docs: open-core hygiene pass (delete paid-tier docs, scrub mdbook, ADR-0006/0007)#177

Merged: unclesp1d3r merged 12 commits into main from minor-cleanup (Apr 18, 2026)
@unclesp1d3r
Member

Summary

Open-core hygiene pass on the public DaemonEye repo. Removes paid-tier
specifications, internal planning artifacts, and references to private
Confluence docs. All removed content verified preserved in Confluence
ES space before deletion.

This PR is docs-only — no Rust code changes.

What changed

AGENTS.md / developer guide:

  • Trim Mission paid-tier enumeration to a boundary statement
  • Simplify deployment Mermaid diagram (drop PX/SC/mTLS protocol detail)
  • Remove "Deployment Tiers" Business/Enterprise comparison table
  • Remove internal Confluence hyperlinks (ADR-0003, ShadowHunt Concept)
  • Strip mTLS / STIX / TAXII from glossary
  • Rename "Enterprise Features" security section to "Planned Hardening (Community)"
  • Fix broken .kiro/specs/ links (case mismatch + remove stale tier rows)
  • Add spec/ to Source-of-Truth Map and clarify sqlparser's two-phase role

Deleted from repo (content migrated to Confluence):

  • docs/src/pricing.md
  • docs/src/architecture/feature-tiers.md
  • docs/src/technical/business-tier.md, enterprise-tier.md
  • spec/product_strategy.md, spec/product.md
  • spec/procmond/ (entire directory: epic brief, tech plan, core flows, ticket index, 8 tickets)

Scrubbed mdbook user-facing docs:

  • user-guides/configuration.md — drop Business/Enterprise tier sections (~250 lines); remove Splunk/Elasticsearch/Kafka sink examples; strip eBPF/ETW/ESF platform config
  • technical/core-monitoring.md — remove Enterprise-tier kernel collector code blocks
  • technical/security_design_overview.md — drop tier-specific data protection + compliance sections; strip 16 "Already Planned: ... product.md" references
  • deployment.md — remove multi-node aggregation Mermaid diagram
  • deployment/{installation,docker,kubernetes}.md — remove Security Center references
  • architecture.md, project-overview.md, introduction.md, user-guides.md — strip remaining Security Center / federation / STIX mentions

New Confluence pages (ES space):

  • ADR-0006 — Detection Query Execution (redb + DataFusion)
  • ADR-0007 — Operator Surface & Action Parity Commitment
  • Product Overview (7471145) — migrated from spec/product.md
  • Procmond Implementation Epic (7602179) + 11 child pages — migrated from spec/procmond/
  • Pricing (1802381) — populated from repo copy before deletion
  • DaemonEye Spec – SQL-to-IPC Detection Architecture (7569448, v4) — mirrored + §9 supersede note

Spec annotation:

  • spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md §9 marked as superseded by ADR-0006 (custom operator pipeline replaced by DataFusion over redb)

Totals

~7,400 lines removed across 30 files. Four docs: commits.

Test plan

  • cargo test --workspace passes (no code changes, but verified)
  • mdbook structure validated (no broken TOC references after SUMMARY.md update)
  • Full-tree grep confirms no remaining Business Tier, Enterprise Tier, Security Center, Proxy Node references in enumeration form (only boundary footnotes remain, per policy)
  • No references to deleted files (pricing.md, feature-tiers.md, business-tier.md, enterprise-tier.md, product_strategy.md, spec/product.md, spec/procmond/) anywhere in repo
  • No evilbitlabs.atlassian.net URLs in tracked repo files
  • Reviewer confirms no further Business/Enterprise details leak through
  • Reviewer validates Confluence pages are complete (spot-check pricing, product overview, procmond epic tree)

Follow-up

After merge, consider:

  • ADR-0008 codifying open-core boundary policy formally (Confluence authoritative for architecture/design, repo contains Community tier only, PR template enforcement)
  • Revisit ADR-0001's Source-of-Truth map (still lists .kiro/steering/ as authoritative under an older policy)

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

…scovery

- Introduce a new skill for hunting exploitable security issues
- Focus on remotely reachable vulnerabilities for responsible disclosure
- Provide guidelines on in-scope patterns and reporting structure

feat(security): add security-scan skill for configuration audits

- Implement a skill to scan Claude Code configurations for vulnerabilities
- Integrate AgentShield for comprehensive security checks
- Outline usage, output formats, and severity levels

feat(skill-stocktake): implement skill auditing command

- Add a command to audit Claude skills for quality and usage
- Support Quick Scan and Full Stocktake modes
- Include detailed evaluation criteria and result handling scripts

feat(skill-stocktake): add scripts for skill evaluation and result management

- Create scripts for quick diff, saving results, and scanning skills
- Implement JSON handling for skill evaluation results
- Ensure robust error handling and validation in scripts

docs(agents): update SQL injection prevention details in requirements

- Clarify SQL injection prevention mechanisms in the documentation
- Add details about the SQL-to-IPC pipeline architecture

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

…S.md

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Phase 2 SQL execution is now handled by DataFusion over redb via
per-collector TableProviders, not a hand-rolled operator pipeline.
§11.5-§11.7 (join strategies, persistence, redb playbook) remain
authoritative. Links to ADR-0006 in Confluence.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Open-core hygiene pass on the primary developer guide:

- Trim Mission paid-tier enumeration to boundary statement ("higher
  tiers exist, sold separately, not in this repo")
- Remove "Security Center" from ShadowHunt heuristic-trigger step
- Remove ".kiro/steering/" + "ShadowHunt Concept" source-of-truth line;
  replace with community-scoped source map
- Simplify deployment Mermaid diagram: drop PX/SC/mTLS protocol detail,
  keep a single "optional upstream -> External tiers" pointer
- Delete the "Deployment Tiers" comparison table (Business/Enterprise
  feature breakdowns)
- Delete "spec pending" placeholder rows in Source-of-Truth Map that
  confirmed internal specs exist
- Rename "Enterprise Features" security section to "Planned Hardening
  (Community)"; strip mTLS bullet; add boundary footnote pointing at
  commercial tiers for fleet transport security
- Remove glossary entries for mTLS / STIX / TAXII (orphan after the
  diagram and tier table were scrubbed)
- Remove two internal Confluence hyperlinks (ADR-0003, ShadowHunt
  Concept) and the [ADR-0003] inline reference
- CI section: "Security: SLSA (Enterprise)" -> "SLSA provenance"

Also strip the internal Confluence URL from the ADR-0006 supersede
note in spec/; use the unlinked ADR identifier.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Open-core hygiene batch: content that describes paid commercial tiers
or internal implementation planning should not live in the public OSS
Community repo. All content verified preserved in Confluence ES space
before deletion.

Deleted (content in Confluence):
- docs/src/pricing.md -> Pricing (1802381, populated before delete)
- docs/src/architecture/feature-tiers.md -> Feature Tiers (1802352)
- docs/src/technical/business-tier.md
    -> Business Tier Features Technical Specification (1802362)
- docs/src/technical/enterprise-tier.md -> Enterprise Tier Features
    (1802363)
- spec/product_strategy.md -> DaemonEye Detailed Product Strategy
    (1802345)
- spec/product.md -> new page Product Overview (7471145)
- spec/procmond/ (all contents) -> new parent "Procmond Implementation
    Epic" (7602179) with 11 child pages: Epic Brief, Tech Plan, Core
    Flows, Ticket Index, and 8 individual tickets

Updated:
- docs/src/SUMMARY.md: remove TOC entries for the four deleted
  docs/src pages
- docs/src/introduction.md: dual-license tier enumeration -> boundary
  statement pointing at evilbitlabs.io
- docs/src/project-overview.md: same boundary rewrite
- docs/src/technical.md: strip Business/Enterprise tier subsections

Known residual pollution (deferred to follow-up):
- docs/src/user-guides/configuration.md: ~20 Business/Enterprise tier
  config examples (Splunk/Elastic/Kafka sinks, eBPF/ETW/ESF config)
- docs/src/deployment/{installation,docker,kubernetes}.md: Security
  Center deployment references
- docs/src/technical/core-monitoring.md: Enterprise-tier kernel
  integration subsections
- docs/src/technical/security_design_overview.md: Business/Enterprise
  tier data protection sections
- docs/src/architecture.md: Security Center / mTLS mentions
- docs/src/project-overview.md: scattered Security Center references

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Follow-up to 45f5600. Removes paid-tier configuration examples,
kernel-collection integration details, Security Center architecture
references, and STIX/TAXII details that remained in the user-facing
mdbook after the main hygiene batch.

user-guides/configuration.md:
- Drop Business Tier Configuration and Enterprise Tier Configuration
  sections entirely (~250 lines: Security Center, rule packs, enhanced
  connectors, kernel monitoring, federation, STIX/TAXII)
- Drop Business Tier Variables and Enterprise Tier Variables env
  blocks
- Remove Splunk HEC / Elasticsearch / Kafka sink examples; footnote
  boundary
- Strip eBPF/ETW/EndpointSecurity from Linux/Windows/macOS platform
  sections; footnote boundaries
- Update TOC

technical/core-monitoring.md:
- Remove three (Enterprise Tier) platform-specific enhancement code
  blocks; replace with a boundary footnote

technical/security_design_overview.md:
- Drop Business/Enterprise Tier Data Protection Features sections
- Drop Business/Enterprise Tier Compliance Features subsections
- Strip "Already Planned: ... specified in product.md for
  Business/Enterprise tiers" references throughout SP 800-53 control
  implementation notes (product.md was deleted in 45f5600)

architecture.md:
- Remove Security Center and mTLS entries from external communication

project-overview.md:
- Strip "STIX/TAXII feeds, federated Security Centers" alerting bullet
- Trim Scalability (Fleet Management, Regional Centers, Enterprise
  Federation) to single-host focus with boundary footnote

deployment.md:
- Remove multi-node Mermaid diagram aggregating to Security Center

deployment/{installation,docker,kubernetes}.md:
- Remove Security Center image/deployment references
- Remove Enhanced Features (Enterprise Tier) kernel requirements

user-guides.md:
- Remove STIX export sink example; footnote boundary

Public repo is now clean of paid-tier specifications, internal
Confluence URLs, and references to deleted product docs. Remaining
mentions are boundary footnotes of the form "commercial tiers ... out
of scope for this repo", per the open-core policy.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
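
The test plan's full-tree grep, written as a repeatable check that could run in CI. This is an added example, not code from the DaemonEye repo or this PR. The term list, deleted file names and Confluence host come from the PR description; the function names, the boundary-footnote regex and the sample documents are assumptions constructed for illustration.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Terms, file names and host are the ones listed in the PR's test plan.
TIER_TERMS = ("Business Tier", "Enterprise Tier", "Security Center", "Proxy Node")
DELETED_PATHS = (
    "pricing.md", "feature-tiers.md", "business-tier.md", "enterprise-tier.md",
    "product_strategy.md", "spec/product.md", "spec/procmond/",
)
INTERNAL_HOSTS = ("evilbitlabs.atlassian.net",)

# Assumption: a boundary footnote is a line that names the commercial tiers and
# says they are out of scope; the PR gives the form but fixes no exact wording.
BOUNDARY_RE = re.compile(
    r"commercial[\s-]+tiers?\b.*\b(?:out of scope|outside this repo|"
    r"not (?:in|part of) this repo)",
    re.IGNORECASE,
)
# Words may be separated by any whitespace; hyphenated file names such as
# business-tier.md are left to the deleted-path rule to avoid double reports.
TERM_RES = [
    (t, re.compile(r"\b" + r"\s+".join(map(re.escape, t.split())) + r"\b", re.I))
    for t in TIER_TERMS
]
# The lookbehind keeps "repricing.md" from matching "pricing.md".
PATH_RES = [(p, re.compile(r"(?<![\w-])" + re.escape(p))) for p in DELETED_PATHS]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str   # "internal-url", "deleted-file-ref" or "tier-term"
    match: str


def scan_text(path: str, text: str) -> list:
    """Return the findings for one document, line by line."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        # Internal URLs and dangling references are never acceptable,
        # whether or not the line is a boundary footnote.
        for host in INTERNAL_HOSTS:
            if host in lowered:
                findings.append(Finding(path, no, "internal-url", host))
        for name, rx in PATH_RES:
            if rx.search(line):
                findings.append(Finding(path, no, "deleted-file-ref", name))
        # Tier names are tolerated only inside a boundary footnote.
        if BOUNDARY_RE.search(line):
            continue
        for term, rx in TERM_RES:
            if rx.search(line):
                findings.append(Finding(path, no, "tier-term", term))
    return findings


def scan_tree(root: str, suffixes=(".md", ".yaml", ".yml", ".toml")) -> list:
    """Scan files under root. Assumption: walks the working tree and skips
    .git; a CI job would restrict this to `git ls-files` output instead."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if ".git" in p.parts or not p.is_file() or p.suffix not in suffixes:
            continue
        rel = p.relative_to(root).as_posix()
        findings.extend(scan_text(rel, p.read_text(encoding="utf-8", errors="replace")))
    return findings


# Constructed sample documents (not taken from the DaemonEye repo).
SAMPLE = {
    "docs/src/deployment.md": (
        "# Deployment\n"
        "Agents forward alerts to the Security Center over the fleet link.\n"
        "Fleet aggregation belongs to the commercial tiers and is out of scope for this repo.\n"
    ),
    "docs/src/SUMMARY.md": "- [Pricing](./pricing.md)\n- [Architecture](./architecture.md)\n",
    "AGENTS.md": (
        "See https://evilbitlabs.atlassian.net/wiki/x for the design.\n"
        "Enterprise  Tier kernel collectors ship with the commercial tiers, "
        "out of scope for this repo.\n"
    ),
}


def scan_sample() -> list:
    out = []
    for path, text in SAMPLE.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}: {f.match}")
    sys.exit(1 if results else 0)
```

Run with a directory argument to scan a checkout; a non-zero exit status means at least one finding, which makes it usable as a pre-commit or CI gate.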
Copilot AI review requested due to automatic review settings April 18, 2026 17:59
@dosubot dosubot Bot added the size:XXL This PR changes 1000+ lines, ignoring generated files. label Apr 18, 2026
@mergify
Contributor

mergify Bot commented Apr 18, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Require conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/. Skipped for dependabot and dosubot.

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?!?:

🟢 Full CI must pass

Wonderful, this rule succeeded.

All CI checks must pass. Activates for non-bot authors, or dependabot when files exist outside .github/workflows/.

  • check-success = DCO
  • check-success = coverage
  • check-success = quality
  • check-success = test
  • check-success = test-cross-platform (macos-15, macOS)
  • check-success = test-cross-platform (ubuntu-22.04, Linux)
  • check-success = test-cross-platform (windows-2022, Windows)

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 3 commits of the base branch before merging

  • #commits-behind <= 3

@dosubot dosubot Bot added the documentation Improvements or additions to documentation label Apr 18, 2026
@coderabbitai

coderabbitai Bot commented Apr 18, 2026

Summary by CodeRabbit

  • Documentation

    • Removed pricing, business/enterprise tier, and many related technical/spec pages; removed Security Center references and fleet/federation claims
    • Simplified licensing to Apache 2.0 and clarified commercial extensions are separate
    • Narrowed architecture/deployment/security guidance (SIEM/export wording adjusted; commercial-tier features marked out-of-scope)
    • Added AI disclosure and open-core hygiene guidance for PRs
  • Chores

    • Updated pre-commit configuration: refined hook type filters, bumped several tool versions, re-enabled some Rust hooks, and removed the commit-message lint hook

Walkthrough

This PR removes numerous commercial/business/enterprise documentation pages and references, narrows architecture/deployment language to community scope, updates the SQL-to-IPC spec with an ADR banner, and adjusts .pre-commit-config.yaml (hook versions, re-enabled Rust hooks, standardized types, removed commitizen).

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Pre-commit Tooling | `.pre-commit-config.yaml` | Refined hook argument formatting, added/standardized `types` filters for JSON/TOML/YAML/XML/text and Rust hooks, bumped actionlint v1.7.12, re-enabled cargo-machete v0.9.2 with `types: [ cargo, cargo-lock ]`, bumped cargo-sort v2.1.3, added `types: [ rust ]` for pre-commit-rust hooks, added `types: [ shell ]` and extended shellcheck exclusion, removed commitizen. |
| Tier & Pricing Docs Removed | `docs/src/pricing.md`, `docs/src/architecture/feature-tiers.md`, `docs/src/technical/business-tier.md`, `docs/src/technical/enterprise-tier.md` | Deleted full pages describing pricing, feature-tier matrices, and Business/Enterprise technical specifications. |
| TOC / Project Positioning | `AGENTS.md`, `docs/src/SUMMARY.md`, `docs/src/introduction.md`, `docs/src/project-overview.md` | Removed ADR-0003/Confluence pointers and pricing/tier TOC entries; replaced dual-license language with single Apache 2.0 statement and external commercial extension pointer; tightened scope/language around community vs commercial tiers. |
| Architecture & Deployment Simplification | `docs/src/architecture.md`, `docs/src/deployment.md`, `docs/src/deployment/docker.md`, `docs/src/deployment/kubernetes.md`, `docs/src/deployment/installation.md` | Removed Security Center component and multi-node topology diagram; removed mTLS mentions for SIEM; clarified outbound alerting sinks and that fleet aggregation/kernel-level collection are commercial-tier concerns. |
| Technical/Configuration Cleanup | `docs/src/technical.md`, `docs/src/technical/core-monitoring.md`, `docs/src/technical/security_design_overview.md`, `docs/src/user-guides.md`, `docs/src/user-guides/configuration.md` | Removed Business/Enterprise sections and kernel-level examples; deleted commercial sink connector examples (Splunk HEC, Elasticsearch, Kafka) and STIX/TAXII examples; adjusted CEF sample YAML scalars and noted advanced formats live in commercial tiers. |
| Procmond Spec & Tickets Removed | `spec/procmond/index.md`, `spec/procmond/specs/...`, `spec/procmond/tickets/...` (many files) | Deleted procmond epic index, core flows, tech plan, epic brief, and all procmond ticket/spec documents (actor model, startup/heartbeat, RPC/registration, WAL, security hardening, testing, performance, FreeBSD validation). |
| Product & Strategy Specs Removed | `spec/product.md`, `spec/product_strategy.md` | Deleted product overview and product strategy documents including collector schema/virtual-table architecture. |
| SQL-to-IPC Spec Update | `spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md` | Added ADR-0006 supersession banner: Phase 2 SQL execution now uses Apache DataFusion layered over redb via per-collector `TableProvider` implementations; clarifies which sections are authoritative vs. superseded. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

documentation

Poem

Docs trimmed to core, enterprise paths set aside,
Hooks tuned, versions bumped, rust checks re-applied.
Specs folded and flagged, the roadmap pared and neat—
Community code stays light, pre-commit keeps the beat. 🚀

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title follows Conventional Commits specification (docs scope, concise description) and accurately describes the main change: documentation cleanup and removal of paid-tier content. |
| Description check | ✅ Passed | The PR description is comprehensive and clearly related to the changeset, detailing all removed files, modified docs, and Confluence migrations with proper test validation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Warning

Review ran into problems

🔥 Problems

These MCP integrations need to be re-authenticated in the Integrations settings: Linear, Notion


Copilot AI left a comment

Pull request overview

Open-core hygiene pass to remove paid-tier/speculation-heavy documentation from the public DaemonEye repo, scrub mdbook content to Community-tier scope, and update a key spec to note the new (ADR-led) query execution direction.

Changes:

  • Deleted paid-tier docs/spec artifacts (pricing, tier comparisons, and procmond epic/tickets) and updated mdbook TOC/content to remove those references.
  • Added a “superseded” annotation to the SQL-to-IPC detection architecture spec to reflect the newer redb + DataFusion execution model direction.
  • Added/updated repo tooling and assistant assets (VS Code extension recommendations, pre-commit config adjustments, and .claude/ skills/rules/scripts).

Reviewed changes

Copilot reviewed 53 out of 53 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| `spec/product.md` | Removes product overview with tier details (deleted). |
| `spec/procmond/tickets/Validate_Performance_and_Optimize.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Validate_FreeBSD_Platform_Support.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Implement_Write-Ahead_Log_and_Event_Bus_Connector.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Implement_Security_Hardening_and_Data_Sanitization.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Implement_RPC_Service_and_Registration_Manager_(procmond).md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Implement_Comprehensive_Test_Suite.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Implement_Agent_Loading_State_and_Heartbeat_Detection.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/tickets/Implement_Actor_Pattern_and_Startup_Coordination.md` | Removes internal epic ticket doc (deleted). |
| `spec/procmond/specs/Epic_Brief__Complete_Procmond_Implementation.md` | Removes internal epic brief (deleted). |
| `spec/procmond/index.md` | Removes internal ticket index (deleted). |
| `spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md` | Adds “superseded by ADR-0006” note for §9 execution model. |
| `docs/src/user-guides/configuration.md` | Removes paid-tier config examples; adds boundary notes for commercial-only features. |
| `docs/src/user-guides.md` | Removes STIX export example; adds commercial-tier boundary note. |
| `docs/src/technical/security_design_overview.md` | Replaces tier-specific sections with short commercial boundary statements. |
| `docs/src/technical/enterprise-tier.md` | Removes enterprise-tier feature doc (deleted). |
| `docs/src/technical/core-monitoring.md` | Removes enterprise kernel collector examples; clarifies Community-tier sysinfo approach. |
| `docs/src/technical.md` | Removes links to paid-tier docs. |
| `docs/src/project-overview.md` | Removes tier marketing/comparison content; adds brief commercial boundary note. |
| `docs/src/pricing.md` | Removes pricing page (deleted). |
| `docs/src/introduction.md` | Removes dual-license tier breakdown; clarifies Apache 2.0 + separate commercial extensions. |
| `docs/src/deployment/kubernetes.md` | Removes Security Center mention. |
| `docs/src/deployment/installation.md` | Removes enterprise “enhanced features” requirements block. |
| `docs/src/deployment/docker.md` | Removes Security Center image references. |
| `docs/src/deployment.md` | Removes multi-node Security Center diagram; clarifies fleet aggregation out of scope. |
| `docs/src/architecture/feature-tiers.md` | Removes feature tier comparison doc (deleted). |
| `docs/src/architecture.md` | Scrubs external comms section to Community-tier scope. |
| `docs/src/SUMMARY.md` | Removes TOC entries pointing at deleted paid-tier docs. |
| `AGENTS.md` | Updates open-core boundary language, deployment diagram, and source-of-truth map. |
| `.vscode/extensions.json` | Adds recommended VS Code extensions for repo development. |
| `.pre-commit-config.yaml` | Updates hook config (types filters, versions, adds cargo-machete). |
| `.claude/skills/skill-stocktake/scripts/scan.sh` | Adds skill inventory scan script. |
| `.claude/skills/skill-stocktake/scripts/save-results.sh` | Adds results merge script with UTC timestamps. |
| `.claude/skills/skill-stocktake/scripts/quick-diff.sh` | Adds quick diff script for changed skills. |
| `.claude/skills/skill-stocktake/SKILL.md` | Adds “skill-stocktake” command documentation. |
| `.claude/skills/security-scan/SKILL.md` | Adds “security-scan” skill doc. |
| `.claude/skills/security-bounty-hunter/SKILL.md` | Adds “security-bounty-hunter” skill doc. |
| `.claude/skills/rust-testing/SKILL.md` | Adds comprehensive Rust testing skill doc. |
| `.claude/skills/docker-patterns/SKILL.md` | Adds Docker patterns skill doc. |
| `.claude/skills/deployment-patterns/SKILL.md` | Adds deployment patterns skill doc. |
| `.claude/skills/database-migrations/SKILL.md` | Adds DB migration patterns skill doc. |
| `.claude/skills/codebase-onboarding/SKILL.md` | Adds codebase onboarding skill doc. |
| `.claude/skills/code-tour/SKILL.md` | Adds CodeTour generation skill doc. |
| `.claude/rules/testing.md` | Adds Rust testing rule overlay. |
| `.claude/rules/security.md` | Adds Rust security rule overlay. |
| `.claude/rules/patterns.md` | Adds Rust patterns rule overlay. |
| `.claude/rules/hooks.md` | Adds Rust hooks guidance overlay. |
| `.claude/rules/coding-style.md` | Adds Rust coding-style overlay. |

Comment thread .pre-commit-config.yaml
- id: commitizen
stages: [commit-msg]
types: [ shell ]
exclude: ^.github/workflows/release.yml$|^.claude
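Review bot: the `exclude` value `^.github/workflows/release.yml$|^.claude` has unescaped dots and no boundary after `.claude`, so each `.` matches any character and the second alternative skips every path that merely begins with that prefix. Escape the dots and end the directory alternative with a slash, for example `^\.github/workflows/release\.yml$|^\.claude/`. Since this PR also adds shell scripts under `.claude/skills/skill-stocktake/scripts/`, confirm that leaving them outside shellcheck is intended.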
Comment thread .pre-commit-config.yaml
Comment on lines +56 to 61
- repo: https://github.com/bnjbvr/cargo-machete
rev: v0.9.2
hooks:
- id: cargo-machete
types: [ cargo, cargo-lock ]
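Review bot: `types: [ cargo, cargo-lock ]` on the `cargo-machete` hook is an AND filter in pre-commit, so the hook only fires for a file tagged with both `cargo` and `cargo-lock`. If the intent is to run when either Cargo.toml or Cargo.lock changes, use `types_or: [cargo, cargo-lock]`, then check with `pre-commit run cargo-machete --all-files` that the hook is not reported as skipped.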

Comment on lines +1267 to +1270
> **Superseded by ADR-0006 — Detection Query Execution (redb + DataFusion) (2026-04-17).**
>
> The "custom operator pipeline" direction in §9.2 is retained below for historical context and for its redb schema / indexing guidance (§11.6–11.7), which remains authoritative. However, Phase 2 SQL execution is no longer a hand-rolled operator pipeline — it is Apache DataFusion layered over redb via per-collector `TableProvider` implementations. See ADR-0006 for rationale, alternatives considered (sled, GlueSQL, Turso, rusqlite/duckdb, Polars), and the compile-time contract between the dialect lowering stage and DataFusion-compatible SQL.
>
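Review bot: the section references in this banner do not line up with the rest of the PR. The banner names §9.2 as superseded and §11.6–11.7 as authoritative, while the PR description says §9 is marked superseded and the commit message says §11.5-§11.7 remain authoritative. Pick one set and state it in the banner, listing retained and superseded sections explicitly so readers do not have to infer the status of §11.5.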
Comment thread AGENTS.md
| **Privacy defaults** | Command args masked by default; RBAC for trace initiation |

**Source of Truth**: Technical requirements in [.kiro/steering/](./kiro/steering/) and [.kiro/specs/](./kiro/specs/). Design origin: [ShadowHunt Concept] in Confluence (ES space).
**Source of Truth**: Technical requirements for the Community tier live in `spec/` and `.kiro/specs/daemoneye-core-monitoring/`. Higher-tier designs are maintained privately and are not part of this repo.
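Review bot: the replacement Source of Truth line gives `spec/` and `.kiro/specs/daemoneye-core-monitoring/` as code spans rather than links, so nothing checks that those paths exist. The line it replaces had the same weakness in another form (`./kiro/steering/` drops the leading dot of `.kiro`). Use relative links such as `[spec/](./spec/)` so a link checker catches drift, and note that until the follow-up on ADR-0001 is done, its map still lists `.kiro/steering/` as authoritative and disagrees with this line.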
Comment thread .pre-commit-config.yaml
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 11

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.pre-commit-config.yaml:
- Line 9: Inline YAML arrays in .pre-commit-config.yaml (e.g., the args entry
shown with args: [ "--maxkb=10240" ]) have extra spaces inside the brackets that
violate YAMLlint brackets rules; update these to use compact bracket spacing
(e.g., args: ["--maxkb=10240"]) for the shown line and apply the same
normalization to the other listed occurrences (lines
14,16,18-19,21,23-24,31,33,35,37,52,60,77,86,93) so all inline arrays follow the
brackets rule.
- Line 53: The exclusion regex for the shellcheck hook is too broad because the
dot characters are unescaped in the patterns `^.github/workflows/release.yml$`
and `^.claude`, causing unintended matches; update the exclude value to escape
the dots and keep the anchors (e.g., use
`^\.github/workflows/release\.yml$|^\.claude$`) so only the intended paths are
skipped by shellcheck.
- Around line 55-60: The comment above the cargo-machete hook is inaccurate: it
says "Temporarily disabled" while the hook block (repo:
https://github.com/bnjbvr/cargo-machete, rev: v0.9.2, id: cargo-machete, types:
[ cargo, cargo-lock ]) is actually enabled; update that comment in
.pre-commit-config.yaml to accurately reflect the current behavior (e.g.,
"enabled" or remove the misleading note) so maintainers understand the hook is
active.

In `@AGENTS.md`:
- Line 17: The AGENTS.md paragraph uses a bare domain ("evilbitlabs.io"); update
that reference to a fully qualified URL (https://evilbitlabs.io) so the link is
clickable and follows link-hygiene rules, and if this is an internal doc
cross-reference prefer a relative link instead; modify the sentence containing
"DaemonEye also ships..." to replace the bare domain with the fully qualified
URL (or a relative path if appropriate).

In `@docs/src/introduction.md`:
- Line 68: Replace the bare domain "evilbitlabs.io" in the sentence starting
"The DaemonEye components in this repository — procmond, daemoneye-agent,
daemoneye-cli, daemoneye-lib — are licensed under Apache 2.0..." with the full
URL "https://evilbitlabs.io" so the text contains the complete, clickable link
and complies with the markdown link-hygiene guideline for documentation
cross-references.

In `@docs/src/project-overview.md`:
- Around line 221-222: The document is internally inconsistent about open-core
scope: reconcile the "Fleet-level aggregation and federation are commercial-tier
concerns, handled outside this repo." line with other occurrences describing
Business/Enterprise capabilities by either (A) removing or moving all
Business/Enterprise-specific capability descriptions from this repo and
replacing them with a concise commercial-tier note pointing to the external
product/repo, or (B) marking those sections explicitly as in-repo examples (not
shipped) and documenting which features are community vs commercial. Find and
update the phrases "fleet-level aggregation and federation" and any
"Business/Enterprise" capability sections to use a single consistent model,
apply the docs/src/** style: clear, technical, operational language, and ensure
every commercial feature is tagged as "commercial / external" with a pointer,
while community features remain fully documented in this file.

In `@docs/src/technical/security_design_overview.md`:
- Around line 408-409: The document currently mixes out-of-scope commercial
features with retained "Enterprise Performance Targets" and enterprise
requirement footnotes (see the "Enterprise Performance Targets" heading and
associated footnotes), creating an inconsistent scope boundary; either remove
the "Enterprise Performance Targets" section and any enterprise-specific
footnotes from this repo doc, or relocate them behind a clear external-reference
boundary note (e.g., add an explicit "External/Commercial Reference" subsection
and move the enterprise requirements there with a pointer to the external
enterprise doc), and update any nearby lines that mention commercial features
(the sentence about centralized aggregation/mTLS/RBAC/kernel-level collection)
to reference that external boundary so the repo doc is internally consistent.
- Line 1153: The current sentence under "Vendor Implementation" that reads "PKI
and certificate management are out of scope for this repo" is too absolute;
change it to clarify scope by replacing that clause with wording like
"centralized PKI lifecycle management (e.g., enterprise-wide certificate
issuance/rotation/revocation) is out of scope for this repo" so core
TLS/certificate validation responsibilities remain implied; update the line
containing that exact phrase and ensure the sentence still notes "Additional
Required: Enhanced PKI certificate management and formal PKI documentation."

In `@docs/src/user-guides/configuration.md`:
- Around line 306-307: Update the documentation to avoid mixed messaging about
kernel-level collection by either removing or clearly marking the configuration
knobs DAEMONEYE_ENABLE_EBPF, DAEMONEYE_ENABLE_ETW,
DAEMONEYE_ENABLE_ENDPOINT_SECURITY and their YAML examples (enable_ebpf,
enable_etw, enable_endpoint_security) as commercial-only/out-of-scope; search
the file for those symbols and replace the exposed examples with a short note
stating "commercial-tier only" (or remove the examples entirely) so the page
consistently reflects that eBPF/ETW/Endpoint Security collection is not
available in the community tier.
- Around line 218-219: The guide currently states "Additional sink types (Splunk
HEC, Elasticsearch, Kafka, and others) are available in commercial tiers" but
still includes a Kafka sink config example; either remove that Kafka example or
clearly mark it as commercial-only and move it to a commercial-specific section.
Locate the Kafka sink config example block (the Kafka sink config example in the
same document) and either delete it from community-facing examples or prepend a
clear commercial-only banner and relocate it under a new "Commercial-only
examples" subsection so community examples remain accurate and runnable.

In `@spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md`:
- Around line 1267-1280: The supersession banner mistakenly references “§9.2”
and leaves ambiguous ownership by only listing a narrow set of superseded
sections; update the banner so it correctly references the in-doc section that
contains the "custom operator pipeline" text (replace “§9.2” with the correct
in-file section number where that pipeline is described), expand the list of
superseded content to include all remaining operator-pipeline language (e.g.,
move mentions in §11.1–§11.4 and any later operator-pipeline paragraphs into the
superseded list), and clearly state that ADR-0006 supersedes operator-pipeline
implementation decisions while §11.5, §11.6, and §11.7 remain authoritative for
joins, persistence semantics, and redb performance guidance; ensure the banner
labels itself as "superseded by ADR-0006" and unambiguously delineates retained
vs. superseded sections.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 305e7c9c-2a25-420c-9c7f-199497709dfa

📥 Commits

Reviewing files that changed from the base of the PR and between a8a2262 and 8756c20.

⛔ Files ignored due to path filters (19)
  • .claude/rules/coding-style.md is excluded by none and included by none
  • .claude/rules/hooks.md is excluded by none and included by none
  • .claude/rules/patterns.md is excluded by none and included by none
  • .claude/rules/security.md is excluded by none and included by none
  • .claude/rules/testing.md is excluded by none and included by none
  • .claude/skills/code-tour/SKILL.md is excluded by none and included by none
  • .claude/skills/codebase-onboarding/SKILL.md is excluded by none and included by none
  • .claude/skills/database-migrations/SKILL.md is excluded by none and included by none
  • .claude/skills/deployment-patterns/SKILL.md is excluded by none and included by none
  • .claude/skills/docker-patterns/SKILL.md is excluded by none and included by none
  • .claude/skills/rust-patterns/SKILL.md is excluded by none and included by none
  • .claude/skills/rust-testing/SKILL.md is excluded by none and included by none
  • .claude/skills/security-bounty-hunter/SKILL.md is excluded by none and included by none
  • .claude/skills/security-scan/SKILL.md is excluded by none and included by none
  • .claude/skills/skill-stocktake/SKILL.md is excluded by none and included by none
  • .claude/skills/skill-stocktake/scripts/quick-diff.sh is excluded by none and included by none
  • .claude/skills/skill-stocktake/scripts/save-results.sh is excluded by none and included by none
  • .claude/skills/skill-stocktake/scripts/scan.sh is excluded by none and included by none
  • .vscode/extensions.json is excluded by none and included by none
📒 Files selected for processing (34)
  • .pre-commit-config.yaml
  • AGENTS.md
  • docs/src/SUMMARY.md
  • docs/src/architecture.md
  • docs/src/architecture/feature-tiers.md
  • docs/src/deployment.md
  • docs/src/deployment/docker.md
  • docs/src/deployment/installation.md
  • docs/src/deployment/kubernetes.md
  • docs/src/introduction.md
  • docs/src/pricing.md
  • docs/src/project-overview.md
  • docs/src/technical.md
  • docs/src/technical/business-tier.md
  • docs/src/technical/core-monitoring.md
  • docs/src/technical/enterprise-tier.md
  • docs/src/technical/security_design_overview.md
  • docs/src/user-guides.md
  • docs/src/user-guides/configuration.md
  • spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md
  • spec/procmond/index.md
  • spec/procmond/specs/Core_Flows__Procmond_Process_Monitoring.md
  • spec/procmond/specs/Epic_Brief__Complete_Procmond_Implementation.md
  • spec/procmond/specs/Tech_Plan__Complete_Procmond_Implementation.md
  • spec/procmond/tickets/Implement_Actor_Pattern_and_Startup_Coordination.md
  • spec/procmond/tickets/Implement_Agent_Loading_State_and_Heartbeat_Detection.md
  • spec/procmond/tickets/Implement_Comprehensive_Test_Suite.md
  • spec/procmond/tickets/Implement_RPC_Service_and_Registration_Manager_(procmond).md
  • spec/procmond/tickets/Implement_Security_Hardening_and_Data_Sanitization.md
  • spec/procmond/tickets/Implement_Write-Ahead_Log_and_Event_Bus_Connector.md
  • spec/procmond/tickets/Validate_FreeBSD_Platform_Support.md
  • spec/procmond/tickets/Validate_Performance_and_Optimize.md
  • spec/product.md
  • spec/product_strategy.md
💤 Files with no reviewable changes (23)
  • docs/src/deployment/docker.md
  • docs/src/deployment/installation.md
  • docs/src/pricing.md
  • docs/src/technical.md
  • docs/src/architecture/feature-tiers.md
  • spec/procmond/index.md
  • docs/src/deployment/kubernetes.md
  • docs/src/SUMMARY.md
  • spec/product.md
  • spec/procmond/tickets/Validate_FreeBSD_Platform_Support.md
  • spec/procmond/specs/Tech_Plan__Complete_Procmond_Implementation.md
  • spec/procmond/tickets/Implement_Agent_Loading_State_and_Heartbeat_Detection.md
  • spec/procmond/tickets/Implement_Comprehensive_Test_Suite.md
  • spec/procmond/tickets/Implement_Write-Ahead_Log_and_Event_Bus_Connector.md
  • spec/procmond/tickets/Implement_Security_Hardening_and_Data_Sanitization.md
  • spec/product_strategy.md
  • docs/src/technical/enterprise-tier.md
  • spec/procmond/tickets/Validate_Performance_and_Optimize.md
  • spec/procmond/tickets/Implement_Actor_Pattern_and_Startup_Coordination.md
  • spec/procmond/specs/Epic_Brief__Complete_Procmond_Implementation.md
  • docs/src/technical/business-tier.md
  • spec/procmond/specs/Core_Flows__Procmond_Process_Monitoring.md
  • spec/procmond/tickets/Implement_RPC_Service_and_Registration_Manager_(procmond).md

Comment thread .pre-commit-config.yaml
hooks:
- id: check-added-large-files
args: ["--maxkb=10240"]
args: [ "--maxkb=10240" ]

⚠️ Potential issue | 🟠 Major

Resolve YAMLlint bracket-spacing errors in inline arrays.

These lines currently violate YAMLlint brackets rules (“too many spaces inside brackets”), which will keep lint noisy/failing until normalized.

Suggested fix
-            args: [ "--maxkb=10240" ]
+            args: ["--maxkb=10240"]
-            types: [ json ]
+            types: [json]
-            types: [ toml ]
+            types: [toml]
-            args: [ --allow-multiple-documents ]
+            args: [--allow-multiple-documents]
-            types: [ yaml ]
+            types: [yaml]
-            types: [ xml ]
+            types: [xml]
-            types: [ text ]
+            types: [text]
-            args: [ --fix=auto ]
+            args: [--fix=auto]
-            types: [ rust ]
+            types: [rust]
-            types: [ shell ]
+            types: [shell]
-            types: [ cargo, cargo-lock ]
+            types: [cargo, cargo-lock]
-            types: [ markdown ]
+            types: [markdown]
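Review bot: the `-` lines here are the spacing this PR itself introduced (the rendered diff above the comment shows `["--maxkb=10240"]` becoming `[ "--maxkb=10240" ]`), so reverting them by hand only holds if nothing in the hook chain rewrites them again. Identify what produced the spaced form first; if that form is the one to keep, relax yamllint's `brackets` rule (`max-spaces-inside: 1`) instead of editing each listed location.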

Also applies to: 14-14, 16-16, 18-19, 21-21, 23-24, 31-31, 33-33, 35-35, 37-37, 52-52, 60-60, 77-77, 86-86, 93-93

🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 9-9: too many spaces inside brackets

(brackets)


[error] 9-9: too many spaces inside brackets

(brackets)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml at line 9, Inline YAML arrays in
.pre-commit-config.yaml (e.g., the args entry shown with args: [ "--maxkb=10240"
]) have extra spaces inside the brackets that violate YAMLlint brackets rules;
update these to use compact bracket spacing (e.g., args: ["--maxkb=10240"]) for
the shown line and apply the same normalization to the other listed occurrences
(lines 14,16,18-19,21,23-24,31,33,35,37,52,60,77,86,93) so all inline arrays
follow the brackets rule.

Comment thread .pre-commit-config.yaml
- id: commitizen
stages: [commit-msg]
types: [ shell ]
exclude: ^.github/workflows/release.yml$|^.claude

⚠️ Potential issue | 🟠 Major

Fix overbroad shellcheck exclusion regex.

Line 53 uses unescaped . in both patterns, so it can match unintended paths and silently skip shell checks.

Suggested fix
-            exclude: ^.github/workflows/release.yml$|^.claude
+            exclude: ^\.github/workflows/release\.yml$|^\.claude/
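Review bot: the trailing `/` on `^\.claude/` in the `+` line narrows the exclusion to paths under that directory, while the original `^.claude` also skipped any sibling path that merely starts with those characters; confirm that narrowing is intended. The agent prompt further down this same comment gives `^\.claude$` instead, which matches only a path named exactly `.claude` and would stop excluding everything beneath it, so the two forms should be reconciled before either is applied.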
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
exclude: ^.github/workflows/release.yml$|^.claude
exclude: ^\.github/workflows/release\.yml$|^\.claude/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml at line 53, The exclusion regex for the shellcheck
hook is too broad because the dot characters are unescaped in the patterns
`^.github/workflows/release.yml$` and `^.claude`, causing unintended matches;
update the exclude value to escape the dots and keep the anchors (e.g., use
`^\.github/workflows/release\.yml$|^\.claude$`) so only the intended paths are
skipped by shellcheck.
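The three exclude patterns quoted in the comment above, compared on sample paths. This is an added example, not part of the PR or of CodeRabbit's output; it assumes pre-commit applies `exclude` with Python's `re.search` to repo-relative paths, and the paths in `MUST_STAY_CHECKED` are constructed.

```python
import re

# Exclude patterns quoted in the review comment above.
PATTERNS = {
    "original": r"^.github/workflows/release.yml$|^.claude",
    "suggested": r"^\.github/workflows/release\.yml$|^\.claude/",
    "prompt_variant": r"^\.github/workflows/release\.yml$|^\.claude$",
}

# Paths the exclusion is meant to skip. The .claude script path is listed
# on this page; the workflow path is taken from the pattern itself.
INTENDED_SKIPS = {
    ".github/workflows/release.yml",
    ".claude/skills/skill-stocktake/scripts/scan.sh",
}

# Constructed paths (assumptions for illustration) that the hook should
# still check.
MUST_STAY_CHECKED = [
    "_github/workflows/release-yml",
    "aclaude/run.sh",
    ".claude-tools/run.sh",
    "scripts/build.sh",
]


def is_excluded(pattern, path):
    """True if the pattern would make the hook skip this path."""
    return re.search(pattern, path) is not None


def audit(pattern, intended_skips, must_stay_checked):
    """Report both failure modes of an exclude pattern.

    silently_skipped:   paths that should be checked but match the pattern.
    no_longer_excluded: paths meant to be skipped that the pattern misses.
    """
    over = sorted(p for p in must_stay_checked if is_excluded(pattern, p))
    under = sorted(p for p in intended_skips if not is_excluded(pattern, p))
    return {"silently_skipped": over, "no_longer_excluded": under}


def audit_all():
    """Audit every quoted pattern against the same sample paths."""
    return {
        name: audit(rx, INTENDED_SKIPS, MUST_STAY_CHECKED)
        for name, rx in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name)
        for kind, paths in result.items():
            print(f"  {kind}: {paths or 'none'}")
```

Running the same audit over `git ls-files` output before changing an `exclude` shows which files gain or lose coverage.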

Comment thread .pre-commit-config.yaml
Comment on lines 55 to +60
# Temporarily disabled due to issues with cargo-machete while we are stubbing out the project
# - repo: https://github.com/bnjbvr/cargo-machete
# rev: v0.9.1
# hooks:
# - id: cargo-machete
- repo: https://github.com/bnjbvr/cargo-machete
rev: v0.9.2
hooks:
- id: cargo-machete
types: [ cargo, cargo-lock ]

⚠️ Potential issue | 🟡 Minor

Update stale cargo-machete comment to match actual behavior.

Line 55 says the hook is “temporarily disabled,” but Lines 56-60 clearly enable it. This is misleading for maintainers and CI operators.

Suggested fix
-    # Temporarily disabled due to issues with cargo-machete while we are stubbing out the project
+    # Re-enabled cargo-machete for dependency hygiene during project stubbing
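Review bot: the replacement comment on the `+` line keeps "during project stubbing" from the old rationale, which still reads as if the hook were provisional; since the block beneath it is live, either delete the comment or say what changed (the rendered diff above bumps `rev` from v0.9.1 to v0.9.2). Because pre-commit executes code from the hook repository, also consider pinning that `rev` to a full commit SHA rather than a tag, for example via `pre-commit autoupdate --freeze`.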
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Temporarily disabled due to issues with cargo-machete while we are stubbing out the project
# - repo: https://github.com/bnjbvr/cargo-machete
# rev: v0.9.1
# hooks:
# - id: cargo-machete
- repo: https://github.com/bnjbvr/cargo-machete
rev: v0.9.2
hooks:
- id: cargo-machete
types: [ cargo, cargo-lock ]
# Re-enabled cargo-machete for dependency hygiene during project stubbing
- repo: https://github.com/bnjbvr/cargo-machete
rev: v0.9.2
hooks:
- id: cargo-machete
types: [ cargo, cargo-lock ]
🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 60-60: too many spaces inside brackets

(brackets)


[error] 60-60: too many spaces inside brackets

(brackets)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml around lines 55 - 60, The comment above the
cargo-machete hook is inaccurate: it says "Temporarily disabled" while the hook
block (repo: https://github.com/bnjbvr/cargo-machete, rev: v0.9.2, id:
cargo-machete, types: [ cargo, cargo-lock ]) is actually enabled; update that
comment in .pre-commit-config.yaml to accurately reflect the current behavior
(e.g., "enabled" or remove the misleading note) so maintainers understand the
hook is active.

Comment thread AGENTS.md
- **collector-core** — SDK for building new collectors in any language

The Business and Enterprise tiers (separate codebases) add Security Center (SC), Proxy nodes (PX), GUI, federation, kernel telemetry, and compliance modules. The agent-side components in this repo are designed to participate in the full architecture — protobuf IPC contracts, capability negotiation, and store-and-forward patterns are built in from the start so the Community tier is not a stripped-down afterthought but the real foundation.
DaemonEye also ships in higher commercial tiers (sold separately, not in this repo). The Community tier is designed to participate in that larger architecture — protobuf IPC contracts, capability negotiation, and store-and-forward patterns are built in from the start so this repo is the real foundation, not a stripped-down afterthought. See evilbitlabs.io for commercial details.

⚠️ Potential issue | 🟡 Minor

Use a fully qualified URL for commercial-details reference.

Line 17 uses a bare domain; make it clickable (https://...) to keep doc link hygiene consistent.

As per coding guidelines **/*.md: Use relative links for documentation cross-references and maintain link hygiene.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` at line 17, The AGENTS.md paragraph uses a bare domain
("evilbitlabs.io"); update that reference to a fully qualified URL
(https://evilbitlabs.io) so the link is clickable and follows link-hygiene
rules, and if this is an internal doc cross-reference prefer a relative link
instead; modify the sentence containing "DaemonEye also ships..." to replace the
bare domain with the fully qualified URL (or a relative path if appropriate).

Comment thread docs/src/introduction.md
- **Core Components**: Apache 2.0 licensed (procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib)
- **Business Tier Features**: Per-site license, TBD (Security Center, GUI, enhanced connectors, curated rules)
- **Enterprise Tier Features**: Custom pricing (kernel monitoring, federation, STIX/TAXII integration)
The DaemonEye components in this repository — procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib — are licensed under Apache 2.0. Commercial extensions ship separately; see evilbitlabs.io for details.

⚠️ Potential issue | 🟡 Minor

License note should use a full URL for link hygiene.

Replace evilbitlabs.io with https://evilbitlabs.io so operators can follow it directly.

As per coding guidelines **/*.md: Use relative links for documentation cross-references and maintain link hygiene.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/src/introduction.md` at line 68, Replace the bare domain
"evilbitlabs.io" in the sentence starting "The DaemonEye components in this
repository — procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib — are
licensed under Apache 2.0..." with the full URL "https://evilbitlabs.io" so the
text contains the complete, clickable link and complies with the markdown
link-hygiene guideline for documentation cross-references.

Comment on lines +408 to 409
Commercial tiers extend data protection with centralized aggregation (mTLS, RBAC, federated architecture), advanced threat-intelligence integration, and kernel-level collection. Those components are out of scope for this repo.

⚠️ Potential issue | 🟠 Major

Out-of-scope boundary is undermined by remaining enterprise commitments

Line 408 and Line 436 move commercial features out of scope, but this document still retains “Enterprise Performance Targets” and enterprise requirement footnotes. The resulting scope boundary is internally inconsistent.

Please either remove enterprise requirement sections from this repo doc or move them behind an explicit external-reference boundary note.

As per coding guidelines "docs/src/**: ... accuracy, completeness, and operational relevance."

Also applies to: 436-437

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/src/technical/security_design_overview.md` around lines 408 - 409, The
document currently mixes out-of-scope commercial features with retained
"Enterprise Performance Targets" and enterprise requirement footnotes (see the
"Enterprise Performance Targets" heading and associated footnotes), creating an
inconsistent scope boundary; either remove the "Enterprise Performance Targets"
section and any enterprise-specific footnotes from this repo doc, or relocate
them behind a clear external-reference boundary note (e.g., add an explicit
"External/Commercial Reference" subsection and move the enterprise requirements
there with a pointer to the external enterprise doc), and update any nearby
lines that mention commercial features (the sentence about centralized
aggregation/mTLS/RBAC/kernel-level collection) to reference that external
boundary so the repo doc is internally consistent.

**SC-17 (Public Key Infrastructure Certificates)**:

- **Vendor Implementation**: Implement PKI certificate management for DaemonEye components. **Already Planned**: mTLS authentication and certificate management are specified in product.md for Business/Enterprise tiers. **Additional Required**: Enhanced PKI certificate management and formal PKI documentation.
- **Vendor Implementation**: Implement PKI certificate management for DaemonEye components. PKI and certificate management are out of scope for this repo. **Additional Required**: Enhanced PKI certificate management and formal PKI documentation.

⚠️ Potential issue | 🟡 Minor

PKI scope wording is overly absolute

Line 1153 says PKI/certificate management is out of scope, which can be misread against core TLS/certificate-validation expectations. Please narrow wording to “centralized PKI lifecycle management” (or similar) to avoid implying cert handling is unnecessary in core paths.

As per coding guidelines "docs/**/*.md: Ensure clarity, accuracy, and completeness."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/src/technical/security_design_overview.md` at line 1153, The current
sentence under "Vendor Implementation" that reads "PKI and certificate
management are out of scope for this repo" is too absolute; change it to clarify
scope by replacing that clause with wording like "centralized PKI lifecycle
management (e.g., enterprise-wide certificate issuance/rotation/revocation) is
out of scope for this repo" so core TLS/certificate validation responsibilities
remain implied; update the line containing that exact phrase and ensure the
sentence still notes "Additional Required: Enhanced PKI certificate management
and formal PKI documentation."

Comment on lines +218 to +219
Additional sink types (Splunk HEC, Elasticsearch, Kafka, and others) are available in commercial tiers.

⚠️ Potential issue | 🟠 Major

Commercial-only sink note conflicts with a still-present Kafka example

Line 218 says Kafka is commercial-tier, but the same guide still shows a Kafka sink config example (Line 452-457). This is contradictory and will mislead operators on community capabilities.

Please remove/replace the Kafka example (or scope-label it explicitly as commercial and move it out of community-facing examples).

As per coding guidelines "docs/**/*.md: Ensure clarity, accuracy, and completeness. Verify examples are correct and runnable".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/src/user-guides/configuration.md` around lines 218 - 219, The guide
currently states "Additional sink types (Splunk HEC, Elasticsearch, Kafka, and
others) are available in commercial tiers" but still includes a Kafka sink
config example; either remove that Kafka example or clearly mark it as
commercial-only and move it to a commercial-specific section. Locate the Kafka
sink config example block (the Kafka sink config example in the same document)
and either delete it from community-facing examples or prepend a clear
commercial-only banner and relocate it under a new "Commercial-only examples"
subsection so community examples remain accurate and runnable.

Comment on lines +306 to +307
Kernel-level collection (eBPF) is available in commercial tiers.

⚠️ Potential issue | 🟠 Major

Kernel-collection scope statement is inconsistent with remaining config knobs

These lines correctly mark kernel collection as commercial-tier, but this page still exposes DAEMONEYE_ENABLE_EBPF/ETW/ENDPOINT_SECURITY and enable_ebpf/enable_etw/enable_endpoint_security examples. That mixed messaging weakens operator reliability.

Please align this page to one clear community story (remove or clearly mark those knobs as commercial-only/out-of-scope).

As per coding guidelines "docs/**/*.md: Check documentation matches current CLI behavior" and "docs/src/**: ... operational relevance".

Also applies to: 331-332, 356-357

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/src/user-guides/configuration.md` around lines 306 - 307, Update the
documentation to avoid mixed messaging about kernel-level collection by either
removing or clearly marking the configuration knobs DAEMONEYE_ENABLE_EBPF,
DAEMONEYE_ENABLE_ETW, DAEMONEYE_ENABLE_ENDPOINT_SECURITY and their YAML examples
(enable_ebpf, enable_etw, enable_endpoint_security) as
commercial-only/out-of-scope; search the file for those symbols and replace the
exposed examples with a short note stating "commercial-tier only" (or remove the
examples entirely) so the page consistently reflects that eBPF/ETW/Endpoint
Security collection is not available in the community tier.

Comment on lines +1267 to +1280
> **Superseded by ADR-0006 — Detection Query Execution (redb + DataFusion) (2026-04-17).**
>
> The "custom operator pipeline" direction in §9.2 is retained below for historical context and for its redb schema / indexing guidance (§11.6–11.7), which remains authoritative. However, Phase 2 SQL execution is no longer a hand-rolled operator pipeline — it is Apache DataFusion layered over redb via per-collector `TableProvider` implementations. See ADR-0006 for rationale, alternatives considered (sled, GlueSQL, Turso, rusqlite/duckdb, Polars), and the compile-time contract between the dialect lowering stage and DataFusion-compatible SQL.
>
> Sections that remain authoritative after ADR-0006:
>
> - §11.5 Smart Joins (INLJ / SHJ / MRC strategies)
> - §11.6 Write-Through & Persistence Semantics
> - §11.7 redb Performance Playbook (partitioning, key encoding, indexes, writer architecture)
>
> Sections that are superseded:
>
> - §11.1–§11.4 (Why Not a Full RDBMS, Chosen Approach: Operator Pipeline, Store Abstraction, Operator Examples) — replaced by ADR-0006's "redb per-domain tables + DataFusion TableProvider" model.

⚠️ Potential issue | 🟠 Major

Supersession banner is internally inconsistent and can mislead implementation.

Line 1269 references “§9.2”, but this section is numbered under 11.x; and the current superseded list is too narrow given remaining operator-pipeline language later in the doc. Tighten this banner so ownership boundaries are unambiguous.

Proposed doc fix
-> The "custom operator pipeline" direction in §9.2 is retained below for historical context ...
+> The "custom operator pipeline" direction in §11.2 is retained below for historical context ...
 ...
-> Sections that are superseded:
+> Sections that are superseded (or historical-only where still present):

As per coding guidelines spec/**: Project specifications and architecture documents. Enforce technical accuracy, architectural consistency, and clear requirements.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
> **Superseded by ADR-0006 — Detection Query Execution (redb + DataFusion) (2026-04-17).**
>
> The "custom operator pipeline" direction in §9.2 is retained below for historical context and for its redb schema / indexing guidance (§11.6–11.7), which remains authoritative. However, Phase 2 SQL execution is no longer a hand-rolled operator pipeline — it is Apache DataFusion layered over redb via per-collector `TableProvider` implementations. See ADR-0006 for rationale, alternatives considered (sled, GlueSQL, Turso, rusqlite/duckdb, Polars), and the compile-time contract between the dialect lowering stage and DataFusion-compatible SQL.
>
> Sections that remain authoritative after ADR-0006:
>
> - §11.5 Smart Joins (INLJ / SHJ / MRC strategies)
> - §11.6 Write-Through & Persistence Semantics
> - §11.7 redb Performance Playbook (partitioning, key encoding, indexes, writer architecture)
>
> Sections that are superseded:
>
> - §11.1–§11.4 (Why Not a Full RDBMS, Chosen Approach: Operator Pipeline, Store Abstraction, Operator Examples) — replaced by ADR-0006's "redb per-domain tables + DataFusion TableProvider" model.
> **Superseded by ADR-0006 — Detection Query Execution (redb + DataFusion) (2026-04-17).**
>
> The "custom operator pipeline" direction in §11.2 is retained below for historical context and for its redb schema / indexing guidance (§11.6–11.7), which remains authoritative. However, Phase 2 SQL execution is no longer a hand-rolled operator pipeline — it is Apache DataFusion layered over redb via per-collector `TableProvider` implementations. See ADR-0006 for rationale, alternatives considered (sled, GlueSQL, Turso, rusqlite/duckdb, Polars), and the compile-time contract between the dialect lowering stage and DataFusion-compatible SQL.
>
> Sections that remain authoritative after ADR-0006:
>
> - §11.5 Smart Joins (INLJ / SHJ / MRC strategies)
> - §11.6 Write-Through & Persistence Semantics
> - §11.7 redb Performance Playbook (partitioning, key encoding, indexes, writer architecture)
>
> Sections that are superseded (or historical-only where still present):
>
> - §11.1–§11.4 (Why Not a Full RDBMS, Chosen Approach: Operator Pipeline, Store Abstraction, Operator Examples) — replaced by ADR-0006's "redb per-domain tables + DataFusion TableProvider" model.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md` around lines 1267
- 1280, The supersession banner mistakenly references “§9.2” and leaves
ambiguous ownership by only listing a narrow set of superseded sections; update
the banner so it correctly references the in-doc section that contains the
"custom operator pipeline" text (replace “§9.2” with the correct in-file section
number where that pipeline is described), expand the list of superseded content
to include all remaining operator-pipeline language (e.g., move mentions in
§11.1–§11.4 and any later operator-pipeline paragraphs into the superseded
list), and clearly state that ADR-0006 supersedes operator-pipeline
implementation decisions while §11.5, §11.6, and §11.7 remain authoritative for
joins, persistence semantics, and redb performance guidance; ensure the banner
labels itself as "superseded by ADR-0006" and unambiguously delineates retained
vs. superseded sections.

@dosubot
Contributor

dosubot Bot commented Apr 18, 2026

Related Documentation

4 document(s) may need updating based on files changed in this PR:

DaemonEye

Architecture Overview
View Suggested Changes
@@ -258,9 +258,8 @@
 - **Direction**: daemoneye-cli queries daemoneye-agent
 - **Security**: Local communication only, input validation
 ### External Communication
-- **Alert Delivery**: Outbound-only network connections
-- **SIEM Integration**: HTTPS, mTLS, webhook protocols
-- **Security Center**: mTLS with certificate authentication
+- **Alert Delivery**: Outbound-only network connections to configured sinks
+- **SIEM Integration**: HTTPS + webhook protocols for alert forwarding
 ## Error Handling Strategy
 ### Graceful Degradation
 - Continue operation when individual components fail
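Review bot: the rewritten SIEM Integration bullet drops mTLS without saying what still authenticates the sink. State what the Community agent does on outbound HTTPS (for example, whether the server certificate is validated), so that removing the commercial detail does not leave the transport guarantee undocumented; the IPC bullet in the context lines above gets a Security line, and External Communication should have the equivalent.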

DaemonEye Documentation
View Suggested Changes
@@ -6,7 +6,7 @@
 ## Key Features
 - **Real-time Process Monitoring**: Continuous monitoring of system processes with minimal performance impact
 - **Threat Detection**: SQL-based detection rules with hot-reloading capabilities
-- **Multi-tier Architecture**: Core, Business, and Enterprise tiers with different feature sets
+
 - **Cross-platform Support**: Linux, macOS, Windows, and FreeBSD support
 - **Container Ready**: Docker and Kubernetes deployment options
 - **Security Focused**: Built with security best practices and minimal attack surface
@@ -47,10 +47,9 @@
 4. Join our community discussions on GitHub
 5. Contact support for commercial assistance
 ## License
-DaemonEye follows a dual-license strategy:
-- **Core Components**: Apache 2.0 licensed (procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib)
-- **Business Tier Features**: \$199/site one-time license (Security Center, GUI, enhanced connectors, curated rules)
-- **Enterprise Tier Features**: Custom pricing (kernel monitoring, federation, STIX/TAXII integration)
+DaemonEye is open-core software. The core components in this repository — procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib — are licensed under AGPL-3.0.
+
+Enterprise support and additional features are available by contacting EvilBit Labs at support@evilbitlabs.com or visiting evilbitlabs.io.
 
 ---
 *This documentation is continuously updated. For the latest information, always refer to the most recent version.*
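Review bot: the `+` line in the License section states AGPL-3.0, but the line it replaces and the PR's own docs/src/introduction.md text both say Apache 2.0 for the same four components; confirm the license against the repository's LICENSE file before accepting this change. The new contact line also uses a bare `evilbitlabs.io`, which the link-hygiene comments earlier in this PR ask to write as `https://evilbitlabs.io`.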
@@ -64,5 +63,5 @@
 Testing
 Contributing to DaemonEye
 Release Process
-Pricing
+
 Migration Strategy: Crossbeam to DaemonEye EventBus

Enterprise Tier Features
View Suggested Changes
@@ -1,4 +1,12 @@
 # Enterprise Tier Features
+
+> **ARCHIVED - April 2026**
+> 
+> As of April 2026, Enterprise tier documentation has been moved to private internal documentation and is no longer maintained in the public DaemonEye repository. This page is preserved for historical reference only.
+> 
+> For current information about Enterprise features, please contact EvilBit Labs directly at [contact@evilbitlabs.com](mailto:contact@evilbitlabs.com).
+
+---
 
 This document describes the Enterprise tier features of DaemonEye, including kernel monitoring, network event monitoring, and federated security center architecture.
 ## Overview
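Review bot: the banner added at the top says the Enterprise documentation has moved to private docs and is "preserved for historical reference only", yet the unchanged context line directly below it still introduces the full feature description, so readers get both messages at once; decide whether the page is current or archived before adding the banner. The contact address here is `contact@evilbitlabs.com`, while the Feature Tiers suggestion uses `support@evilbitlabs.com`; use one address in both.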
@@ -312,3 +320,7 @@
 - Review feature extraction performance
 - Optimize anomaly detection thresholds
 *This document provides comprehensive information about Enterprise tier features. For additional help, consult the troubleshooting section or contact support.*
+
+---
+
+**Historical content only. This information may be outdated or incomplete. For current Enterprise feature details, contact EvilBit Labs directly.**

Feature Tiers
View Suggested Changes
@@ -1,6 +1,15 @@
 # Feature Tiers
 
-DaemonEye offers three distinct tiers, each carefully crafted to address diverse organizational requirements and deployment sizes. While all tiers share a foundational, security-first architecture, they progressively introduce more sophisticated capabilities.
+> **⚠️ ARCHIVED CONTENT — April 2026**  
+> As of April 2026, paid-tier (Business and Enterprise) feature documentation has been moved to private internal documentation and is no longer maintained in the public DaemonEye repository. This page is preserved for historical reference only.
+>
+> For current Enterprise feature information, please contact EvilBit Labs directly at [support@evilbitlabs.com](mailto:support@evilbitlabs.com).
+
+---
+
+**Historical Content (Last updated: April 2026)**
+
+DaemonEye offered three distinct tiers, each carefully crafted to address diverse organizational requirements and deployment sizes. While all tiers share a foundational, security-first architecture, they progressively introduce more sophisticated capabilities.
 ## Core Tier (Open Source)
 **License**: Apache 2.0
 **Target**: Individual users, small teams, proof-of-concept deployments
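Review bot: The archive banner sits above the whole page, so the unchanged "Core Tier (Open Source)" section that follows is also marked historical, even though the banner text says only paid-tier (Business and Enterprise) documentation moved. Scope the banner to the paid-tier sections or state that the Core section is still current. The contact line should also read "Business or Enterprise" rather than only "Enterprise", and the rewritten paragraph mixes "offered" with the present-tense "share" and "introduce".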
@@ -197,4 +206,8 @@
 - Configuration migration tools provided
 - Data export/import capabilities
 - Gradual feature activation
-*Choose the tier that best fits your organization's needs, with the flexibility to upgrade as requirements grow and evolve.*
+---
+
+**End of Archived Content**
+
+*For current DaemonEye Community (open-source) tier documentation, see the main [DaemonEye repository](https://github.com/EvilBit-Labs/DaemonEye). For Business or Enterprise tier inquiries, contact [EvilBit Labs](mailto:support@evilbitlabs.com).*
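Review bot: The added footer calls the open-source tier "Community", but this page's own heading a few lines into the first hunk is "Core Tier (Open Source)"; pick one name so the archived page and the pointer to the current docs agree. The removed closing line invited readers to choose and upgrade a tier, so check that no other unchanged text on the page still makes that offer.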


@unclesp1d3r unclesp1d3r self-assigned this Apr 18, 2026
@unclesp1d3r
Member Author

@dosubot We are only removing document references to the paid tiers from this GitHub repo, not from the knowledge-base. This repo is for Community/OSS code, so it doesn't need to have docs on Pro-tier features, but those features still exist.

@dosubot
Contributor

dosubot Bot commented Apr 18, 2026

Got it — thanks for the clarification. The knowledge base docs for Enterprise Tier Features and Feature Tiers should not be archived or marked as historical; those paid-tier features are still active and the KB is the correct home for that documentation. I'll decline the suggested changes to those two pages.

The other two suggestions — Architecture Overview (stripping mTLS/Security Center references) and DaemonEye Documentation (removing the multi-tier line, updating the license section, dropping the Pricing link) — still align with the goal of keeping the public repo docs Community-only. Let me know if you'd like me to revise anything there as well.


@codecov

codecov Bot commented Apr 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Documents the eight-phase workflow executed on this branch for scrubbing
paid-tier content from the public OSS repo while preserving content in
Confluence first. Knowledge-track workflow_issue doc.

Key pieces captured:
- Grep-based inventory with severity classification
- Verify-before-deletion hard rule (with concrete Confluence CQL +
  text-ratio comparison)
- Pandoc+curl batch migration script for Confluence v2 API
  (~3x faster than MCP tool calls at batch size)
- Fidelity verification via text-only content comparison
- Atomic commit structure so git log is the migration audit trail
- Boundary-footnote policy: acknowledge commercial tiers exist,
  don't enumerate features

No overlap with existing docs/solutions/ content (Rust code-level
security/performance findings). New workflow-issues/ category created.

Also saved to Dosu knowledge base as a durable topic so future sessions
and other tools can discover it.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Cross-references the new docs/solutions/workflow-issues/open-core-
hygiene-confluence-migration-2026-04-18.md learning so future
contributors touching docs, specs, or AGENTS.md get nudged to check
paid-tier boundaries and follow the verify-before-delete rule.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
@coderabbitai coderabbitai Bot removed the documentation Improvements or additions to documentation label Apr 18, 2026
Copilot AI review requested due to automatic review settings April 18, 2026 18:37

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
AGENTS.md (1)

17-17: ⚠️ Potential issue | 🟡 Minor

Use a fully-qualified URL for the external commercial-details reference.

evilbitlabs.io should be clickable (https://evilbitlabs.io) to maintain link hygiene in docs.

As per coding guidelines **/*.md: Use relative links for documentation cross-references and maintain link hygiene.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` at line 17, Replace the bare hostname "evilbitlabs.io" in the
AGENTS.md sentence with a fully-qualified, clickable URL using Markdown link
syntax: e.g. change the text to "See https://evilbitlabs.io for commercial
details." (or preferably "See [https://evilbitlabs.io](https://evilbitlabs.io)
for commercial details.") — update the literal "evilbitlabs.io" occurrence to
"https://evilbitlabs.io" to satisfy link hygiene and ensure external references
are explicit.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Line 43: The sentence in AGENTS.md asserting "Higher-tier designs are not part
of this repo" is misleading because feature-gated Enterprise modules (e.g.,
kernel and network in daemoneye-lib/src/lib.rs, lines referencing the
feature-gated modules) do exist; update the wording to a more accurate phrasing
such as "not documented or fully implemented here" or "maintained privately and
not documented here" so it reflects that Enterprise-tier components may be
present but are feature-gated and not maintained in this documentation; apply
the same wording change at the other occurrence (lines 108-109) to keep
consistency.

---

Duplicate comments:
In `@AGENTS.md`:
- Line 17: Replace the bare hostname "evilbitlabs.io" in the AGENTS.md sentence
with a fully-qualified, clickable URL using Markdown link syntax: e.g. change
the text to "See https://evilbitlabs.io for commercial details." (or preferably
"See [https://evilbitlabs.io](https://evilbitlabs.io) for commercial details.")
— update the literal "evilbitlabs.io" occurrence to "https://evilbitlabs.io" to
satisfy link hygiene and ensure external references are explicit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: fbb5beb2-0f7f-4b14-a6b2-cd95451285c8

📥 Commits

Reviewing files that changed from the base of the PR and between 8756c20 and 7df4b81.

⛔ Files ignored due to path filters (1)
  • docs/solutions/workflow-issues/open-core-hygiene-confluence-migration-2026-04-18.md is excluded by none and included by none
📒 Files selected for processing (1)
  • AGENTS.md


Copilot AI left a comment


Pull request overview

Docs-focused open-core hygiene pass to remove paid-tier/internal planning content from the public DaemonEye repo, scrub remaining docs to Community-tier scope, and annotate the SQL-to-IPC spec with an ADR supersedence note.

Changes:

  • Deleted paid-tier docs/spec planning artifacts (pricing, tier docs, procmond epic/tickets, product docs) and updated mdbook TOC accordingly.
  • Scrubbed user/technical docs and AGENTS.md to remove internal links and tier enumerations, replacing with boundary statements.
  • Added a workflow write-up for Confluence migration hygiene and updated repo tooling/config (pre-commit, VSCode recommendations, .claude scripts).

Reviewed changes

Copilot reviewed 54 out of 54 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| spec/product.md | Deleted paid-tier product overview content from repo. |
| spec/procmond/index.md | Deleted procmond epic ticket index (migrated to Confluence per PR description). |
| spec/procmond/specs/Epic_Brief__Complete_Procmond_Implementation.md | Deleted internal epic brief planning doc. |
| spec/procmond/tickets/Implement_Write-Ahead_Log_and_Event_Bus_Connector.md | Deleted internal ticket doc. |
| spec/procmond/tickets/Implement_Actor_Pattern_and_Startup_Coordination.md | Deleted internal ticket doc. |
| spec/procmond/tickets/Implement_RPC_Service_and_Registration_Manager_(procmond).md | Deleted internal ticket doc. |
| spec/procmond/tickets/Implement_Agent_Loading_State_and_Heartbeat_Detection.md | Deleted internal ticket doc. |
| spec/procmond/tickets/Implement_Comprehensive_Test_Suite.md | Deleted internal ticket doc. |
| spec/procmond/tickets/Implement_Security_Hardening_and_Data_Sanitization.md | Deleted internal ticket doc. |
| spec/procmond/tickets/Validate_FreeBSD_Platform_Support.md | Deleted internal ticket doc. |
| spec/procmond/tickets/Validate_Performance_and_Optimize.md | Deleted internal ticket doc. |
| spec/daemon_eye_spec_sql_to_ipc_detection_architecture.md | Marked §9 storage/execution model as superseded by ADR-0006 while retaining authoritative subsections. |
| docs/src/user-guides/configuration.md | Removed paid-tier config examples and replaced with boundary notes. |
| docs/src/user-guides.md | Removed paid-tier export config example content; retained Community-tier examples. |
| docs/src/technical/core-monitoring.md | Removed enterprise kernel collector code blocks; replaced with Community-tier scope statement. |
| docs/src/technical.md | Removed links to Business/Enterprise tier docs from technical index. |
| docs/src/project-overview.md | Updated feature/licensing language to Community-tier scope and boundary statement. |
| docs/src/introduction.md | Replaced dual-license tier breakdown with boundary statement. |
| docs/src/deployment.md | Removed multi-node aggregation diagram; clarified commercial-tier scope for fleet aggregation. |
| docs/src/deployment/docker.md | Removed Security Center image references. |
| docs/src/deployment/kubernetes.md | Removed Security Center deployment mention. |
| docs/src/deployment/installation.md | Removed enterprise kernel feature prerequisite section. |
| docs/src/architecture.md | Scrubbed Security Center/mTLS specifics in external communication section. |
| docs/src/SUMMARY.md | Removed TOC entries for deleted pricing/tier docs. |
| docs/src/pricing.md | Deleted pricing page from mdbook. |
| docs/src/architecture/feature-tiers.md | Deleted feature tiers doc from mdbook. |
| docs/src/technical/enterprise-tier.md | Deleted enterprise tier doc from mdbook. |
| docs/solutions/workflow-issues/open-core-hygiene-confluence-migration-2026-04-18.md | Added documented workflow for Confluence migration + repo scrub process. |
| AGENTS.md | Updated open-core boundary statements, source-of-truth map, and added an open-core hygiene checklist. |
| .vscode/extensions.json | Added recommended editor extensions for repo contributors. |
| .pre-commit-config.yaml | Updated hook filtering/types, versions, and re-enabled cargo-machete. |
| .claude/skills/skill-stocktake/scripts/scan.sh | Added script to inventory skill files and extract metadata/usage counts. |
| .claude/skills/skill-stocktake/scripts/save-results.sh | Added script to merge evaluation results into a timestamped results file. |
| .claude/skills/skill-stocktake/scripts/quick-diff.sh | Added script to detect changed/new skill files vs evaluated_at. |
| .claude/skills/skill-stocktake/SKILL.md | Added documentation for /skill-stocktake command workflow and schema. |
| .claude/skills/security-scan/SKILL.md | Added Claude skill doc for scanning .claude/ config security posture. |
| .claude/skills/security-bounty-hunter/SKILL.md | Added Claude skill doc for bounty-oriented security review workflow. |
| .claude/skills/rust-testing/SKILL.md | Added Rust testing patterns skill doc. |
| .claude/skills/docker-patterns/SKILL.md | Added Docker patterns skill doc. |
| .claude/skills/deployment-patterns/SKILL.md | Added deployment patterns skill doc. |
| .claude/skills/database-migrations/SKILL.md | Added DB migration patterns skill doc. |
| .claude/skills/codebase-onboarding/SKILL.md | Added codebase onboarding skill doc. |
| .claude/skills/code-tour/SKILL.md | Added CodeTour creation skill doc. |
| .claude/rules/testing.md | Added Rust-specific testing rule overlay. |
| .claude/rules/security.md | Added Rust-specific security rule overlay. |
| .claude/rules/patterns.md | Added Rust-specific patterns rule overlay. |
| .claude/rules/hooks.md | Added Rust hooks rule overlay. |
| .claude/rules/coding-style.md | Added Rust coding-style rule overlay. |

Comment thread AGENTS.md
Comment on lines +100 to 101
2. Steering Documents (specs/, .kiro/steering/)
3. Technical Specifications (.kiro/specs/)
Comment on lines +45 to +46
# Internal wiki hyperlinks
grep -r -n "evilbitlabs.atlassian.net" .
Comment thread .pre-commit-config.yaml
Comment on lines +56 to 61
- repo: https://github.com/bnjbvr/cargo-machete
rev: v0.9.2
hooks:
- id: cargo-machete
types: [ cargo, cargo-lock ]

Comment thread .pre-commit-config.yaml
Comment on lines 45 to 54
exclude: ^.github/workflows/release.yml$

# 🐚 Shell script validation
- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.11.0
hooks:
- id: shellcheck
exclude: ^.github/workflows/release.yml$

# 📝 Commit message linting (commit-msg only, not blocking push)
- repo: https://github.com/commitizen-tools/commitizen
rev: v4.9.1
hooks:
- id: commitizen
stages: [commit-msg]
types: [ shell ]
exclude: ^.github/workflows/release.yml$|^.claude

@coderabbitai coderabbitai Bot added the documentation Improvements or additions to documentation label Apr 18, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
AGENTS.md (1)

17-17: ⚠️ Potential issue | 🟡 Minor

Make the domain reference a clickable URL.

Line 17 uses a bare domain evilbitlabs.io; convert it to a fully qualified URL (https://evilbitlabs.io) for proper link hygiene.

As per coding guidelines **/*.md: Use relative links for documentation cross-references and maintain link hygiene.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` at line 17, Replace the bare domain token `evilbitlabs.io` in the
AGENTS.md sentence ("DaemonEye also ships in higher commercial tiers... See
evilbitlabs.io for commercial details.") with a fully qualified URL
`https://evilbitlabs.io` to make the reference clickable and conform to
link-hygiene; ensure the visible text remains the same if you prefer and only
the href is the full URL, and keep using relative links elsewhere for internal
documentation cross-references per guidelines.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Line 43: Update the sentence to state that higher-tier designs are present in
the repository but are feature-gated and documented separately: mention that
Enterprise modules like the kernel and network monitoring are included under
feature flags (e.g., #[cfg(feature = "kernel-monitoring")] and #[cfg(feature =
"network-correlation")]) and that Community-tier requirements live in spec/ and
.kiro/specs/; rephrase the current line to something like “Community tier
requirements live in spec/ and .kiro/specs/; higher-tier designs are present in
the codebase but gated behind feature flags and documented separately.”
- Around line 108-109: AGENTS.md currently claims commercial components "are not
described here" but community docs (docs/src/deployment/configuration.md)
enumerate Enterprise options like enable_kernel_monitoring; fix by either
removing Enterprise-specific enumerations/labels (e.g., remove or move
enable_kernel_monitoring and any "Enterprise" tags and fleet management
references out of community .md files) or by rewording AGENTS.md to truthfully
state that some Enterprise features (referenced by name, e.g.,
enable_kernel_monitoring and fleet management) appear in community docs for
informational purposes; update AGENTS.md text accordingly and ensure consistency
with docs/src/deployment/configuration.md.

---

Duplicate comments:
In `@AGENTS.md`:
- Line 17: Replace the bare domain token `evilbitlabs.io` in the AGENTS.md
sentence ("DaemonEye also ships in higher commercial tiers... See evilbitlabs.io
for commercial details.") with a fully qualified URL `https://evilbitlabs.io` to
make the reference clickable and conform to link-hygiene; ensure the visible
text remains the same if you prefer and only the href is the full URL, and keep
using relative links elsewhere for internal documentation cross-references per
guidelines.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1f7fdc23-0b8b-4d66-88d5-16dfb8b4be51

📥 Commits

Reviewing files that changed from the base of the PR and between 7df4b81 and f1f9704.

📒 Files selected for processing (1)
  • AGENTS.md

Comment thread AGENTS.md
| **Privacy defaults** | Command args masked by default; RBAC for trace initiation |

**Source of Truth**: Technical requirements in [.kiro/steering/](./kiro/steering/) and [.kiro/specs/](./kiro/specs/). Design origin: [ShadowHunt Concept] in Confluence (ES space).
**Source of Truth**: Technical requirements for the Community tier live in `spec/` and `.kiro/specs/daemoneye-core-monitoring/`. Higher-tier designs are maintained privately and are not part of this repo.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for feature-gated Enterprise/Business tier modules in lib.rs

rg -n -A2 -B2 'cfg\(feature.*enterprise|cfg\(feature.*business|cfg\(feature.*kernel|cfg\(feature.*network' daemoneye-lib/src/lib.rs

Repository: EvilBit-Labs/DaemonEye

Length of output: 424


Line 43: Reword to accurately reflect feature-gated Enterprise modules in codebase.

The statement "Higher-tier designs...are not part of this repo" is inaccurate. Feature-gated Enterprise modules (kernel, network) are present in daemoneye-lib/src/lib.rs (lines 53-54, 60-61), marked with #[cfg(feature = "kernel-monitoring")] and #[cfg(feature = "network-correlation")]. Reword to clarify: "Higher-tier designs are feature-gated and documented separately; Community tier live in spec/ and .kiro/specs/" or similar to distinguish tier availability from repo presence.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` at line 43, Update the sentence to state that higher-tier designs
are present in the repository but are feature-gated and documented separately:
mention that Enterprise modules like the kernel and network monitoring are
included under feature flags (e.g., #[cfg(feature = "kernel-monitoring")] and
#[cfg(feature = "network-correlation")]) and that Community-tier requirements
live in spec/ and .kiro/specs/; rephrase the current line to something like
“Community tier requirements live in spec/ and .kiro/specs/; higher-tier designs
are present in the codebase but gated behind feature flags and documented
separately.”

Comment thread AGENTS.md
Comment on lines +108 to 109
DaemonEye implements a **three-component security architecture** with strict privilege separation. This repo contains the host-side components. Commercial tiers extend this foundation with fleet management and centralized aggregation; those components live in separate private codebases and are not described here.


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Search for documentation of Enterprise-tier modules in community docs

rg -n -i 'kernel.*collector|network.*monitor|fleet.*management' docs/ --glob '!*enterprise*' --glob '!*business*' -C2

Repository: EvilBit-Labs/DaemonEye

Length of output: 3379


Remove Enterprise feature enumeration from community docs or reword AGENTS.md.

Line 108's claim that commercial features "are not described here" is contradicted by community documentation. The docs/src/deployment/configuration.md file explicitly enumerates the enable_kernel_monitoring option with an (Enterprise) label. This violates the guideline: "No paid-tier feature enumerations in Community tier documentation."

Either: (1) remove Enterprise feature enumerations (kernel monitoring, fleet management references) from all community .md files per policy, or (2) reword AGENTS.md to accurately reflect what's documented in the Community tier. The present phrasing obscures the fact that Enterprise capabilities are already being described in configuration and architecture documentation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 108 - 109, AGENTS.md currently claims commercial
components "are not described here" but community docs
(docs/src/deployment/configuration.md) enumerate Enterprise options like
enable_kernel_monitoring; fix by either removing Enterprise-specific
enumerations/labels (e.g., remove or move enable_kernel_monitoring and any
"Enterprise" tags and fleet management references out of community .md files) or
by rewording AGENTS.md to truthfully state that some Enterprise features
(referenced by name, e.g., enable_kernel_monitoring and fleet management) appear
in community docs for informational purposes; update AGENTS.md text accordingly
and ensure consistency with docs/src/deployment/configuration.md.
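
An added example, not code from this PR or the DaemonEye project: the grep-based inventory with severity classification named in the workflow commit message, combined with the tier-labelled option found in the review comment above, written as a scanner that can gate CI. The severity classes, rule names, the `docs/solutions/` exclusion and the sample file contents are assumptions; `evilbitlabs.atlassian.net`, `enable_kernel_monitoring` and the `(Enterprise)` label come from this page.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed severity classes and patterns, ordered most severe first.
RULES = [
    ("high", "internal-wiki-link", re.compile(r"evilbitlabs\.atlassian\.net", re.I)),
    ("medium", "tier-labelled-feature", re.compile(r"\((?:Enterprise|Business)\)", re.I)),
    ("low", "tier-mention", re.compile(r"\b(?:Enterprise|Business)[ -]tier\b", re.I)),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    path: str
    line_no: int
    text: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Return at most one finding per line: the most severe rule that matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, rule, path, line_no, line.strip()))
                break
    return findings

def scan_tree(root: Path, exclude: tuple[str, ...] = ()) -> list[Finding]:
    """Scan every Markdown file under root, skipping excluded relative prefixes."""
    findings = []
    for md in sorted(root.rglob("*.md")):
        rel = md.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in exclude):
            continue
        findings.extend(scan_text(rel, md.read_text(encoding="utf-8", errors="replace")))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line_no))

def gate(findings: list[Finding], fail_on: str = "medium") -> bool:
    """True when no finding is at or above the fail_on severity."""
    limit = SEVERITY_ORDER[fail_on]
    return all(SEVERITY_ORDER[f.severity] > limit for f in findings)

def build_sample_tree(root: Path) -> None:
    """Write a constructed docs tree; every file body here is invented for the demo."""
    (root / "docs/src/deployment").mkdir(parents=True)
    (root / "docs/solutions").mkdir(parents=True)
    # Boundary statement: acknowledges commercial tiers without enumerating features.
    (root / "AGENTS.md").write_text(
        "Commercial tiers extend this foundation; see https://evilbitlabs.io.\n")
    (root / "docs/src/deployment/configuration.md").write_text(
        "enable_kernel_monitoring: false  # (Enterprise)\n"
        "Design notes: https://evilbitlabs.atlassian.net/wiki/PLACEHOLDER\n")
    (root / "docs/src/intro.md").write_text("See the Enterprise tier page.\n")
    (root / "docs/solutions/workflow.md").write_text(
        'grep -r -n "evilbitlabs.atlassian.net" .\n')

def demo() -> list[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        # The workflow write-up quotes the patterns it searches for, so skip it.
        return scan_tree(root, exclude=("docs/solutions/",))

if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"{f.severity:6} {f.rule:22} {f.path}:{f.line_no}: {f.text}")
    raise SystemExit(0 if gate(results) else 1)
```

The boundary statement in the sample `AGENTS.md` passes because it names no tier-specific feature, while the labelled option in `configuration.md` fails the gate at the default `medium` threshold.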

@unclesp1d3r unclesp1d3r merged commit 3e194be into main Apr 18, 2026
21 checks passed
@unclesp1d3r unclesp1d3r deleted the minor-cleanup branch April 18, 2026 18:59

Labels

documentation Improvements or additions to documentation size:XXL This PR changes 1000+ lines, ignoring generated files.


2 participants