refactor(findings): merge VulnExplorer into Findings Ledger

- Move VulnExplorer DTOs into Ledger WebService Contracts/VulnExplorer/
  (VulnModels, VexDecisionModels, TriageWorkflowModels, AttestationModels,
   FixVerificationModels, EvidenceSubgraphContracts)
- Create VulnExplorerEndpoints.cs mounting all 10 original endpoints
  (/v1/vulns, /v1/vex-decisions, /v1/evidence-subgraph,
   /v1/fix-verifications, /v1/audit-bundles)
- Create adapter services (VulnExplorerAdapters.cs) that delegate to
  existing Ledger services (FindingSummaryService, VulnerabilityDetailService,
  EvidenceGraphBuilder, VexConsensusService)
- Wire VulnExplorer authorization policies and service registrations
  in Ledger Program.cs
- Comment out api (VulnExplorer) container in docker-compose.stella-ops.yml
- Add vulnexplorer.stella-ops.local as network alias on findings-ledger-web
- Update gateway route: /api/vuln-explorer(..) -> findings.stella-ops.local
- Update STELLAOPS_VULNEXPLORER_URL -> findings.stella-ops.local
- Comment out VulnExplorer in services-matrix.env and hosts file
- Update docs: port-registry, component-map, module-matrix, webservice-catalog,
  findings-ledger README
- Eliminates 1 container (stellaops-api)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/docker-compose.stella-ops.yml

@@ -424,7 +424,7 @@ services:
       STELLAOPS_EXCITITOR_URL: "http://excititor.stella-ops.local"
       STELLAOPS_VEXHUB_URL: "http://vexhub.stella-ops.local"
       STELLAOPS_VEXLENS_URL: "http://vexlens.stella-ops.local"
-      STELLAOPS_VULNEXPLORER_URL: "http://vulnexplorer.stella-ops.local"
+      STELLAOPS_VULNEXPLORER_URL: "http://findings.stella-ops.local"
       STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
       STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
       STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
@@ -1002,33 +1002,38 @@ services:
       <<: *healthcheck-tcp
     labels: *release-labels
 
-  # --- Slot 13: VulnExplorer (api) [src/Findings/StellaOps.VulnExplorer.Api] ---
-  api:
-    <<: *resources-light
-    image: stellaops/api:dev
-    container_name: stellaops-api
-    restart: unless-stopped
-    depends_on: *depends-infra
-    environment:
-      ASPNETCORE_URLS: "http://+:8080"
-      <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
-      ConnectionStrings__Default: *postgres-connection
-      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
-      Router__Enabled: "${VULNEXPLORER_ROUTER_ENABLED:-true}"
-      Router__Messaging__ConsumerGroup: "vulnexplorer"
-    volumes:
-      - *cert-volume
-    ports:
-      - "127.1.0.13:80:80"
-    networks:
-      stellaops:
-        aliases:
-          - vulnexplorer.stella-ops.local
-      frontdoor: {}
-    healthcheck:
-      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
-      <<: *healthcheck-tcp
-    labels: *release-labels
+  # --- Slot 13: VulnExplorer (api) - MERGED into findings-ledger-web (SPRINT_20260408_002) ---
+  # VulnExplorer endpoints are now served by the Findings Ledger WebService.
+  # Gateway route /api/vuln-explorer(..) now points to findings.stella-ops.local.
+  # The vulnexplorer.stella-ops.local alias is added to the findings-ledger-web
+  # container for backward compatibility.
+  #
+  # api:
+  #   <<: *resources-light
+  #   image: stellaops/api:dev
+  #   container_name: stellaops-api
+  #   restart: unless-stopped
+  #   depends_on: *depends-infra
+  #   environment:
+  #     ASPNETCORE_URLS: "http://+:8080"
+  #     <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
+  #     ConnectionStrings__Default: *postgres-connection
+  #     ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+  #     Router__Enabled: "${VULNEXPLORER_ROUTER_ENABLED:-true}"
+  #     Router__Messaging__ConsumerGroup: "vulnexplorer"
+  #   volumes:
+  #     - *cert-volume
+  #   ports:
+  #     - "127.1.0.13:80:80"
+  #   networks:
+  #     stellaops:
+  #       aliases:
+  #         - vulnexplorer.stella-ops.local
+  #     frontdoor: {}
+  #   healthcheck:
+  #     test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
+  #     <<: *healthcheck-tcp
+  #   labels: *release-labels
 
