feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.

docs/modules/scanner/operations/entrypoint-lang-ccpp.md

@@ -0,0 +1,24 @@
+# Entry-Point Runtime — C / C++
+
+## Signals to gather
+- Dynamically linked ELF (`.dynamic`) with GLIBC references (`GLIBC`, `GLIBCXX`, `libstdc++`).
+- Presence of `/lib64/ld-linux-*.so.*` loaders.
+- Absence of Go/Rust-specific markers.
+- Native supervisor binaries (`nginx`, `envoy`, custom C services).
+- Config files adjacent to the binary (`/etc/app.conf`, YAML/INI).
+
+## Implementation notes
+- Treat this detector as the "native fallback": confirm no higher-priority language matched.
+- Collect shared library list to attach as evidence; highlight unusual dependencies.
+- Inspect `EXPOSE` ports and config directories to aid classification.
+- Normalise busybox-style symlinks (actual binary often `/bin/busybox` with applet name).
+
+## Evidence & scoring
+- Boost for ELF dynamic dependencies and loader presence.
+- Add evidence for config files, service managers, or env variables.
+- Penalise extremely small binaries without metadata (may be wrappers).
+
+## Edge cases
+- Static C binaries may look like Go; rely on build ID absence and library fingerprints.
+- When binary is part of a supervisor stack (e.g., `s6-svscan`), delegate classification to `Supervisor`.
+- Windows native services should be handled by PE analysis (`entrypoint-runtime-overview.md`).