refactor(findings): merge VulnExplorer into Findings Ledger

- Move VulnExplorer DTOs into Ledger WebService Contracts/VulnExplorer/
  (VulnModels, VexDecisionModels, TriageWorkflowModels, AttestationModels,
   FixVerificationModels, EvidenceSubgraphContracts)
- Create VulnExplorerEndpoints.cs mounting all 10 original endpoints
  (/v1/vulns, /v1/vex-decisions, /v1/evidence-subgraph,
   /v1/fix-verifications, /v1/audit-bundles)
- Create adapter services (VulnExplorerAdapters.cs) that delegate to
  existing Ledger services (FindingSummaryService, VulnerabilityDetailService,
  EvidenceGraphBuilder, VexConsensusService)
- Wire VulnExplorer authorization policies and service registrations
  in Ledger Program.cs
- Comment out api (VulnExplorer) container in docker-compose.stella-ops.yml
- Add vulnexplorer.stella-ops.local as network alias on findings-ledger-web
- Update gateway route: /api/vuln-explorer(..) -> findings.stella-ops.local
- Update STELLAOPS_VULNEXPLORER_URL -> findings.stella-ops.local
- Comment out VulnExplorer in services-matrix.env and hosts file
- Update docs: port-registry, component-map, module-matrix, webservice-catalog,
  findings-ledger README
- Eliminates 1 container (stellaops-api)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

devops/compose/docker-compose.stella-ops.yml

@@ -424,7 +424,7 @@ services:
       STELLAOPS_EXCITITOR_URL: "http://excititor.stella-ops.local"
       STELLAOPS_VEXHUB_URL: "http://vexhub.stella-ops.local"
       STELLAOPS_VEXLENS_URL: "http://vexlens.stella-ops.local"
-      STELLAOPS_VULNEXPLORER_URL: "http://vulnexplorer.stella-ops.local"
+      STELLAOPS_VULNEXPLORER_URL: "http://findings.stella-ops.local"
       STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
       STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
       STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
@@ -1002,33 +1002,38 @@ services:
       <<: *healthcheck-tcp
     labels: *release-labels
 
-  # --- Slot 13: VulnExplorer (api) [src/Findings/StellaOps.VulnExplorer.Api] ---
-  api:
-    <<: *resources-light
-    image: stellaops/api:dev
-    container_name: stellaops-api
-    restart: unless-stopped
-    depends_on: *depends-infra
-    environment:
-      ASPNETCORE_URLS: "http://+:8080"
-      <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
-      ConnectionStrings__Default: *postgres-connection
-      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
-      Router__Enabled: "${VULNEXPLORER_ROUTER_ENABLED:-true}"
-      Router__Messaging__ConsumerGroup: "vulnexplorer"
-    volumes:
-      - *cert-volume
-    ports:
-      - "127.1.0.13:80:80"
-    networks:
-      stellaops:
-        aliases:
-          - vulnexplorer.stella-ops.local
-      frontdoor: {}
-    healthcheck:
-      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
-      <<: *healthcheck-tcp
-    labels: *release-labels
+  # --- Slot 13: VulnExplorer (api) - MERGED into findings-ledger-web (SPRINT_20260408_002) ---
+  # VulnExplorer endpoints are now served by the Findings Ledger WebService.
+  # Gateway route /api/vuln-explorer(..) now points to findings.stella-ops.local.
+  # The vulnexplorer.stella-ops.local alias is added to the findings-ledger-web
+  # container for backward compatibility.
+  #
+  # api:
+  #   <<: *resources-light
+  #   image: stellaops/api:dev
+  #   container_name: stellaops-api
+  #   restart: unless-stopped
+  #   depends_on: *depends-infra
+  #   environment:
+  #     ASPNETCORE_URLS: "http://+:8080"
+  #     <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
+  #     ConnectionStrings__Default: *postgres-connection
+  #     ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+  #     Router__Enabled: "${VULNEXPLORER_ROUTER_ENABLED:-true}"
+  #     Router__Messaging__ConsumerGroup: "vulnexplorer"
+  #   volumes:
+  #     - *cert-volume
+  #   ports:
+  #     - "127.1.0.13:80:80"
+  #   networks:
+  #     stellaops:
+  #       aliases:
+  #         - vulnexplorer.stella-ops.local
+  #     frontdoor: {}
+  #   healthcheck:
+  #     test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
+  #     <<: *healthcheck-tcp
+  #   labels: *release-labels
 
   # --- Slot 14: Policy Engine ------------------------------------------------
   policy-engine:
@@ -1568,6 +1573,7 @@ services:
       stellaops:
         aliases:
           - findings.stella-ops.local
+          - vulnexplorer.stella-ops.local
       frontdoor: {}
     healthcheck:
       test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]