Include rules section

2026-04-30 08:45:25 +07:00 · 2026-04-30 08:45:25 +07:00 · c40369566b
commit c40369566b
parent 6d84925fd9
1 changed files with 18 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -40,6 +40,24 @@ Mapping:
 - Relay address is private → set `relay-ip=` to a public IP
 - Relay echo fails → `min-port`/`max-port` range not publicly reachable

+## Rules
+
+| Code                          | Description                                                                                       | Severity            |
+|-------------------------------|---------------------------------------------------------------------------------------------------|---------------------|
+| `stun_turn.discovery`         | Verifies that at least one STUN/TURN endpoint could be discovered (explicit URI or SRV lookup).   | CRITICAL            |
+| `stun_turn.srv_stun`          | Verifies that at least one STUN endpoint is reachable via SRV (_stun/_stuns) or an explicit URI.  | WARNING             |
+| `stun_turn.srv_turn`          | Verifies that at least one TURN endpoint is reachable via SRV (_turn/_turns) or an explicit URI.  | CRITICAL            |
+| `stun_turn.dial`              | Verifies that every discovered endpoint accepts a connection (TCP/TLS handshake or UDP socket).   | CRITICAL            |
+| `stun_turn.tls_transport`     | Verifies that at least one TLS/DTLS transport (stuns/turns) succeeds when present.                | CRITICAL            |
+| `stun_turn.ipv6_coverage`     | Verifies at least one STUN/TURN hostname resolves to an IPv6 address.                             | WARNING             |
+| `stun_turn.stun_binding`      | Verifies that the STUN Binding request receives a XOR-MAPPED-ADDRESS reply.                       | CRITICAL            |
+| `stun_turn.reflexive_public`  | Flags endpoints that return a private/loopback reflexive address (server unaware of its public IP). | CRITICAL          |
+| `stun_turn.stun_latency`      | Compares the STUN Binding RTT against the configured warning/critical thresholds.                 | CRITICAL            |
+| `stun_turn.turn_open_relay`   | Verifies the TURN server requires authentication (challenges unauthenticated Allocate with 401).  | CRITICAL            |
+| `stun_turn.turn_auth`         | Verifies the supplied TURN credentials (or REST shared secret) yield a successful Allocate.       | CRITICAL            |
+| `stun_turn.relay_public`      | Flags TURN servers whose allocated relay address is private/loopback (missing public relay-ip).   | CRITICAL            |
+| `stun_turn.relay_echo`        | Verifies the TURN relay path can carry traffic to the configured probe peer (CreatePermission + Send). | WARNING        |
+
 ## Usage

 Build and run: