docs: add service README.md files + update AGENTS.md decisions

- Create README.md for 25+ service modules with container info, API surface, storage
- Document attestor-tileproxy separation rationale (air-gap network isolation)
- Document opsmemory-advisoryai separation rationale (resource isolation, blast radius)
- Update Timeline AGENTS.md with merged indexer info

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Scanner/README.md

@@ -0,0 +1,22 @@
+# Scanner
+
+**Container(s):** stellaops-scanner-web, stellaops-scanner-worker, stellaops-cartographer
+**Slot:** 8 (web + worker), 21 (cartographer)  |  **Port:** 8444 (web)  |  **Consumer Group:** scanner (web), cartographer
+**Resource Tier:** heavy (web + worker), light (cartographer)
+
+## Purpose
+The Scanner module performs SBOM generation, vulnerability analysis, reachability mapping, and supply-chain security scanning of container images. The web service exposes scan APIs (triage, SBOM queries, offline-kit management, replay commands), while the worker processes scan jobs from Valkey queues through a multi-stage pipeline (analyzers, EPSS enrichment, secrets detection, crypto analysis, build provenance, PoE generation, verdict push).
+
+## API Surface
+- `scanner` (via Router) — SBOM queries, scan submissions, triage, reachability slices, offline-kit import/export, smart-diff, policy gate evaluation
+- `cartographer` (via Router) — dependency graph construction and mapping
+
+## Storage
+PostgreSQL schema `scanner` (via `ScannerStorage:Postgres`); RustFS object store for artifacts (`scanner-artifacts` bucket)
+
+## Background Workers
+- `ScannerWorkerHostedService` — processes scan jobs from Valkey queue
+- `EpssIngestJob` — EPSS score ingestion
+- `EpssEnrichmentJob` — live EPSS enrichment of scan results
+- `EpssSignalJob` — EPSS signal emission
+- `FnDriftMetricsExporter` — function drift metrics