refactor(findings): merge VulnExplorer into Findings Ledger

- Move VulnExplorer DTOs into Ledger WebService Contracts/VulnExplorer/
  (VulnModels, VexDecisionModels, TriageWorkflowModels, AttestationModels,
   FixVerificationModels, EvidenceSubgraphContracts)
- Create VulnExplorerEndpoints.cs mounting all 10 original endpoints
  (/v1/vulns, /v1/vex-decisions, /v1/evidence-subgraph,
   /v1/fix-verifications, /v1/audit-bundles)
- Create adapter services (VulnExplorerAdapters.cs) that delegate to
  existing Ledger services (FindingSummaryService, VulnerabilityDetailService,
  EvidenceGraphBuilder, VexConsensusService)
- Wire VulnExplorer authorization policies and service registrations
  in Ledger Program.cs
- Comment out api (VulnExplorer) container in docker-compose.stella-ops.yml
- Add vulnexplorer.stella-ops.local as network alias on findings-ledger-web
- Update gateway route: /api/vuln-explorer(..) -> findings.stella-ops.local
- Update STELLAOPS_VULNEXPLORER_URL -> findings.stella-ops.local
- Comment out VulnExplorer in services-matrix.env and hosts file
- Update docs: port-registry, component-map, module-matrix, webservice-catalog,
  findings-ledger README
- Eliminates 1 container (stellaops-api)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/modules/findings-ledger/README.md

@@ -15,7 +15,7 @@ The `src/Findings/` directory is the unified home for all findings-related servi
 
 - **Findings Ledger** (`StellaOps.Findings.Ledger`, `StellaOps.Findings.Ledger.WebService`): Core append-only event ledger.
 - **RiskEngine** (`StellaOps.RiskEngine.Core`, `StellaOps.RiskEngine.WebService`, `StellaOps.RiskEngine.Worker`): Computes risk scores using CVSS, EPSS, KEV, exploit maturity, fix-chain attestation, and VEX gates. Infrastructure lives under `__Libraries/StellaOps.RiskEngine.Infrastructure`.
-- **VulnExplorer** (`StellaOps.VulnExplorer.Api`): API surface for browsing findings, evidence subgraphs, triage workflows, and VEX decision management. Shared contracts from `StellaOps.VulnExplorer.WebService`.
+- **VulnExplorer** (merged into Findings Ledger WebService, SPRINT_20260408_002): VulnExplorer endpoints (`/v1/vulns`, `/v1/vex-decisions`, `/v1/evidence-subgraph`, `/v1/fix-verifications`, `/v1/audit-bundles`) are now served by `StellaOps.Findings.Ledger.WebService`. Contracts live under `Contracts/VulnExplorer/`, adapter services under `Services/VulnExplorerAdapters.cs`. The standalone `StellaOps.VulnExplorer.Api` container (`stellaops-api`) has been decommissioned.
 
 Previously archived docs for RiskEngine and VulnExplorer are in `docs-archived/modules/risk-engine/` and `docs-archived/modules/vuln-explorer/`.
 

docs/technical/architecture/component-map.md

@@ -18,7 +18,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
 - **Findings** — Materialises effective findings from Policy Engine outputs and evidence. Feeds UI, CLI, Notify, and Governance dashboards (`docs/modules/policy/architecture.md`, findings sections). 
 - **Cartographer** — Builds identity graphs from SBOM/advisory data for Graph Explorer and RiskEngine (`docs/modules/graph/architecture.md`). 
 - **Graph** — Graph API + indexer, exposing relationship queries to UI/CLI/Scheduler (`docs/modules/graph/architecture.md`). 
-- **VulnExplorer** — Explorer for vulnerabilities that combines Concelier data, graph overlays, and Policy results for UI/CLI consumption (`docs/modules/vuln-explorer/architecture.md`). 
+- **VulnExplorer** — _(merged into Findings Ledger)_ Explorer for vulnerabilities that combines Concelier data, graph overlays, and Policy results for UI/CLI consumption. Endpoints now served by `src/Findings/StellaOps.Findings.Ledger.WebService`. 
 
