trydirect
diff --git a/‎.gitignore‎
Lines changed: 0 additions & 4 deletions b/‎.gitignore‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 353 additions & 0 deletions b/‎README.md‎
Lines changed: 353 additions & 0 deletions
@@ -33,8 +33,4 @@ Cargo.lock
 # End of https://www.gitignore.io/api/rust,code
 
 .idea
-<<<<<<< HEAD
-=======
-*.db
->>>>>>> testing
 docs/tasks/
@@ -482,6 +482,359 @@ cargo doc --open
 
 ### Project Structure
 
+## 🚀 Quick Start
+
+### Run as Binary
+
+```bash
+# Clone repository
+git clone https://github.com/vsilent/stackdog
+cd stackdog
+
+# Build and run
+cargo run
+```
+
+### Use as Library
+
+Add to your `Cargo.toml`:
+
+```toml
+[dependencies]
+stackdog = "0.2"
+```
+
+Basic usage:
+
+```rust
+use stackdog::{RuleEngine, AlertManager, ThreatScorer};
+
+let mut engine = RuleEngine::new();
+let mut alerts = AlertManager::new()?;
+let scorer = ThreatScorer::new();
+
+// Process security events
+for event in events {
+    let score = scorer.calculate_score(&event);
+    if score.is_high_or_higher() {
+        alerts.generate_alert(...)?;
+    }
+}
+```
+
+### Docker Development
+
+```bash
+# Start development environment
+docker-compose up -d
+
+# View logs
+docker-compose logs -f stackdog
+```
+
+---
+
+## 🏗️ Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                     Stackdog Security Core                       │
+├─────────────────────────────────────────────────────────────────┤
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
+│  │  Collectors │  │   ML/AI     │  │   Response Engine       │  │
+│  │             │  │   Engine    │  │                         │  │
+│  │ • eBPF      │  │             │  │ • nftables/iptables     │  │
+│  │ • Auditd    │  │ • Anomaly   │  │ • Container quarantine  │  │
+│  │ • Docker    │  │   Detection │  │ • Auto-response         │  │
+│  │   Events    │  │ • Scoring   │  │ • Alerting              │  │
+│  └─────────────┘  └─────────────┘  └─────────────────────────┘  │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Components
+
+| Component | Description | Status |
+|-----------|-------------|--------|
+| **Events** | Security event types & validation | ✅ Complete |
+| **Rules** | Rule engine & signature detection | ✅ Complete |
+| **Alerting** | Alert management & notifications | ✅ Complete |
+| **Firewall** | nftables/iptables integration | ✅ Complete |
+| **Collectors** | eBPF syscall monitoring | ✅ Infrastructure |
+| **ML** | Candle-based anomaly detection | 🚧 In progress |
+
+---
+
+## 🎯 Features
+
+### 1. Event Collection
+
+```rust
+use stackdog::{SyscallEvent, SyscallType};
+
+let event = SyscallEvent::builder()
+    .pid(1234)
+    .uid(1000)
+    .syscall_type(SyscallType::Execve)
+    .container_id(Some("abc123".to_string()))
+    .build();
+```
+
+**Supported Events:**
+- Syscall events (execve, connect, openat, ptrace, etc.)
+- Network events
+- Container lifecycle events
+- Alert events
+
+### 2. Rule Engine
+
+```rust
+use stackdog::RuleEngine;
+use stackdog::rules::builtin::{SyscallBlocklistRule, ProcessExecutionRule};
+
+let mut engine = RuleEngine::new();
+engine.register_rule(Box::new(SyscallBlocklistRule::new(
+    vec![SyscallType::Ptrace, SyscallType::Setuid]
+)));
+
+let results = engine.evaluate(&event);
+```
+
+**Built-in Rules:**
+- Syscall allowlist/blocklist
+- Process execution monitoring
+- Network connection tracking
+- File access monitoring
+
+### 3. Signature Detection
+
+```rust
+use stackdog::SignatureDatabase;
+
+let db = SignatureDatabase::new();
+println!("Loaded {} signatures", db.signature_count());
+
+let matches = db.detect(&event);
+for sig in matches {
+    println!("Threat: {} (Severity: {})", sig.name(), sig.severity());
+}
+```
+
+**Built-in Signatures (10+):**
+- 🪙 Crypto miner detection
+- 🏃 Container escape attempts
+- 🌐 Network scanners
+- 🔐 Privilege escalation
+- 📤 Data exfiltration
+
+### 4. Threat Scoring
+
+```rust
+use stackdog::ThreatScorer;
+
+let scorer = ThreatScorer::new();
+let score = scorer.calculate_score(&event);
+
+if score.is_critical() {
+    println!("Critical threat detected! Score: {}", score.value());
+}
+```
+
+**Severity Levels:**
