Feature/detectors (vsilent#103)

* ebpf files

* refactoring, ebpf / containers

* feat(cli): add clap subcommands (serve/sniff) + sniff config

- Add clap 4 for CLI argument parsing
- Refactor main.rs: dispatch to serve (default) or sniff subcommand
- Create src/cli.rs with Cli/Command enums
- Create src/sniff/config.rs with SniffConfig (env + CLI args)
- Add new deps: clap, async-trait, reqwest, zstd
- Update .env.sample with sniff + AI provider config vars
- 12 unit tests (7 CLI parsing + 5 config loading)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): log source discovery + database persistence

- Create src/sniff/discovery.rs: LogSource, LogSourceType, discovery
  functions for system logs, Docker containers, and custom paths
- Create src/database/repositories/log_sources.rs: CRUD for log_sources
  and log_summaries tables (follows existing alerts repository pattern)
- Add log_sources and log_summaries tables to init_database()
- Export docker module from lib.rs for reuse by sniff discovery
- 14 unit tests (8 discovery + 6 repository)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): log reader trait + File/Docker/Journald implementations

- Create src/sniff/reader.rs with LogReader async trait and LogEntry struct
- FileLogReader: byte offset tracking, incremental reads, log rotation detection
- DockerLogReader: bollard-based container log streaming with timestamp filtering
- JournaldReader: journalctl subprocess (Linux-gated with #[cfg(target_os = "linux")])
- Add futures-util dependency for Docker log stream consumption
- 10 unit tests covering read, incremental, truncation, empty lines, metadata

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): AI log analysis with OpenAI and pattern backends

- Create src/sniff/analyzer.rs with LogAnalyzer trait
- OpenAiAnalyzer: single client for OpenAI/Ollama/vLLM/any compatible API
  sends batched logs to /chat/completions, parses structured JSON response
- PatternAnalyzer: fallback local analyzer using regex-free pattern matching
  detects error spikes, counts errors/warnings without external AI
- LogSummary and LogAnomaly types with serialization support
- JSON response parsing with graceful handling of partial LLM output
- 16 unit tests (prompt building, JSON parsing, pattern analysis, serialization)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): consume mode — zstd compression, dedup, log purge

- Create src/sniff/consumer.rs with LogConsumer
- FNV hashing deduplication with configurable capacity (100k entries)
- zstd compression (level 3) with timestamped archive files
- File purge via truncation (preserves fd for syslog daemons)
- Docker log purge via /var/lib/docker/containers/ JSON log truncation
- Full consume pipeline: deduplicate → compress → purge → report stats
- ConsumeResult tracks entries_archived, duplicates_skipped, bytes_freed
- 13 unit tests (hashing, dedup, compression, purge, full pipeline)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): reporter + orchestrator loop

- Reporter: converts LogSummary/LogAnomaly into Alerts using existing
  AlertManager infrastructure (route_by_severity, NotificationChannel)
- SniffOrchestrator: full discover → read → analyze → report → consume
  pipeline with continuous and one-shot modes
- Wire up run_sniff() in main.rs to use SniffOrchestrator
- Add events, rules, alerting, models modules to binary crate
- 7 new tests (reporter: 5, orchestrator: 3)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): REST API for log sources and summaries

- GET /api/logs/sources — list discovered log sources
- POST /api/logs/sources — manually add a custom log source
- GET /api/logs/sources/{path} — get a single source
- DELETE /api/logs/sources/{path} — remove a source
- GET /api/logs/summaries — list AI summaries (optional source_id filter)
- Register routes in configure_all_routes
- 7 tests covering all endpoints

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update CHANGELOG and README for sniff feature

- CHANGELOG: document all sniff additions (discovery, readers, AI
  analysis, consumer, reporter, orchestrator, REST API, deps)
- README: add log sniffing to key features, architecture diagram,
  project structure, CLI usage examples, REST API examples,
  and completed tasks list

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: remove task files from repo and gitignore

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: add curl-based binary installation

