feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.

docs/modules/scanner/operations/entrypoint-lang-go.md

@@ -0,0 +1,24 @@
+# Entry-Point Runtime — Go
+
+## Signals to gather
+- Statically linked ELF with `.note.go.buildid`.
+- `.gopclntab` section (function name table) or `Go build ID` strings.
+- Minimal dynamic dependencies (often none) and musl/glibc loader differences.
+- `GODEBUG`, `GOMAXPROCS`, `GOENV` environment variables.
+- Go module artefacts: `go.mod`, `go.sum`.
+
+## Implementation notes
+- Use ELF parsing to locate `.note.go.buildid`; fallback to scanning the first few MB for `Go build ID`.
+- Distinguish from Rust/C by checking `.dynsym` count, presence of Go-specific section names, and the absence of `GLIBCXX`.
+- For distroless images, rely solely on ELF traits since no package metadata is present.
+- Record binary path and module files as evidence.
+
+## Evidence & scoring
+- Strong boost for `.note.go.buildid` or `.gopclntab`.
+- Add evidence for module files or env variables.
+- Penalise binaries with high numbers of shared libraries (likely C/C++).
+
+## Edge cases
+- TinyGo or stripped binaries may lack build IDs—fall back to heuristics (symbol patterns, text section).
+- CGO-enabled binaries include glibc dependencies; still treat as Go but mention CGO in evidence if detected.
+- Supervisors wrapping Go services (e.g., `envoy`) should be handled upstream by wrapper detection.