feat(sniff): log source discovery + database persistence

- Create src/sniff/discovery.rs: LogSource, LogSourceType, discovery
  functions for system logs, Docker containers, and custom paths
- Create src/database/repositories/log_sources.rs: CRUD for log_sources
  and log_summaries tables (follows existing alerts repository pattern)
- Add log_sources and log_summaries tables to init_database()
- Export docker module from lib.rs for reuse by sniff discovery
- 14 unit tests (8 discovery + 6 repository)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: vsilent

.github/copilot-instructions.md

@@ -0,0 +1,113 @@
+# Stackdog Security — Copilot Instructions
+
+## What This Project Is
+
+Stackdog is a Rust-based security platform for Docker containers and Linux servers. It collects events via eBPF syscall monitoring, runs them through a rule/signature engine and optional ML anomaly detection, manages firewall responses (nftables/iptables + container quarantine), and exposes a REST + WebSocket API consumed by a React/TypeScript dashboard.
+
+## Workspace Structure
+
+This is a Cargo workspace with two crates:
+- `.` — Main crate (`stackdog`): HTTP server, all security logic
+- `ebpf/` — Separate crate (`stackdog-ebpf`): eBPF programs compiled for the kernel (uses `aya-ebpf`)
+
+## Build, Test, and Lint Commands
+
+```bash
+# Build
+cargo build
+cargo build --release
+
+# Tests
+cargo test --lib                        # Unit tests only (in-source)
+cargo test --all                        # All tests including integration
+cargo test --lib -- events::            # Run tests for a specific module
+cargo test --lib -- rules::scorer       # Run a single test by name prefix
+
+# Code quality
+cargo fmt --all
+cargo clippy --all
+cargo audit                             # Dependency vulnerability scan
+
+# Benchmarks
+cargo bench
+
+# Frontend (in web/)
+npm test
+npm run lint
+npm run build
+```
+
+## Environment Setup
+
+Requires a `.env` file (copy `.env.sample`). Key variables:
+```
+APP_HOST=0.0.0.0
+APP_PORT=5000
+DATABASE_URL=stackdog.db
+RUST_BACKTRACE=full
+```
+
+System dependencies (Linux): `libsqlite3-dev libssl-dev clang llvm pkg-config`
+
+## Architecture
+
+```
+Collectors (Linux only)     Rule Engine          Response
+  eBPF syscall events   →   Signatures       →   nftables/iptables
+  Docker daemon events  →   Threat scoring   →   Container quarantine
+  Network events        →   ML anomaly det.  →   Alerting
+
+                         REST + WebSocket API
+                         React/TypeScript UI
+```
+
+**Key src/ modules:**
+
+| Module | Purpose |
+|---|---|
+| `events/` | Core event types: `SyscallEvent`, `SecurityEvent`, `NetworkEvent`, `ContainerEvent` |
+| `rules/` | Rule engine, signature database, threat scorer |
+| `alerting/` | `AlertManager`, notification channels (Slack/email/webhook) |
+| `collectors/` | eBPF loader, Docker daemon events, network collector (Linux only) |
+| `firewall/` | nftables management, iptables fallback, `QuarantineManager` (Linux only) |
+| `ml/` | Candle-based anomaly detection (optional `ml` feature) |
+| `correlator/` | Event correlation engine |
+| `baselines/` | Baseline learning for anomaly detection |
+| `database/` | SQLite connection pool (`r2d2` + raw `rusqlite`), repositories |
+| `api/` | actix-web REST endpoints + WebSocket |
+| `response/` | Automated response action pipeline |
+
+## Key Conventions
+
+### Platform-Gating
+Linux-only modules (`collectors`, `firewall`) and deps (aya, netlink) are gated:
+```rust
+#[cfg(target_os = "linux")]
+pub mod firewall;
+```
+The `ebpf` and `ml` features are opt-in and must be enabled explicitly:
+```bash
+cargo build --features ebpf
+cargo build --features ml
+```
+
+### Error Handling
+- Use `anyhow::{Result, Context}` for application/binary code
+- Use `thiserror` for library error types
+- Never use `.unwrap()` in production code; use `?` with `.context("...")`
+
+### Database
+The project uses raw `rusqlite` with `r2d2` connection pooling. `DbPool` is `r2d2::Pool<SqliteConnectionManager>`. Tables are created with `CREATE TABLE IF NOT EXISTS` in `database::connection::init_database`. Repositories are in `src/database/repositories/` and receive a `&DbPool`.
+
+### API Routes
+Each API sub-module exports a `configure_routes(cfg: &mut web::ServiceConfig)` function. All routes are composed in `api::configure_all_routes`, which is the single call site in `main.rs`.
+
+### Test Location
+- **Unit tests**: `#[cfg(test)] mod tests { ... }` inside source files
+- **Integration tests**: `tests/` directory at workspace root
+
+### eBPF Programs
+The `ebpf/` crate is compiled separately for the Linux kernel. User-space loading is handled by `src/collectors/ebpf/` using the `aya` library. Kernel-side programs use `aya-ebpf`.
+
+### Async Runtime
+The main binary uses `#[actix_rt::main]`. Library code uses `tokio`. Avoid mixing runtimes.

.qwen/PROJECT_MEMORY.md

@@ -0,0 +1,277 @@
+# Stackdog Security - Project Memory
+
+## Project Identity
+
+**Name:** Stackdog Security  
+**Version:** 0.1.0 (Security-focused rewrite)  
+**Type:** Container and Linux Server Security Platform  
+**License:** MIT  
+
+## Core Mission
+
+> Provide real-time security monitoring, AI-powered threat detection, and automated response for Docker containers and Linux servers using Rust and eBPF technologies.
+
+## Key Decisions
+
+### Architecture Decisions
+
+| ID | Decision | Rationale | Date |
+|----|----------|-----------|------|
+| **ARCH-001** | Use eBPF for syscall monitoring | Minimal overhead (<5% CPU), kernel-level visibility, safe (sandboxed) | 2026-03-13 |
+| **ARCH-002** | Use Candle for ML instead of Python | Native Rust, no Python dependencies, fast inference, maintained by HuggingFace | 2026-03-13 |
+| **ARCH-003** | Use nftables over iptables | Modern, faster, better batch support, iptables as fallback | 2026-03-13 |
+| **ARCH-004** | TDD development methodology | Better code quality, maintainability, regression prevention | 2026-03-13 |
+| **ARCH-005** | Functional programming principles | Immutability, fewer bugs, easier reasoning about code | 2026-03-13 |
+
+### Technology Choices
+
+| Component | Technology | Alternatives Considered |
+|-----------|-----------|------------------------|
+| **eBPF Framework** | aya-rs | libbpf (C), bcc (Python) |
+| **ML Framework** | Candle (HuggingFace) | PyTorch (Python), ONNX Runtime, linfa |
+| **Web Framework** | Actix-web 4.x | Axum, Rocket |
+| **Database** | SQLite + rusqlite + r2d2 | PostgreSQL, Redis |
+| **Firewall** | nftables (netlink) | iptables, firewalld |
+
+## Project Structure
+
+```
+stackdog/
+├── src/
+│   ├── collectors/          # Event collection (eBPF, Docker, etc.)
+│   ├── events/              # Event types and structures
+│   ├── ml/                  # ML engine (Candle-based)
+│   ├── firewall/            # Firewall management (nftables/iptables)
+│   ├── response/            # Automated response actions
+│   ├── correlator/          # Event correlation
+│   ├── alerting/            # Alert system
+│   ├── api/                 # REST API + WebSocket
+│   ├── config/              # Configuration
+│   ├── models/              # Data models
+│   ├── database/            # Database operations
+│   └── utils/               # Utilities
+├── ebpf/                    # eBPF programs (separate crate)
+├── web/                     # React/TypeScript frontend
+├── tests/                   # Integration tests
+├── benches/                 # Performance benchmarks
+└── models/                  # Pre-trained ML models
+```
+
+## Development Principles
+
+### Clean Code (Robert C. Martin)
+
+1. **DRY** - Don't Repeat Yourself
+2. **SRP** - Single Responsibility Principle
+3. **OCP** - Open/Closed Principle
+4. **DIP** - Dependency Inversion Principle
+5. **Functional First** - Immutability, From/Into traits, builder pattern
+
+### TDD Workflow
+
+```
+Red → Green → Refactor
+```
+
+1. Write failing test
+2. Run test (verify failure)
+3. Implement minimal code to pass
+4. Run test (verify pass)
+5. Refactor (maintain passing tests)
+
+### Code Review Checklist
+
+- [ ] Tests written first (TDD)
+- [ ] All tests pass
+- [ ] Code formatted (`cargo fmt`)
+- [ ] No clippy warnings
+- [ ] DRY principle followed
+- [ ] Functions < 50 lines
+- [ ] Error handling comprehensive
+- [ ] Documentation for public APIs
+
+## Key APIs and Interfaces
+
+### Event Types
+
+```rust
+// Core security event
+pub enum SecurityEvent {
+    Syscall(SyscallEvent),
+    Network(NetworkEvent),
+    Container(ContainerEvent),
+    Alert(AlertEvent),
+}
+
+// Syscall event from eBPF
+pub struct SyscallEvent {
+    pub pid: u32,
+    pub uid: u32,
+    pub syscall_type: SyscallType,
+    pub timestamp: DateTime<Utc>,
+    pub container_id: Option<String>,
+}
+```
+
+### ML Interface
+
+```rust
+// Feature vector for ML
+pub struct SecurityFeatures {
+    pub syscall_rate: f64,
+    pub network_rate: f64,
+    pub unique_processes: u32,
+    pub privileged_calls: u32,