- install.sh: POSIX shell installer — detects Linux x86_64/aarch64,
  downloads from GitHub Releases, verifies SHA256, installs to
  /usr/local/bin
- release.yml: GitHub Actions workflow — builds Linux binaries on tag
  push using cross, creates release with tarballs + checksums
- README: add curl install one-liner to Quick Start

Usage:
  curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/dev/install.sh | sudo bash

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: fix ML module status — stub infrastructure, not in progress

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(cli): add --ai-model and --ai-api-url flags to sniff command

- Add --ai-model flag to specify AI model (e.g. qwen2.5-coder:latest)
- Add --ai-api-url flag to specify API endpoint URL
- Recognize "ollama" as AI provider alias (maps to OpenAI-compatible client)
- CLI args override env vars for model and API URL
- Log AI model and API URL at startup for transparency

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(sniff): add debug logging and robust LLM JSON extraction

- Add debug/trace logging across entire sniff pipeline:
  discovery, reader, analyzer, orchestrator, reporter
- Respect user RUST_LOG env var (no longer hardcoded to info)
- Improve LLM response JSON extraction to handle:
  markdown code fences, preamble text, trailing text
- Include raw LLM response in trace logs for debugging parse failures
- Show first 200 chars of failed JSON in error messages
- Add 5 tests for extract_json edge cases

Usage: RUST_LOG=debug stackdog sniff --once ...

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(alerting): implement real Slack webhook notifications

- Add --slack-webhook CLI flag to sniff command
- Read STACKDOG_SLACK_WEBHOOK_URL env var (CLI overrides env)
- Implement actual HTTP POST to Slack incoming webhook API
- Build proper JSON payloads with serde_json (color-coded by severity)
- Add reqwest blocking feature for synchronous notification delivery
- Wire NotificationConfig through SniffConfig → Orchestrator → Reporter
- Add STACKDOG_WEBHOOK_URL env var support
- Update .env.sample with notification channel examples
- Add 3 tests for Slack webhook config (CLI, env, override priority)

Usage:
  stackdog sniff --once --slack-webhook https://hooks.slack.com/services/T/B/xxx
  # or via env:
  export STACKDOG_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T/B/xxx

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update docker.yml

* ci: upgrade deprecated GitHub Actions to v4

- actions/cache v2 → v4
- actions/upload-artifact v2 → v4
- actions/download-artifact v2 → v4
- actions/checkout v2 → v4
- docker/build-push-action v1 → v6 (+ docker/login-action v3)
- github/codeql-action/upload-sarif v1 → v3

Fixes: deprecated action versions causing workflow failures

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: modernize Docker CICD workflow

- Replace deprecated actions-rs/* with dtolnay/rust-toolchain + cargo commands
- Fix broken rustfmt/clippy steps (were using wrong action parameters)
- Use Swatinem/rust-cache for simpler, faster dependency caching
- Use ubuntu-latest runners instead of self-hosted
- Add Docker Buildx for improved image builds
- Trigger on PRs to main and dev (pushes :latest on every build)
- Use npm ci for deterministic frontend installs
- Add artifact retention-days: 1 to save storage

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: switch to musl targets and rustls for portable binaries

- reqwest: use rustls-tls instead of native-tls (no OpenSSL dependency)
- release.yml: build x86_64/aarch64-unknown-linux-musl (static binaries)
- Dockerfile: update debian:buster-slim → bookworm-slim, drop libpq-dev

Statically linked binaries work on any Linux distro including Alpine.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: add pre-commit hook and apply cargo fmt

Add .githooks/pre-commit that runs:
- cargo fmt --all --check (strict, blocks commit)
- cargo clippy (shows warnings, blocks on compile errors)

Enable with: git config core.hooksPath .githooks

Also applies cargo fmt --all to fix existing formatting across codebase.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: resolve all clippy warnings