   # --- Slot 14: Policy Engine ------------------------------------------------
   policy-engine:
@@ -1568,6 +1573,7 @@ services:
       stellaops:
         aliases:
           - findings.stella-ops.local
+          - vulnexplorer.stella-ops.local
       frontdoor: {}
     healthcheck:
       test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]

devops/compose/hosts.stellaops.local

@@ -19,7 +19,7 @@
 127.1.0.10 excititor.stella-ops.local
 127.1.0.11 vexhub.stella-ops.local
 127.1.0.12 vexlens.stella-ops.local
-127.1.0.13 vulnexplorer.stella-ops.local
+# 127.1.0.13 vulnexplorer.stella-ops.local  # MERGED into findings-ledger-web (SPRINT_20260408_002)
 127.1.0.14 policy-engine.stella-ops.local
 127.1.0.15 policy-gateway.stella-ops.local
 127.1.0.16 riskengine.stella-ops.local

devops/compose/router-gateway-local.json

@@ -118,7 +118,7 @@
                                    { "Type": "Microservice", "Path": "^/api/(compare|change-traces|sbomservice)(.*)", "IsRegex": true, "TranslatesTo": "http://sbomservice.stella-ops.local/api/$1$2" },
                                    { "Type": "Microservice", "Path": "^/api/fix-verification(.*)", "IsRegex": true, "TranslatesTo": "http://scanner.stella-ops.local/api/fix-verification$1" },
                                    { "Type": "Microservice", "Path": "^/api/verdicts(.*)", "IsRegex": true, "TranslatesTo": "https://evidencelocker.stella-ops.local/api/verdicts$1" },
-                                   { "Type": "Microservice", "Path": "^/api/vuln-explorer(.*)", "IsRegex": true, "TranslatesTo": "http://vulnexplorer.stella-ops.local/api/vuln-explorer$1" },
+                                   { "Type": "Microservice", "Path": "^/api/vuln-explorer(.*)", "IsRegex": true, "TranslatesTo": "http://findings.stella-ops.local/api/vuln-explorer$1" },
                                    { "Type": "Microservice", "Path": "^/api/vex(.*)", "IsRegex": true, "TranslatesTo": "https://vexhub.stella-ops.local/api/vex$1" },
                                    { "Type": "Microservice", "Path": "^/api/admin/plans(.*)", "IsRegex": true, "TranslatesTo": "http://registry-token.stella-ops.local/api/admin/plans$1" },
                                    { "Type": "Microservice", "Path": "^/api/admin(.*)", "IsRegex": true, "TranslatesTo": "http://platform.stella-ops.local/api/admin$1" },

devops/docker/services-matrix.env

@@ -29,8 +29,8 @@ excititor-worker|devops/docker/Dockerfile.hardened.template|src/Concelier/Stella
 vexhub-web|devops/docker/Dockerfile.hardened.template|src/VexHub/StellaOps.VexHub.WebService/StellaOps.VexHub.WebService.csproj|StellaOps.VexHub.WebService|8080
 # ── Slot 12: VexLens ────────────────────────────────────────────────────────────
 vexlens-web|devops/docker/Dockerfile.hardened.template|src/VexLens/StellaOps.VexLens.WebService/StellaOps.VexLens.WebService.csproj|StellaOps.VexLens.WebService|8080
-# ── Slot 13: VulnExplorer (api) ─────────────────────────────────────────────────
-api|devops/docker/Dockerfile.hardened.template|src/Findings/StellaOps.VulnExplorer.Api/StellaOps.VulnExplorer.Api.csproj|StellaOps.VulnExplorer.Api|8080
+# ── Slot 13: VulnExplorer (api) - MERGED into Findings Ledger (SPRINT_20260408_002) ──
+# api|devops/docker/Dockerfile.hardened.template|src/Findings/StellaOps.VulnExplorer.Api/StellaOps.VulnExplorer.Api.csproj|StellaOps.VulnExplorer.Api|8080
 # ── Slot 14: Policy Engine ──────────────────────────────────────────────────────
 policy-engine|devops/docker/Dockerfile.hardened.template|src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj|StellaOps.Policy.Engine|8080
 # ── Slot 15: Policy Gateway ─────────────────────────────────────────────────────