When is the Final vbmeta Image Generated in a Signed Build?

0 votes
0 answers
660 views
**BACKGROUND**

I am attempting to generate my own signed builds of LineageOS 18.1 and am having trouble with the final signed OTA. Specifically, the vendor partition is failing during AVB verification, which causes a boot loop. To perform my build, I am following the official Lineage build instructions as well as a number of external guides. The general outline is as follows:

1. Build Android via `mka target-files-package otatools`. Interestingly, after this step, I have a valid vbmeta at `$OUT/obj/PACKAGING/target_files_intermediates/lineage_fajita-target_files-eng.*/IMAGES/vbmeta.img` which has the correct hashes for both the vendor and system images found in the same directory.
2. `./build/tools/releasetools/sign_target_files_apks -o -d $CERTDIR -p "$ANDROID_HOST_OUT" --prebuilts_path $TOPDIR/images/fajita $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip`.
3. `./build/tools/releasetools/ota_from_target_files -p "$ANDROID_HOST_OUT" -k $CERTDIR/releasekey --block signed-target_files.zip lineage-18.1-$(date "+%Y%m%d")-UNOFFICIAL-fajita-signed.zip`.
4. Profit.

I admit, step 2 confuses me somewhat. I get that each of the APKs is extracted and signed; that part is easy. What I do not understand is what happens to the files after they have been signed. If I extract `signed-target_files.zip` I have both a full system image at `IMAGES/system.img` as well as what appears to be a full system rootfs as individual files at `SYSTEM/*`. Which is the "correct" system payload? I notice there is no equivalent `VENDOR/*` directory; shouldn't one have been created in a similar fashion to the system files?

After step 2, I see that the vbmeta image in the extracted `signed-target_files.zip` is different. Obviously, the hash for the system image has to be regenerated as the image contents have changed and, presumably, the same would have to happen for vendor and/or any other partition which has its contents updated.

Unfortunately, this is where things seem to go off the rails. Again with the extracted `signed-target_files.zip`:

- `IMAGES/vbmeta.img` has the correct SHA for `IMAGES/system.img`, with a different value from what is found under `$OUT`.
- `IMAGES/vbmeta.img` has an _incorrect_ SHA for `IMAGES/vendor.img`. This value is also different from what is in `$OUT`.
- `IMAGES/vbmeta.img` has correct SHAs for `boot.img` and `dtbo.img` which, as far as I can tell, are unmodified from the original build.

**QUESTIONS**

1. When signing an Android build, which files are used to generate the updated vbmeta image?
2. How do these relate to the contents of `signed-target_files.zip`?
3. Is there any good documentation on this part of the build process? I have found a bunch of stuff on how APKs are signed or how AVB verification works but, unfortunately, startlingly little on the mechanics of signed image generation itself.
Asked by MysteryMoose (109 rep)
Dec 8, 2021, 06:58 PM
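
The comparison described in the question (does each digest in `IMAGES/vbmeta.img` match the image beside it?) can be scripted. The following is an added example, not part of the original post and not code from AOSP or LineageOS: it reads the hash descriptors from a vbmeta blob and recomputes `hash(salt + image)` for each supplied image. The function names and the sample data are hypothetical, the byte offsets assume the libavb vbmeta header and hash-descriptor layout, and only hash descriptors are checked (the kind `boot` and `dtbo` carry); hashtree descriptors, typically used for `system` and `vendor`, are skipped because their root digest requires rebuilding the dm-verity tree.

```python
import hashlib
import struct

HEADER_SIZE = 256  # fixed vbmeta header size
TAG_HASH = 2       # descriptor tag of a hash descriptor (boot, dtbo, ...)

def hash_descriptors(vbmeta):
    """Yield (partition, algorithm, image_size, salt, digest) per hash descriptor."""
    if vbmeta[:4] != b"AVB0":
        raise ValueError("not a vbmeta image")
    (auth_size,) = struct.unpack_from(">Q", vbmeta, 12)
    desc_off, desc_size = struct.unpack_from(">2Q", vbmeta, 96)
    pos = HEADER_SIZE + auth_size + desc_off  # descriptors sit in the auxiliary block
    end = pos + desc_size
    while pos + 16 <= end:
        tag, nbytes = struct.unpack_from(">2Q", vbmeta, pos)
        if tag == TAG_HASH:
            size, algo, n_len, s_len, d_len, _ = struct.unpack_from(">Q32s4L", vbmeta, pos + 16)
            var = vbmeta[pos + 132:pos + 132 + n_len + s_len + d_len]
            name, salt, digest = var[:n_len], var[n_len:n_len + s_len], var[n_len + s_len:]
            yield name.decode(), algo.rstrip(b"\0").decode(), size, salt, digest
        pos += 16 + nbytes  # other descriptor types are skipped

def check_images(vbmeta, images):
    """Return {partition: bool}: does each supplied image match its descriptor?"""
    result = {}
    for name, algo, size, salt, digest in hash_descriptors(vbmeta):
        if name in images:
            actual = hashlib.new(algo, salt + images[name][:size]).digest()
            result[name] = actual == digest
    return result

def make_sample_vbmeta(entries):
    """Constructed input: an unsigned vbmeta holding only hash descriptors."""
    descs = b""
    for name, salt, image in entries:
        digest = hashlib.sha256(salt + image).digest()
        body = struct.pack(">Q32s4L60x", len(image), b"sha256", len(name), len(salt), len(digest), 0)
        body += name.encode() + salt + digest
        body += b"\0" * (-len(body) % 8)  # descriptors are padded to 8 bytes
        descs += struct.pack(">2Q", TAG_HASH, len(body)) + body
    header = struct.pack(">4s2L2QL11Q2L47sx80x", b"AVB0", 1, 0, 0, len(descs), 0,
                         0, 0, 0, 0, 0, 0, 0, 0, 0, len(descs), 0, 0, 0, b"constructed")
    return header + descs

SAMPLE = make_sample_vbmeta([("boot", b"\x01" * 4, b"boot-v1"), ("dtbo", b"\x02" * 4, b"dtbo-v1")])
```

Against real files, pass the bytes of `IMAGES/vbmeta.img` and a dict such as `{"boot": <bytes of IMAGES/boot.img>}`; a `False` entry means the image was changed after the vbmeta that describes it was written.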