- Remove unused imports across 17 files
- Prefix unused variables/fields with underscore
- Implement Default trait instead of inherent default() methods (dedup, threat_scorer)
- Implement FromStr trait instead of inherent from_str() methods (AiProvider, LogSourceType)
- Replace Iterator::last() with next_back() on DoubleEndedIterator
- Derive Default for EbpfLoader instead of manual impl
- Remove useless .into() conversion in database connection
- Wrap too-many-arguments functions with param structs (SniffArgs, CreateLogSummaryParams)
- Replace filter_map(Some(...)) with map(...) in build_readers
- Replace manual find loop with Iterator::find
- Collapse nested if-let in signature_matcher
- Gate program_to_tracepoint with cfg for Linux+ebpf only
- Move api module to library crate, fix binary to import from library
- Fix pre-existing test_get_alerts_empty to init database
- Use std::io::Error::other() instead of Error::new(Other, e)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: use _pid consistently in get_process_comm

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: resolve clippy errors in Linux-only firewall modules

- Remove unused imports in nftables.rs, quarantine.rs
- Replace inherent to_string() with Display trait for NfTable
- Remove needless borrows in .args() calls (iptables.rs, nftables.rs)
- Prefix unused variables with underscore (response.rs)
- Add error() getter to ResponseLog

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: remove redundant to_string() in format! args

NfTable implements Display, so format! uses it directly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: convert NfTable to string before passing to args()

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: bump VERSION.md to 0.2.0

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: resolve warnings in tests and examples

- Remove unused imports (AlertSeverity, AlertType, anyhow::Result, SyscallEvent, SyscallType)
- Prefix unused variables with underscore
- Fix EbpfLoader::default() test (returns value, not Result)
- Fix KernelVersionTooLow fields to use String not integer literals
- Remove unnecessary mut on enricher variables

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: restore mutable enricher in enrichment tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: align test mutability and silence unused ptrace events var

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(tests): clean remaining all-target warnings and invalid literal

- remove useless UID >= 0 assertion (u32)
- replace invalid u16 port overflow test with type-safety test
- remove redundant serde_json import
- fix cfg-sensitive unused vars in enrichment tests
- clean monitor test vars in syscall monitor unit tests
- remove unused TestRule in rules engine tests
- use from_ref instead of cloned slice in sniff discovery test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: restore used enrichment vars and silence ptrace unused vars

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: handle non-linux unused vars in enrichment tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: fix ebpf loader creation assertion for linux builds

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: use valid 64-char hex container ID in enrichment test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: fallback to npm install when web lockfile is missing

Use npm ci only when web/package-lock.json exists to avoid EUSAGE in CI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: add webpack config with TS entrypoint for dashboard build

Fix CI frontend build fallback to default ./src entry by defining explicit
entry ./src/index.tsx and html template.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: fix dashboard import paths and TypeScript build errors

- Correct component imports from ../../services|types to ../services|types
- Fix react-bootstrap Alert alias in ContainerList
- Add explicit typed mappings for alert/container badge variants
- Type websocket stats callback payload
- Import fireEvent in ThreatMap tests
- Improve WebSocket test mock shape to satisfy TS
- Expose ApiService.api for existing tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* log: show API URL instead of dashboard bind address

- Replace misleading "Web Dashboard" startup line
- Show user-facing API URL and map 0.0.0.0 -> 127.0.0.1 for display

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: default API/WS endpoints to APP_PORT or 5555

- Inject APP_PORT and REACT_APP_API_PORT into webpack env
- API service default: http://localhost:${port}/api (port from env, fallback 5555)
- WS service default: ws://localhost:${port}/ws (port from env, fallback 5555)

Fixes frontend trying to connect to hardcoded port 5000.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: normalize container API payloads to prevent runtime crashes

Handle both snake_case and camelCase fields for containers API responses,
with safe defaults for missing nested fields (securityStatus/networkActivity).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: fix threat statistics endpoint path

Use /threats/statistics to match backend routes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: guard ThreatMap against missing stats buckets

Handle absent byType/bySeverity in API responses to prevent runtime
Object.entries(undefined) crashes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: restore CSS injection and degrade gracefully without WS endpoint

- Use style-loader + css-loader for .css files (fix dashboard styling)
- Add css/style loader deps to web package
- WebSocket service now falls back to REST-only mode when /ws is unavailable
  to avoid noisy reconnect/error spam in dev

