chore(docs+devops): cross-module doc sync + sprint archival moves + compose updates

Bundled pre-session doc + ops work:
- docs/modules/**: sync across advisory-ai, airgap, cli, excititor,
  export-center, findings-ledger, notifier, notify, platform, router,
  sbom-service, ui, web (architectural + operational updates)
- docs/features/**: updates to checked excititor vex pipeline,
  developer workspace, quick verify drawer
- docs top-level: README, quickstart, API_CLI_REFERENCE, UI_GUIDE,
  code-of-conduct/TESTING_PRACTICES updates
- docs/qa/feature-checks/: FLOW.md + excititor state update
- docs/implplan/: remaining sprint updates + new Concelier source
  credentials sprint (SPRINT_20260422_003)
- docs-archived/implplan/: 30 sprint archival moves (ElkSharp series,
  misc completed sprints)
- devops/compose: .env + services compose + env example + router gateway
  config updates

File-level granularity preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-22 16:06:39 +03:00
parent ad77711ac2
commit 7943cfb3af
121 changed files with 10483 additions and 387 deletions

@@ -18,7 +18,7 @@
**Boundaries.**
* CLI **never** signs; it only calls **Signer**/**Attestor** via backend APIs when needed (e.g., `report --attest`).
* Most workflow signing remains **server-side** through **Signer**/**Attestor** (for example `report --attest`), but the explicit operator commands `stella crypto sign` and `stella crypto verify` perform local/provider-backed cryptographic operations when the active CLI profile exposes signing keys.
* CLI **does not** store longlived credentials beyond OS keychain; tokens are **short** (Authority OpToks).
* Heavy work (scanning, merging, policy) is executed **serverside** (Scanner/Excititor/Concelier).
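Review bot: The replacement first bullet under **Boundaries** allows `stella crypto sign` to perform local/provider-backed signing "when the active CLI profile exposes signing keys", but the bullet right after it still says the CLI stores no long-lived credentials beyond the OS keychain, and nothing in this section says where those signing keys are held. Suggest stating key custody explicitly, for instance whether profile signing keys may only be referenced from the OS keychain or a provider and never stored in the profile itself, and whether a locally produced signature is trusted the same way as Signer/Attestor output. The old line was an absolute ("CLI **never** signs"), so this is a trust-boundary change rather than a wording sync; it deserves its own line in the commit message instead of being covered by the generic "architectural + operational updates" entry for docs/modules.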