docs: sweep stale counts to match v0.9.2 binary state

Audit found several user-facing surfaces still carrying old numbers
from earlier releases. Brought everything in line with the binary's
authoritative footer ('39 modules · 10 KEV · 28 verified · 7 any').

README.md:
- Status section: v0.9.0 → v0.9.2 framing; describe the 22 → 28
  verification arc (v0.9.1 + v0.9.2)
- '119 detection rules' → 151 (current bundled count)
- '10 of 26 KEV-listed' → '10 of 34'
- 'Not yet verified (4 of 26 CVEs)' → '(6 of 34 CVEs)' with the new
  honest list (vmwgfx, dirty_cow, mutagen_astronomy, pintheft,
  vsock_uaf, fragnesia) and the reason each is blocked
- Example --auto output: 31 → 39 modules

docs/index.html:
- '22 of 26 CVEs confirmed' → '28 of 34', mainline kernel list expanded
  (5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7)
- Corpus section '26 CVEs across 10 years' → '34 CVEs'
- '26 CVEs, 10-year span' (author list intro) → '34 CVEs'
- Footer feature list '22 of 26' → '28 of 34'
- KEV stat chip 11 → 10 (matches binary; the anticipated 11th from
  metadata refresh hasn't been added yet)
- '119 detection rules' → '151' (two occurrences)

docs/og.svg + og.png:
- KEV chip 11 → 10 (matches binary)

CVES.md:
- '31 modules' → '39 modules covering 34 CVEs'
- Rewrote the unverified-rows note to match the actual 6-module list

No content changes to RELEASE_NOTES.md or ROADMAP.md — those entries
correctly describe state at the time they were written.

docs/index.html

@@ -83,7 +83,7 @@
     <div class="stats-row" id="stats-row">
       <div class="stat-chip"><span class="num" data-target="39">0</span><span>modules</span></div>
       <div class="stat-chip stat-vfy"><span class="num" data-target="28">0</span><span>✓ VM-verified</span></div>
-      <div class="stat-chip stat-kev"><span class="num" data-target="11">0</span><span>★ in CISA KEV</span></div>
+      <div class="stat-chip stat-kev"><span class="num" data-target="10">0</span><span>★ in CISA KEV</span></div>
       <div class="stat-chip"><span class="num" data-target="151">0</span><span>detection rules</span></div>
     </div>
 
@@ -210,7 +210,7 @@ uid=0(root) gid=0(root)</pre>
 
       <article class="bento-card">
         <div class="bento-icon">🛡</div>
-        <h3>119 detection rules</h3>
+        <h3>151 detection rules</h3>
         <p>
           auditd · sigma · yara · falco. One command emits the corpus for
           your SIEM. Each rule grounded in the module's own syscalls.
@@ -227,7 +227,7 @@ uid=0(root) gid=0(root)</pre>
         <div class="bento-icon">★</div>
         <h3>CISA KEV prioritized</h3>
         <p>
-          10 of 26 CVEs in the corpus are in CISA's Known Exploited
+          10 of 34 CVEs in the corpus are in CISA's Known Exploited
           Vulnerabilities catalog — actively exploited in the wild.
           Refreshed on demand via <code>tools/refresh-cve-metadata.py</code>.
         </p>
@@ -294,9 +294,9 @@ uid=0(root) gid=0(root)</pre>
           <code>tools/verify-vm/</code> spins up known-vulnerable
           kernels (stock distro + mainline from kernel.ubuntu.com), runs
           <code>--explain --active</code> per module, and records the
-          verdict. <strong>22 of 26 CVEs</strong> confirmed against
+          verdict. <strong>28 of 34 CVEs</strong> confirmed against
           real Linux across Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12
-          + mainline 5.15.5 / 6.1.10. Records baked into the binary;
+          + mainline 5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7. Records baked into the binary;
           <code>--list</code> shows ✓ per module.
         </p>
       </article>
@@ -309,7 +309,7 @@ uid=0(root) gid=0(root)</pre>
   <div class="container">
     <div class="section-head">
       <span class="section-tag">corpus</span>
-      <h2>26 CVEs across 10 years. ★ = actively exploited (CISA KEV).</h2>
+      <h2>34 CVEs across 10 years. ★ = actively exploited (CISA KEV).</h2>
     </div>
 
     <h3 class="corpus-h" data-color="green">
@@ -414,7 +414,7 @@ uid=0(root) gid=0(root)</pre>
         <div class="audience-icon">🎓</div>
         <h3>Researchers / CTF</h3>
         <p>
-          26 CVEs, 10-year span, each with the original PoC author
+          34 CVEs, 10-year span, each with the original PoC author
           credited and the kernel-range citation auditable.
           <code>--explain</code> shows the reasoning chain; detection
           rules let you practice both sides. Source is the documentation.
@@ -511,13 +511,13 @@ uid=0(root) gid=0(root)</pre>
       <div class="tl-col tl-shipped">
         <div class="tl-tag">shipped</div>
         <ul>
-          <li><strong>22 of 26 CVEs empirically verified</strong> in real Linux VMs</li>
+          <li><strong>28 of 34 CVEs empirically verified</strong> in real Linux VMs</li>
           <li><strong>kernel.ubuntu.com/mainline/</strong> kernel fetch path — unblocks pin-not-in-apt targets</li>
           <li>Per-module <code>verified_on[]</code> table baked into the binary</li>
           <li><strong>--explain mode</strong> — one-page operator briefing per CVE</li>
           <li><strong>OPSEC notes</strong> — per-module runtime footprint</li>
           <li><strong>CISA KEV + NVD CWE + MITRE ATT&amp;CK</strong> metadata pipeline</li>
-          <li>119 detection rules across all four SIEM formats</li>
+          <li>151 detection rules across all four SIEM formats</li>
           <li><code>core/host.c</code> shared host-fingerprint refactor</li>
           <li>88-test harness (kernel_range + detect integration)</li>
         </ul>