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: add left sidebar navigation to dashboard layout

- Introduce Sidebar component with Overview/Threats/Alerts/Containers links
- Update App layout to include sidebar + main dashboard content
- Add section anchors in Dashboard for sidebar navigation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* web: move logo to sidebar and add top actions bar

- Move logo into sidebar at 39x39 (30% larger than 30x30)\n- Remove "Stackdog Security Dashboard" header text\n- Add top bar with right-aligned actions menu button (...)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* install: fallback when latest release is missing

- Handle GitHub /releases/latest 404 gracefully\n- Fallback to most recent release entry\n- Improve install usage examples to main branch URL

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: avoid panic on malformed .env

- Make .env loading non-fatal in main\n- Print warning and continue with existing environment\n- Ensures stackdog --help works even with malformed .env

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update README and changelog for installer/env fixes

- README: switch install script examples to main and v0.2.1\n- CHANGELOG: document non-fatal .env loading and installer fallback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Limit sniff analyzer prompts

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add live mail abuse guard

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* iptables & nftables

* multiple updates, eBPF, container API quality is improved

* tests, ip_ban engine implemented, frontend dashboard improvements

* logs, containers in ui, ports, ws

* context.to_string()

* clippy fix

* clippy fix

* clippy fix

* ip_ban::engine::tests

* GLIBC_2.39 not found fix, using musl

* docker files

* multi stage build

* The problem was cross build reusing the default target directory, which already contained host-built build-script binaries. Now  musl build uses its own isolated target di

* mount docker.sock to stackdog container

* Audit, analyze syslog, new detectors, sniff command enriched

* Audit, analyze syslog, new detectors, sniff command enriched

---------

Co-authored-by: vsilent <jabberroid@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

.githooks/pre-commit

@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+echo "🐕 Stackdog pre-commit: running cargo fmt..."
+cargo fmt --all -- --check || {
+    echo "❌ cargo fmt failed. Run 'cargo fmt --all' to fix."
+    exit 1
+}
+
+echo "🐕 Stackdog pre-commit: running cargo clippy..."
+cargo clippy 2>&1
+CLIPPY_EXIT=$?
+if [ $CLIPPY_EXIT -ne 0 ]; then
+    echo "❌ cargo clippy failed to compile. Fix errors before committing."
+    exit 1
+fi
+
+echo "✅ Pre-commit checks passed."

.github/workflows/codacy-analysis.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI
@@ -41,6 +41,6 @@ jobs:
 
       # Upload the SARIF file generated in the previous step
       - name: Upload SARIF results file
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/docker.yml

@@ -2,161 +2,100 @@ name: Docker CICD
 
 on:
   push:
-    branches:
-      - master
-      - testing
+    branches: [main, dev]
   pull_request:
-    branches:
-      - master
+    branches: [main, dev]
 
 jobs:
-  cicd-linux-docker:
-    name: Cargo and npm build
-    #runs-on: ubuntu-latest
-    runs-on: [self-hosted, linux]
+  build:
+    name: Build & Test
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout sources
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      - name: Install stable toolchain
-        uses: actions-rs/toolchain@v1
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
           components: rustfmt, clippy
+          targets: x86_64-unknown-linux-musl
 
-      - name: Cache cargo registry
-        uses: actions/cache@v2.1.6
-        with:
-          path: ~/.cargo/registry
-          key: docker-registry-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            docker-registry-
-            docker-
-
-      - name: Cache cargo index
-        uses: actions/cache@v2.1.6
-        with:
-          path: ~/.cargo/git
-          key: docker-index-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            docker-index-
-            docker-
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cross
+        run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Generate Secret Key
-        run: |
-          head -c16 /dev/urandom > src/secret.key
+        run: head -c16 /dev/urandom > src/secret.key
 
-      - name: Cache cargo build
-        uses: actions/cache@v2.1.6
-        with:
-          path: target
-          key: docker-build-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            docker-build-
-            docker-
-
-      - name: Cargo check
-        uses: actions-rs/cargo@v1
-        with:
-          command: check
+      - name: Check
+        run: cargo check
 