 ## Policy & Governance
 - **Policy** — Policy Engine core libraries and services executing lattice logic across SBOM, advisory, and VEX evidence. Emits explain traces, drives Findings, Notifier, and Export Center (`docs/modules/policy/architecture.md`). 

docs/technical/architecture/module-matrix.md

@@ -22,7 +22,7 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
 | Data Ingestion | 7 | Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Feedser, Mirror |
 | Scanning & Analysis | 5 | Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph |
 | Artifacts & Evidence | 7 | Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, Provenance, Provcache |
-| Policy & Risk | 4 | Policy, RiskEngine, VulnExplorer, Unknowns |
+| Policy & Risk | 3 | Policy, RiskEngine, Unknowns (VulnExplorer merged into Findings Ledger) |
 | Operations | 8 | Scheduler, Orchestrator, TaskRunner, Notify, Notifier, PacksRegistry, TimelineIndexer, Replay |
 | Integration | 5 | CLI, Zastava, Web, API, Registry |
 | Infrastructure | 6 | Cryptography, Telemetry, Graph, Signals, AirGap, AOC |

docs/technical/architecture/port-registry.md

@@ -28,7 +28,7 @@ This page focuses on deterministic slot/port allocation and may include legacy o
 | 10 | 10100 | 10101 | Excititor | `excititor.stella-ops.local` | `src/Concelier/StellaOps.Excititor.WebService` | `STELLAOPS_EXCITITOR_URL` |
 | 11 | 10110 | 10111 | VexHub | `vexhub.stella-ops.local` | `src/VexHub/StellaOps.VexHub.WebService` | `STELLAOPS_VEXHUB_URL` |
 | 12 | 10120 | 10121 | VexLens | `vexlens.stella-ops.local` | `src/VexLens/StellaOps.VexLens.WebService` | `STELLAOPS_VEXLENS_URL` |
-| 13 | 10130 | 10131 | VulnExplorer | `vulnexplorer.stella-ops.local` | `src/Findings/StellaOps.VulnExplorer.Api` | `STELLAOPS_VULNEXPLORER_URL` |
+| 13 | 10130 | 10131 | VulnExplorer (merged into Findings Ledger) | `vulnexplorer.stella-ops.local` (alias on findings-ledger-web) | `src/Findings/StellaOps.Findings.Ledger.WebService` | `STELLAOPS_VULNEXPLORER_URL` |
 | 14 | 10140 | 10141 | Policy Engine | `policy-engine.stella-ops.local` | `src/Policy/StellaOps.Policy.Engine` | `STELLAOPS_POLICY_ENGINE_URL` |
 | 15 | 10150 | 10151 | Policy Gateway | `policy-gateway.stella-ops.local` | `src/Policy/StellaOps.Policy.Gateway` | `STELLAOPS_POLICY_GATEWAY_URL` |
 | 16 | 10160 | 10161 | RiskEngine | `riskengine.stella-ops.local` | `src/Findings/StellaOps.RiskEngine.WebService` | `STELLAOPS_RISKENGINE_URL` |
@@ -123,7 +123,7 @@ Add the following to your hosts file (`C:\Windows\System32\drivers\etc\hosts` on
 127.1.0.10 excititor.stella-ops.local
 127.1.0.11 vexhub.stella-ops.local
 127.1.0.12 vexlens.stella-ops.local
-127.1.0.13 vulnexplorer.stella-ops.local
+# 127.1.0.13 vulnexplorer.stella-ops.local  # MERGED: alias on findings-ledger-web
 127.1.0.14 policy-engine.stella-ops.local
 127.1.0.15 policy-gateway.stella-ops.local
 127.1.0.16 riskengine.stella-ops.local

docs/technical/architecture/webservice-catalog.md

@@ -5,7 +5,7 @@ This page is the source-of-truth inventory for Stella Ops `*.WebService` runtime
 ## Scope and contract
 - Inventory source: `rg --files src -g "*WebService.csproj"`.
 - Includes active runtime webservices only (31 services).
-- Excludes non-`WebService` API binaries (for example `StellaOps.Policy.Engine`, `StellaOps.Policy.Gateway`, `StellaOps.Graph.Api`, `StellaOps.VulnExplorer.Api`, `StellaOps.Symbols.Server`, `StellaOps.Registry.TokenService`, `StellaOps.SmRemote.Service`) even though they may bind `*.stella-ops.local` aliases.
+- Excludes non-`WebService` API binaries (for example `StellaOps.Policy.Engine`, `StellaOps.Policy.Gateway`, `StellaOps.Graph.Api`, `StellaOps.Symbols.Server`, `StellaOps.Registry.TokenService`, `StellaOps.SmRemote.Service`) even though they may bind `*.stella-ops.local` aliases. Note: `StellaOps.VulnExplorer.Api` has been merged into `StellaOps.Findings.Ledger.WebService` (SPRINT_20260408_002).
 - Canonical runtime hostname form: `<service>.stella-ops.local`.
 
 ## Runtime hostname convention and exceptions