From c40369566b57292329c52b02e5fc997b457f610f Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Thu, 30 Apr 2026 08:45:25 +0700 Subject: [PATCH] Include rules section --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index f0f15af..b1045a6 100644 --- a/README.md +++ b/README.md 
@@ -40,6 +40,24 @@ Mapping: - Relay address is private → set `relay-ip=` to a public IP - Relay echo fails → `min-port`/`max-port` range not publicly reachable +## Rules + +| Code | Description | Severity | +|-------------------------------|---------------------------------------------------------------------------------------------------|---------------------| +| `stun_turn.discovery` | Verifies that at least one STUN/TURN endpoint could be discovered (explicit URI or SRV lookup). | CRITICAL | +| `stun_turn.srv_stun` | Verifies that at least one STUN endpoint is reachable via SRV (_stun/_stuns) or an explicit URI. | WARNING | +| `stun_turn.srv_turn` | Verifies that at least one TURN endpoint is reachable via SRV (_turn/_turns) or an explicit URI. | CRITICAL | +| `stun_turn.dial` | Verifies that every discovered endpoint accepts a connection (TCP/TLS handshake or UDP socket). | CRITICAL | +| `stun_turn.tls_transport` | Verifies that at least one TLS/DTLS transport (stuns/turns) succeeds when present. | CRITICAL | +| `stun_turn.ipv6_coverage` | Verifies at least one STUN/TURN hostname resolves to an IPv6 address. | WARNING | +| `stun_turn.stun_binding` | Verifies that the STUN Binding request receives a XOR-MAPPED-ADDRESS reply. | CRITICAL | +| `stun_turn.reflexive_public` | Flags endpoints that return a private/loopback reflexive address (server unaware of its public IP). | CRITICAL | +| `stun_turn.stun_latency` | Compares the STUN Binding RTT against the configured warning/critical thresholds. | CRITICAL | +| `stun_turn.turn_open_relay` | Verifies the TURN server requires authentication (challenges unauthenticated Allocate with 401). | CRITICAL | +| `stun_turn.turn_auth` | Verifies the supplied TURN credentials (or REST shared secret) yield a successful Allocate. | CRITICAL | +| `stun_turn.relay_public` | Flags TURN servers whose allocated relay address is private/loopback (missing public relay-ip). 
| CRITICAL | +| `stun_turn.relay_echo` | Verifies the TURN relay path can carry traffic to the configured probe peer (CreatePermission + Send). | WARNING | + ## Usage Build and run:
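Review bot: The `stun_turn.stun_latency` row lists a single Severity of CRITICAL, but its description says the RTT is compared against warning/critical thresholds, so a reader cannot tell whether the rule can also report WARNING. Either give that row's severity as WARNING/CRITICAL, or add one sentence above the table saying the column shows the highest severity a rule can raise. The same sentence would help with `stun_turn.tls_transport`, which is marked CRITICAL yet only applies "when present". Two smaller points: the SRV labels in the `stun_turn.srv_stun` and `stun_turn.srv_turn` rows (`_stun/_stuns`, `_turn/_turns`) would read better in backticks like the rule codes, and the `reflexive_public` and `relay_echo` descriptions are wider than the column set by the separator row, so the raw table no longer lines up.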