feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.

docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md

@@ -2,7 +2,7 @@
 
 > **Audience:** teams implementing new Excititor provider plug‑ins (CSAF feeds,
 > OpenVEX attestations, etc.)  
-> **Prerequisites:** read `docs/ARCHITECTURE_EXCITITOR.md` and the module
+> **Prerequisites:** read `docs/modules/excititor/architecture.md` and the module
 > `AGENTS.md` in `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`.
 
 The Excititor connector SDK gives you:

docs/dev/30_VEXER_CONNECTOR_GUIDE.md

@@ -2,7 +2,7 @@
 
 > **Audience:** teams implementing new Vexer provider plug‑ins (CSAF feeds,
 > OpenVEX attestations, etc.)  
-> **Prerequisites:** read `docs/ARCHITECTURE_VEXER.md` and the module
+> **Prerequisites:** read `docs/modules/vexer/architecture.md` and the module
 > `AGENTS.md` in `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`.
 
 The Vexer connector SDK gives you:

docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md

@@ -116,7 +116,7 @@ Capability flags let the host reason about what your plug-in supports:
 - Support environment overrides using `STELLAOPS_AUTHORITY_PLUGINS__DESCRIPTORS__<NAME>__...`.
 - Never store raw secrets in git: allow operators to supply them via `.local.yaml`, environment variables, or injected secret files. Document which keys are mandatory.
 - Validate configuration as soon as the registrar runs; use explicit error messages to guide operators. The Standard plug-in now enforces complete bootstrap credentials (username + password) and positive lockout windows via `StandardPluginOptions.Validate`.
-- Cross-reference bootstrap workflows with `docs/ops/authority_bootstrap.md` (to be published alongside CORE6) so operators can reuse the same payload formats for manual provisioning.
+- Cross-reference bootstrap workflows with `docs/modules/authority/operations/bootstrap.md` (to be published alongside CORE6) so operators can reuse the same payload formats for manual provisioning.
 - `passwordHashing` inherits defaults from `authority.security.passwordHashing`. Override only when hardware constraints differ per plug-in:
   ```yaml
   passwordHashing:

docs/dev/BUILDX_PLUGIN_QUICKSTART.md

@@ -116,4 +116,4 @@ Add the workflow to your repository (or call it via `workflow_call`) and adjust
 
 ---
 
-For deeper integration guidance (custom SBOM builders, exporting DSSE bundles), track ADRs in `docs/ARCHITECTURE_SCANNER.md` §7 and follow upcoming Attestor API releases.
+For deeper integration guidance (custom SBOM builders, exporting DSSE bundles), track ADRs in `docs/modules/scanner/architecture.md` §7 and follow upcoming Attestor API releases.

docs/dev/authority-dpop-mtls-plan.md

@@ -134,13 +134,13 @@
 2. Introduce configuration classes and bind from YAML/environment.
 3. Implement nonce store (Redis + in-memory), handler integration, and OpenIddict transaction plumbing.
 4. Stamp `cnf.jkt`, audit events, and metrics; update Mongo documents and migrations.
-5. Extend docs: `docs/ARCHITECTURE_AUTHORITY.md`, `docs/security/audit-events.md`, `docs/security/rate-limits.md`, CLI/UI references.
+5. Extend docs: `docs/modules/authority/architecture.md`, `docs/security/audit-events.md`, `docs/security/rate-limits.md`, CLI/UI references.
 
 **mTLS work-stream**
 1. Extend client document/schema and provisioning stores with certificate bindings + sender constraint flag.
 2. Configure Kestrel/middleware for optional client certificates and validation service.
 3. Update token issuance/introspection to honour certificate bindings and emit `cnf.x5t#S256`.
 4. Add auditing/metrics and integration tests (happy path + failure).
-5. Refresh operator documentation (`docs/ops/authority-backup-restore.md`, `docs/ops/authority-monitoring.md`, sample `authority.yaml`) to cover certificate lifecycle.
+5. Refresh operator documentation (`docs/modules/authority/operations/backup-restore.md`, `docs/modules/authority/operations/monitoring.md`, sample `authority.yaml`) to cover certificate lifecycle.
 
 Both streams should conclude with `dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln` and documentation cross-links so dependent guilds can unblock UI/Signer work.

docs/dev/fixtures.md

@@ -11,7 +11,7 @@ fixture sets, where they live, and how to regenerate them safely.
 - **Purpose:** Exercised by `OsvGhsaParityRegressionTests` to ensure OSV + GHSA outputs stay aligned on aliases,
   ranges, references, and credits.
 - **Regeneration:** Either run the test harness with online regeneration (`UPDATE_PARITY_FIXTURES=1 dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj`)
-  or execute the fixture updater (`dotnet run --project tools/FixtureUpdater/FixtureUpdater.csproj`). Both paths
+  or execute the fixture updater (`dotnet run --project src/Tools/FixtureUpdater/FixtureUpdater.csproj`). Both paths
   normalise timestamps and canonical ordering.
 - **SemVer provenance:** The regenerated fixtures should show `normalizedVersions[].notes` in the
   `osv:{ecosystem}:{advisoryId}:{identifier}` shape emitted by `SemVerRangeRuleBuilder`. Confirm the
@@ -22,7 +22,7 @@ fixture sets, where they live, and how to regenerate them safely.
 
 - **Location:** `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests/Fixtures/credit-parity.{ghsa,osv,nvd}.json`
 - **Purpose:** Exercised by `GhsaCreditParityRegressionTests` to guarantee GHSA/NVD/OSV acknowledgements remain in lockstep.
-- **Regeneration:** `dotnet run --project tools/FixtureUpdater/FixtureUpdater.csproj` rewrites all three canonical snapshots.
+- **Regeneration:** `dotnet run --project src/Tools/FixtureUpdater/FixtureUpdater.csproj` rewrites all three canonical snapshots.
 - **Verification:** `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj`.
 
 > Always commit fixture changes together with the code that motivated them and reference the regression test that guards the behaviour.

docs/dev/merge_semver_playbook.md

@@ -82,10 +82,10 @@ Coordinate with the Storage team when enabling these indexes so deployment windo
 
 ## 6. Dual-write rollout
 
-Follow the operational checklist in `docs/ops/migrations/SEMVER_STYLE.md`. The summary:
+Follow the operational checklist in `docs/modules/devops/migrations/semver-style.md`. The summary:
 
 1. **Dual write (now)** – emit both legacy `versionRanges` and the new `normalizedVersions`.
-2. **Backfill** – follow the storage migration in `docs/ops/migrations/SEMVER_STYLE.md` to rewrite historical advisories before switching consumers.
+2. **Backfill** – follow the storage migration in `docs/modules/devops/migrations/semver-style.md` to rewrite historical advisories before switching consumers.
 3. **Verify** – run the aggregation above (with `explain("executionStats")`) to ensure the new indexes are used.
 4. **Cutover** – after consumers switch to normalized rules, mark the old `rangeExpression` as deprecated.