-      - name: Cargo test
-        if: ${{ always() }}
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
+      - name: Format check
+        run: cargo fmt --all -- --check
 
-      - name: Rustfmt
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          override: true
-          components: rustfmt
-          command: fmt
-          args: --all -- --check
-
-      - name: Rustfmt
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          override: true
-          components: clippy
-          command: clippy
-          args: -- -D warnings
-
-      - name: Run cargo build
-        uses: actions-rs/cargo@v1
-        with:
-          command: build
-          args: --release
+      - name: Clippy
+        run: cargo clippy -- -D warnings
+
+      - name: Test
+        run: cargo test
+
+      - name: Build static release
+        env:
+          CARGO_TARGET_DIR: target-cross
+        run: cross build --release --target x86_64-unknown-linux-musl
 
-      - name: npm install, build, and test
+      - name: Build frontend
         working-directory: ./web
         run: |
-          npm install
+          if [ -f package-lock.json ]; then
+            npm ci
+          else
+            npm install
+          fi
           npm run build
-      #   npm test
 
-      - name: Archive production artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: dist-without-markdown
-          path: |
-            web/dist
-            !web/dist/**/*.md
-
-#      - name: Archive code coverage results
-#        uses: actions/upload-artifact@v2
-#        with:
-#          name: code-coverage-report
-#          path: output/test/code-coverage.html
-      - name: Display structure of downloaded files
-        run: ls -R web/dist
-
-      - name: Copy app files and zip
+      - name: Package app
         run: |
           mkdir -p app/stackdog/dist
-          cp target/release/stackdog app/stackdog
-          cp -a web/dist/. app/stackdog
+          cp target-cross/x86_64-unknown-linux-musl/release/stackdog app/stackdog/
+          cp -a web/dist/. app/stackdog/
           cp docker/prod/Dockerfile app/Dockerfile
-          cd app
-          touch .env
-          tar -czvf ../app.tar.gz .
-          cd ..
+          touch app/.env
+          tar -czf app.tar.gz -C app .
 
-      - name: Upload app archive for Docker job
-        uses: actions/upload-artifact@v2.2.2
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
         with:
-          name: artifact-linux-docker
+          name: app-archive
           path: app.tar.gz
+          retention-days: 1
 
-  cicd-docker:
-    name: CICD Docker
-    #runs-on: ubuntu-latest
-    runs-on: [self-hosted, linux]
-    needs: cicd-linux-docker
+  docker:
+    name: Docker Build & Push
+    runs-on: ubuntu-latest
+    needs: build
     steps:
-      - name: Download app archive
-        uses: actions/download-artifact@v2
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
         with:
-          name: artifact-linux-docker
+          name: app-archive
 
-      - name: Extract app archive
-        run: tar -zxvf app.tar.gz
+      - name: Extract archive
+        run: tar -xzf app.tar.gz
 
-      - name: Display structure of downloaded files
-        run: ls -R
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Docker build and publish
-        uses: docker/build-push-action@v1
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: trydirect/stackdog
-          add_git_labels: true
-          tag_with_ref: true
-          #no-cache: true
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: trydirect/stackdog:latest

.github/workflows/release.yml

@@ -18,9 +18,9 @@ jobs:
     strategy:
       matrix:
         include:
-          - target: x86_64-unknown-linux-gnu
+          - target: x86_64-unknown-linux-musl
             artifact: stackdog-linux-x86_64
-          - target: aarch64-unknown-linux-gnu
+          - target: aarch64-unknown-linux-musl
             artifact: stackdog-linux-aarch64
 
     steps:
@@ -36,12 +36,14 @@ jobs:
         run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Build release binary
+        env:
+          CARGO_TARGET_DIR: target-cross
         run: cross build --release --target ${{ matrix.target }}
 