+- Info (0-19)
+- Low (20-39)
+- Medium (40-69)
+- High (70-89)
+- Critical (90-100)
+
+### 5. Alert System
+
+```rust
+use stackdog::AlertManager;
+
+let mut manager = AlertManager::new()?;
+
+let alert = manager.generate_alert(
+    AlertType::ThreatDetected,
+    AlertSeverity::High,
+    "Suspicious activity detected".to_string(),
+    Some(event),
+)?;
+
+manager.acknowledge_alert(&alert.id())?;
+```
+
+**Notification Channels:**
+- Console (logging)
+- Slack webhooks
+- Email (SMTP)
+- Generic webhooks
+
+### 6. Firewall & Response
+
+```rust
+use stackdog::{QuarantineManager, ResponseAction, ResponseType};
+
+// Quarantine container
+let mut quarantine = QuarantineManager::new()?;
+quarantine.quarantine("container_abc123")?;
+
+// Automated response
+let action = ResponseAction::new(
+    ResponseType::BlockIP("192.168.1.100".to_string()),
+    "Block malicious IP".to_string(),
+);
+```
+
+**Response Actions:**
+- Block IP addresses
+- Block ports
+- Quarantine containers
+- Kill processes
+- Send alerts
+- Custom commands
+
+---
+
+## 📦 Installation
+
+### Prerequisites
+
+- **Rust** 1.75+ ([install](https://rustup.rs/))
+- **SQLite3** + libsqlite3-dev
+- **Linux** kernel 4.19+ (for eBPF features)
+- **Clang/LLVM** (for eBPF compilation)
+
+### Install Dependencies
+
+**Ubuntu/Debian:**
+```bash
+apt-get install libsqlite3-dev libssl-dev clang llvm pkg-config
+```
+
+**macOS:**
+```bash
+brew install sqlite openssl llvm
+```
+
+**Fedora/RHEL:**
+```bash
+dnf install sqlite-devel openssl-devel clang llvm
+```
+
+### Build from Source
+
+```bash
+git clone https://github.com/vsilent/stackdog
+cd stackdog
+cargo build --release
+```
+
+### Run Tests
+
+```bash
+# Run all tests
+cargo test --lib
+
+# Run specific module tests
+cargo test --lib -- events::
+cargo test --lib -- rules::
+cargo test --lib -- alerting::
+```
+
+---
+
+## 💡 Usage Examples
+
+### Example 1: Detect Suspicious Syscalls
+
+```rust
+use stackdog::{RuleEngine, SyscallEvent, SyscallType};
+use stackdog::rules::builtin::SyscallBlocklistRule;
+
+let mut engine = RuleEngine::new();
+engine.register_rule(Box::new(SyscallBlocklistRule::new(
+    vec![SyscallType::Ptrace, SyscallType::Setuid]
+)));
+
+let event = SyscallEvent::new(
+    1234, 1000, SyscallType::Ptrace, Utc::now()
+);
+
+let results = engine.evaluate(&event);
+if results.iter().any(|r| r.is_match()) {
+    println!("⚠️ Suspicious syscall detected!");
+}
+```
+
+### Example 2: Container Quarantine
+
+```rust
+use stackdog::QuarantineManager;
+
+let mut quarantine = QuarantineManager::new()?;
+
+// Quarantine compromised container
+quarantine.quarantine("container_abc123")?;
+
+// Check quarantine status
+let state = quarantine.get_state("container_abc123");
+println!("Container state: {:?}", state);
+
+// Release after investigation
+quarantine.release("container_abc123")?;
+```
+
+### Example 3: Multi-Event Pattern Detection
+
+```rust
+use stackdog::{SignatureMatcher, PatternMatch, SyscallType};
+
+let mut matcher = SignatureMatcher::new();
+
+// Detect: execve followed by ptrace (suspicious)
+matcher.add_pattern(
+    PatternMatch::new()
+        .with_syscall(SyscallType::Execve)
+        .then_syscall(SyscallType::Ptrace)
+        .within_seconds(60)
+);
+
+let result = matcher.match_sequence(&events);
+if result.is_match() {
+    println!("⚠️ Suspicious pattern detected!");
+}
+```
+
+### More Examples
+
+See [`examples/usage_examples.rs`](examples/usage_examples.rs) for complete working examples.
+
+Run examples:
+```bash
+cargo run --example usage_examples
+```
+
+---
+
+## 📚 Documentation
+
+| Document | Description |
+|----------|-------------|
+| [DEVELOPMENT.md](DEVELOPMENT.md) | Complete development plan (18 weeks) |
+| [TESTING.md](TESTING.md) | Testing guide and infrastructure |
+| [TODO.md](TODO.md) | Task tracking and roadmap |
+| [CHANGELOG.md](CHANGELOG.md) | Version history |
+| [CONTRIBUTING.md](CONTRIBUTING.md) | Contribution guidelines |
+| [STATUS.md](STATUS.md) | Current implementation status |
+
+### API Documentation
+
+```bash
+# Generate docs
+cargo doc --open
+
+# View online (after release)
+# https://docs.rs/stackdog
 ```
 stackdog/
 ├── src/