chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates

Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-22 16:06:39 +03:00
parent ad77711ac2
commit 7943cfb3af
121 changed files with 10483 additions and 387 deletions

View File

@@ -10,19 +10,20 @@ VERIFIED
VEX source onboarding pipeline with scheduled provider runners, orchestration, signature verification, and issuer directory integration for multi-vendor VEX ingestion.
## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.Worker/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`
- **Modules**: `src/Concelier/StellaOps.Excititor.Worker/`, `src/Concelier/StellaOps.Excititor.WebService/`, `src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`, `src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/`
- **Key Classes**:
- `VexWorkerHostedService` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs`) - background service scheduling provider runs
- `DefaultVexProviderRunner` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs`) - runs VEX provider connectors on schedule
- `OrchestratorVexProviderRunner` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/OrchestratorVexProviderRunner.cs`) - orchestrator-managed provider runner
- `VexWorkerOrchestratorClient` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/VexWorkerOrchestratorClient.cs`) - communicates with orchestrator for work assignment
- `VexWorkerHeartbeatService` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/VexWorkerHeartbeatService.cs`) - sends heartbeats to orchestrator
- `VexWorkerPluginCatalogLoader` (`src/Excititor/StellaOps.Excititor.Worker/Plugins/VexWorkerPluginCatalogLoader.cs`) - loads available VEX connector plugins
- `VexConnectorBase` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs`) - base class for VEX source connectors
- `VexConnectorDescriptor` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs`) - descriptor metadata for connectors
- `WorkerSignatureVerifier` (`src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - verifies signatures during ingestion
- `VexWorkerSchedule` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs`) - schedule configuration for provider runs
- `MirrorRegistrationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/MirrorRegistrationEndpoints.cs`) - REST endpoints for mirror/source registration
- `VexWorkerHostedService` (`src/Concelier/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs`) - background service scheduling provider runs
- `DefaultVexProviderRunner` (`src/Concelier/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs`) - runs VEX provider connectors on schedule
- `OrchestratorVexProviderRunner` (`src/Concelier/StellaOps.Excititor.Worker/Orchestration/OrchestratorVexProviderRunner.cs`) - orchestrator-managed provider runner
- `VexWorkerOrchestratorClient` (`src/Concelier/StellaOps.Excititor.Worker/Orchestration/VexWorkerOrchestratorClient.cs`) - communicates with orchestrator for work assignment
- `VexWorkerHeartbeatService` (`src/Concelier/StellaOps.Excititor.Worker/Orchestration/VexWorkerHeartbeatService.cs`) - sends heartbeats to orchestrator
- `VexWorkerPluginCatalogLoader` (`src/Concelier/StellaOps.Excititor.Worker/Plugins/VexWorkerPluginCatalogLoader.cs`) - loads available VEX connector plugins
- `VexConnectorBase` (`src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs`) - base class for VEX source connectors
- `VexConnectorDescriptor` (`src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs`) - descriptor metadata for connectors
- `CiscoCsafConnector` (`src/Concelier/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/CiscoCsafConnector.cs`) - public Cisco CSAF connector exercised in the live fallback and cursor-preservation regression checks
- `WorkerSignatureVerifier` (`src/Concelier/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - verifies signatures during ingestion
- `VexWorkerSchedule` (`src/Concelier/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs`) - schedule configuration for provider runs
- `MirrorRegistrationEndpoints` (`src/Concelier/StellaOps.Excititor.WebService/Endpoints/MirrorRegistrationEndpoints.cs`) - REST endpoints for mirror/source registration
- **Interfaces**: `IVexProviderRunner`, `IVexConsensusRefreshScheduler`, `IVexWorkerOrchestratorClient`
- **Source**: Feature matrix scan
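Review bot: the new `CiscoCsafConnector` entry in the Key Classes list mixes verification history ("exercised in the live fallback and cursor-preservation regression checks") into what is otherwise a plain class-to-path inventory; keep the entry as a one-line description of the class (for example "public Cisco CSAF connector with `index.json` to `changes.csv` fallback") and leave the regression-check detail to the Verification section, where run-002 already records it. Also note that the updated Modules line lists only the Cisco CSAF connector library although the unchanged checklist item below expects `VexWorkerPluginCatalogLoader` to load Ubuntu, Red Hat, Oracle, Microsoft, Cisco and SUSE connectors, so either list the other connector projects or state that the Modules list is intentionally not exhaustive.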
@@ -35,7 +36,13 @@ VEX source onboarding pipeline with scheduled provider runners, orchestration, s
- [ ] Verify `VexWorkerPluginCatalogLoader` discovers and loads all available vendor connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco, SUSE)
## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-001/tier2-integration-check.json`
- Re-verified on 2026-04-22 via `run-002`.
- Tier 0: Current `src/Concelier/...` source files confirmed present on disk; stale legacy `src/Excititor/...` references from the previous checked record were normalized during this QA cycle.
- Tier 1: `dotnet build` passed for `src/Concelier/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj` with 0 warnings and 0 errors. Targeted xUnit helper runs also passed for `CiscoCsafConnectorTests` (8/8) and `VexWorkerOrchestratorClientTests` (10/10).
- Tier 2d: Disposable Cisco-only worker run `eddb0e0b-26b1-4b9c-b08d-679413905795` completed after `index.json` returned `404` and the connector fell back cleanly to `changes.csv` `200`; the run persisted no duplicate raw documents and preserved `vex.connector_states.last_updated = 2026-04-22 07:25:53.884862+00`.
- Artifacts: `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier0-source-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier1-build-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-002/tier2-integration-check.json`
- Further re-verified on 2026-04-22 via `run-003` for the Oracle CSAF provider path.
- Tier 0: Oracle CSAF source files and their targeted test classes were confirmed present under `src/Concelier/...`.
- Tier 1: Targeted xUnit helper runs passed for `OracleCatalogLoaderTests` (3/3) and `OracleCsafConnectorTests` (4/4), covering cache/offline catalog loading, checksum mismatch handling, missing historical documents, and empty-digest checkpoint behavior.
- Tier 2d: Disposable Oracle-only worker run `5fa3edb0-a3af-4ec1-b9bb-dce9baa32d09` completed successfully against the live Oracle RSS catalog. The connector skipped multiple historical `404` CSAF URIs without failing the provider, persisted no duplicate raw documents, and preserved `vex.connector_states.last_updated = 2026-04-22 06:46:15.261191+00`.
- Artifacts: `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier0-source-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier1-build-check.json`, `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-003/tier2-integration-check.json`
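Review bot: the run-002 and run-003 Tier 1 entries record only targeted xUnit helper runs (8/8, 10/10, 3/3, 4/4) where run-001 recorded the full suite (503/504), so the record should say explicitly whether the full test suite was re-run after the `src/Excititor/...` to `src/Concelier/...` path normalization or only the targeted classes; as written a reader cannot tell whether the 1 env_issue from run-001 (no local Postgres) was resolved or still applies. The run-003 Tier 2d note also verifies the Oracle CSAF provider path, but no Oracle connector or catalog loader class appears in the Key Classes list above, so add the `OracleCsafConnector` and catalog loader paths there to match what `OracleCatalogLoaderTests` and `OracleCsafConnectorTests` cover. Finally, the fail-safe behaviours recorded here (falling back to `changes.csv` on a `404` `index.json`, skipping historical `404` CSAF URIs without failing the provider, persisting no duplicate raw documents, preserving `vex.connector_states.last_updated`) are the interesting regression guarantees; consider promoting them into explicit checklist items rather than leaving them only in run notes.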

View File

@@ -7,7 +7,7 @@ Web
VERIFIED
## Description
Developer-focused workspace assembling Evidence Ribbon, Quick-Verify CTA with streaming progress, a sortable findings rail with severity/reachability/runtime indicators, and action stubs for creating GitHub issues or Jira tickets from findings.
Developer-focused workspace assembling Evidence Ribbon, Quick-Verify CTA with streaming progress, and a sortable findings rail with severity/reachability/runtime indicators.
## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/workspaces/developer/`
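Review bot: the Description drops the GitHub/Jira action stubs while the status header two lines above still reads VERIFIED; state in this record whether the feature was re-verified after the stubs were removed from the live route on 2026-04-21, otherwise the VERIFIED status refers to a surface that no longer exists. Any existing E2E steps or screenshots that exercised the ticket-creation buttons should be removed or updated in the same change.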
@@ -19,6 +19,10 @@ Developer-focused workspace assembling Evidence Ribbon, Quick-Verify CTA with st
- **Models**:
- `src/Web/StellaOps.Web/src/app/features/workspaces/developer/models/developer-workspace.models.ts`
- **Source**: Feature matrix scan
- **Runtime note**: Placeholder GitHub/Jira ticket actions were removed from the live route on 2026-04-21 until a real issue-handoff contract exists.
## Notes
- The live route intentionally omits ticket-creation buttons until the workspace is backed by a real GitHub/Jira handoff flow. The previous local action stubs were removed to keep the surface truthful.
## E2E Test Plan
- **Setup**:
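Review bot: the new `**Runtime note**` line and the new `## Notes` bullet state the same fact twice (placeholder GitHub/Jira ticket actions removed from the live route until a real issue-handoff contract exists); keep one of them, preferably the Notes bullet since it also gives the rationale ("to keep the surface truthful"), and drop the other. The date 2026-04-21 appears only in the Runtime note, so carry it into whichever line is kept.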

View File

@@ -7,13 +7,14 @@ Web
VERIFIED
## Description
Slide-out drawer component for one-click verification of attestation chains, DSSE signatures, and Rekor inclusion proofs directly from any evidence chip or finding row.
Slide-out drawer component used by Quick-Verify entry points across the Web UI. The shared drawer now fails closed with an explicit unavailable state when a caller lacks a bound runtime verification contract, instead of simulating a verified receipt.
## Implementation Details
- **Feature directory**: `src/Web/StellaOps.Web/src/app/shared/components/quick-verify-drawer/`
- **Components**:
- `quick-verify-drawer` (`src/Web/StellaOps.Web/src/app/shared/components/quick-verify-drawer/quick-verify-drawer.component.ts`)
- **Source**: batch_38/file_13.md
- **Runtime note**: the shared drawer no longer fabricates verification success or a synthetic receipt for heterogeneous caller identifiers such as bundle IDs, verdict IDs, or content hashes.
## E2E Test Plan
- **Setup**:
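Review bot: the fail-closed behaviour introduced in the Description and the Runtime note (explicit unavailable state when no runtime verification contract is bound; no synthetic receipt for bundle IDs, verdict IDs or content hashes) has no corresponding check in the visible plan. Add an E2E case under the Test Plan that opens `quick-verify-drawer` from a caller without a bound contract and asserts that the unavailable state is rendered and that no "verified" receipt or success indicator appears for each of those identifier kinds; that is the regression that matters most for a component users rely on to confirm attestation chains, DSSE signatures and Rekor inclusion proofs. The `**Source**: batch_38/file_13.md` line is unchanged even though the behaviour it documents changed, so confirm that source still describes the fail-closed version.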