+    // ...
+}
+
+// Threat score output
+pub enum ThreatScore {
+    Normal,
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+```
+
+### Firewall Interface
+
+```rust
+pub trait FirewallBackend {
+    fn add_rule(&self, rule: &Rule) -> Result<()>;
+    fn remove_rule(&self, rule: &Rule) -> Result<()>;
+    fn batch_update(&self, rules: &[Rule]) -> Result<()>;
+    fn block_container(&self, container_id: &str) -> Result<()>;
+    fn quarantine_container(&self, container_id: &str) -> Result<()>;
+}
+```
+
+## Configuration
+
+### Environment Variables
+
+```bash
+APP_HOST=0.0.0.0
+APP_PORT=5000
+DATABASE_URL=stackdog.db
+RUST_LOG=info
+RUST_BACKTRACE=full
+
+# Security-specific
+EBPF_ENABLED=true
+FIREWALL_BACKEND=nftables  # or iptables
+ML_ENABLED=true
+ML_MODEL_PATH=models/
+ALERT_THRESHOLD=0.75
+```
+
+### Cargo Features
+
+```toml
+[features]
+default = ["nftables", "ml"]
+nftables = ["netlink-packet-route"]
+iptables = ["iptables"]
+ml = ["candle-core", "candle-nn"]
+ebpf = ["aya"]
+```
+
+## Testing Strategy
+
+### Test Categories
+
+| Category | Location | Command | Coverage Target |
+|----------|----------|---------|-----------------|
+| Unit | `src/**/*.rs` | `cargo test` | 80%+ |
+| Integration | `tests/integration/` | `cargo test --test integration` | Critical paths |
+| E2E | `tests/e2e/` | `cargo test --test e2e` | Key workflows |
+| Benchmark | `benches/` | `cargo bench` | Performance targets |
+
+### Performance Targets
+
+| Metric | Target |
+|--------|--------|
+| Event throughput | 100K events/sec |
+| ML inference latency | <10ms |
+| Firewall update | <1ms per rule |
+| Memory usage | <256MB baseline |
+| CPU overhead | <5% |
+
+## Dependencies
+
+### Core
+
+- `actix-web` - Web framework
+- `aya` - eBPF framework
+- `candle-core`, `candle-nn` - ML framework
+- `bollard` - Docker API
+- `rusqlite` - SQLite driver
+- `r2d2` - Connection pool
+- `netlink-packet-route` - nftables
+- `tokio` - Async runtime
+
+### Development
+
+- `mockall` - Mocking for tests
+- `criterion` - Benchmarking
+- `cargo-audit` - Security audit
+- `cargo-deny` - Dependency linting
+
+## Milestones
+
+| Version | Target | Features |
+|---------|--------|----------|
+| v0.1.0 | Week 4 | eBPF collectors, basic rules |
+| v0.2.0 | Week 6 | Firewall integration |
+| v0.3.0 | Week 10 | ML anomaly detection |
+| v0.4.0 | Week 12 | Alerting system |
+| v0.5.0 | Week 16 | Web dashboard |
+| v1.0.0 | Week 18 | Production release |
+
+## Risks and Mitigations
+
+| Risk | Impact | Probability | Mitigation |
+|------|--------|-------------|------------|
+| eBPF kernel compatibility | High | Medium | Fallback to auditd |
+| ML model accuracy | High | Medium | Start with rule-based, iterate |
+| Performance overhead | High | Low | Benchmark early, optimize |
+| False positives | Medium | High | Tunable thresholds, learning period |
+
+## Open Questions
+
+1. **Model Training:** How to collect training data for ML models?
+   - Decision: Start with synthetic data, then real-world collection
+
+2. **Multi-node Support:** Single node first, cluster later?
+   - Decision: Single node for v1.0, cluster in v2.0
+
+3. **Kubernetes Support:** Include in scope?
+   - Decision: Out of scope for v1.0, backlog for v2.0
+
+## Resources
+
+### Documentation
+
+- [DEVELOPMENT.md](DEVELOPMENT.md) - Full development plan
+- [TODO.md](TODO.md) - Task tracking
+- [BUGS.md](BUGS.md) - Bug tracking
+- [CONTRIBUTING.md](CONTRIBUTING.md) - Contribution guidelines
+
+### External
+
+- [Rust Book](https://doc.rust-lang.org/book/)
+- [Candle Docs](https://docs.rs/candle-core)
+- [aya-rs Docs](https://aya-rs.dev/)
+- [eBPF Documentation](https://ebpf.io/)
+
+## Contact
+
+- **Project Lead:** Vasili Pascal
+- **Email:** info@try.direct
+- **Twitter:** [@VasiliiPascal](https://twitter.com/VasiliiPascal)
+- **Gitter:** [stackdog/community](https://gitter.im/stackdog/community)
+
+---
+
+*Last updated: 2026-03-13*

Cargo.toml

@@ -74,6 +74,7 @@ ebpf = []
 [dev-dependencies]
 # Testing
 tokio-test = "0.4"
+tempfile = "3"
 
 # Benchmarking
 criterion = { version = "0.5", features = ["html_reports"] }