feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.

deploy/README.md

@@ -1,10 +1,10 @@
-# Deployment Profiles
-
-This directory contains deterministic deployment bundles for the core Stella Ops stack. All manifests reference immutable image digests and map 1:1 to the release manifests stored under `deploy/releases/`.
-
-## Structure
-
-- `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests.
+# Deployment Profiles
+
+This directory contains deterministic deployment bundles for the core Stella Ops stack. All manifests reference immutable image digests and map 1:1 to the release manifests stored under `deploy/releases/`.
+
+## Structure
+
+- `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests.
 - `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files.
 - `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth.
 - `compose/docker-compose.telemetry.yaml` – optional OpenTelemetry collector overlay (mutual TLS, OTLP pipelines).
@@ -12,11 +12,11 @@ This directory contains deterministic deployment bundles for the core Stella Ops
 - `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap.
 - `telemetry/` – shared OpenTelemetry collector configuration and certificate artefacts (generated via tooling).
 - `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile.
-
-## Workflow
-
-1. Update or add a release manifest under `releases/` with the new digests.
-2. Mirror the digests into the Compose and Helm profiles that correspond to that channel.
+
+## Workflow
+
+1. Update or add a release manifest under `releases/` with the new digests.
+2. Mirror the digests into the Compose and Helm profiles that correspond to that channel.
 3. Run `deploy/tools/validate-profiles.sh` (requires Docker CLI and Helm) to ensure the bundles lint and template cleanly.
 4. If telemetry ingest is required for the release, generate development certificates using
    `./ops/devops/telemetry/generate_dev_tls.sh` and run the collector smoke test with
@@ -31,7 +31,7 @@ Maintaining the digest linkage keeps offline/air-gapped installs reproducible an
 - `ops/devops/telemetry/generate_dev_tls.sh` – produces local CA/server/client certificates for Compose-based collector testing.
 - `ops/devops/telemetry/smoke_otel_collector.py` – sends OTLP traffic and asserts the collector accepted traces, metrics, and logs.
 - `ops/devops/telemetry/package_offline_bundle.py` – packages telemetry assets (config/Helm/Compose) into a signed tarball for air-gapped installs.
-- `docs/ops/deployment-upgrade-runbook.md` – end-to-end instructions for upgrade, rollback, and channel promotion workflows (Helm + Compose).
+- `docs/modules/devops/runbooks/deployment-upgrade.md` – end-to-end instructions for upgrade, rollback, and channel promotion workflows (Helm + Compose).
 
 ## CI smoke checks