       - name: Package
         run: |
           mkdir -p dist
-          cp target/${{ matrix.target }}/release/stackdog dist/stackdog
+          cp target-cross/${{ matrix.target }}/release/stackdog dist/stackdog
           cd dist
           tar czf ${{ matrix.artifact }}.tar.gz stackdog
           sha256sum ${{ matrix.artifact }}.tar.gz > ${{ matrix.artifact }}.tar.gz.sha256

.gitignore

@@ -33,4 +33,7 @@ Cargo.lock
 # End of https://www.gitignore.io/api/rust,code
 
 .idea
+*.db
 docs/tasks/
+web/node_modules/
+web/dist/

CHANGELOG.md

@@ -7,8 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.2] - 2026-04-07
+
+### Fixed
+
+- **CLI startup robustness** — `.env` loading is now non-fatal.
+  - `stackdog --help` and other commands no longer panic when `.env` is missing or contains malformed lines.
+  - Stackdog now logs a warning and continues with existing environment variables.
+
+- **Installer release resolution** — `install.sh` now handles missing `/releases/latest` responses gracefully.
+  - Falls back to the most recent release entry when no stable "latest" release is available.
+  - Improves error messaging and updates install examples to use the `main` branch script URL.
+
 ### Added
 
+- **Expanded detector framework** with additional log-driven detection coverage.
+  - Reverse shell, sensitive file access, cloud metadata / SSRF, exfiltration chain, and secret leakage detectors.
+  - file integrity monitoring with SQLite-backed baselines via `STACKDOG_FIM_PATHS`.
+  - configuration assessment via `STACKDOG_SCA_PATHS`.
+  - package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`.
+  - Docker posture audits for privileged mode, host namespaces, dangerous capabilities, Docker socket mounts, and writable sensitive mounts.
+
+- **Improved syslog ingestion**
+  - RFC3164 and RFC5424 parsing in file-based log ingestion for cleaner timestamps and normalized message bodies.
+
 #### Log Sniffing & Analysis (`stackdog sniff`)
 - **CLI Subcommands** — Multi-mode binary with `stackdog serve` and `stackdog sniff`
   - `--once` flag for single-pass mode
@@ -66,6 +88,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Refactored `main.rs` to dispatch `serve`/`sniff` subcommands via clap
 - Added `events`, `rules`, `alerting`, `models` modules to binary crate
 - Updated `.env.sample` with `STACKDOG_LOG_SOURCES`, `STACKDOG_AI_*` config vars
+- Version metadata updated to `0.2.2` across Cargo, the web package manifest, and current release documentation.
 
 ### Testing
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "stackdog"
-version = "0.2.0"
+version = "0.2.2"
 authors = ["Vasili Pascal <info@try.direct>"]
 edition = "2021"
 description = "Security platform for Docker containers and Linux servers"
@@ -48,13 +48,15 @@ r2d2 = "0.8"
 bollard = "0.16"
 
 # HTTP client (for LLM API)
-reqwest = { version = "0.12", features = ["json", "blocking"] }
+reqwest = { version = "0.12", default-features = false, features = ["json", "blocking", "rustls-tls"] }
+sha2 = "0.10"
 
 # Compression
 zstd = "0.13"
 
 # Stream utilities
 futures-util = "0.3"
+lettre = { version = "0.11", default-features = false, features = ["tokio1", "tokio1-rustls-tls", "builder", "smtp-transport"] }
 
 # eBPF (Linux only)
 [target.'cfg(target_os = "linux")'.dependencies]
@@ -78,6 +80,8 @@ ebpf = []
 # Testing
 tokio-test = "0.4"
 tempfile = "3"
+actix-test = "0.1"
+awc = "3"
 
 # Benchmarking
 criterion = { version = "0.5", features = ["html_reports"] }

DEVELOPMENT.md

@@ -1,7 +1,7 @@
 # Stackdog Security - Development Plan
 
-**Last Updated:** 2026-03-13  
-**Current Version:** 0.2.0  
+**Last Updated:** 2026-04-07  
+**Current Version:** 0.2.2  
 **Status:** Phase 2 In Progress
 
 ## Project Vision