Include rules section

README.md

@@ -40,6 +40,24 @@ Mapping:
 - Relay address is private → set `relay-ip=` to a public IP
 - Relay echo fails → `min-port`/`max-port` range not publicly reachable
 
+## Rules
+
+| Code                          | Description                                                                                       | Severity            |
+|-------------------------------|---------------------------------------------------------------------------------------------------|---------------------|
+| `stun_turn.discovery`         | Verifies that at least one STUN/TURN endpoint could be discovered (explicit URI or SRV lookup).   | CRITICAL            |
+| `stun_turn.srv_stun`          | Verifies that at least one STUN endpoint is reachable via SRV (_stun/_stuns) or an explicit URI.  | WARNING             |
+| `stun_turn.srv_turn`          | Verifies that at least one TURN endpoint is reachable via SRV (_turn/_turns) or an explicit URI.  | CRITICAL            |
+| `stun_turn.dial`              | Verifies that every discovered endpoint accepts a connection (TCP/TLS handshake or UDP socket).   | CRITICAL            |
+| `stun_turn.tls_transport`     | Verifies that at least one TLS/DTLS transport (stuns/turns) succeeds when present.                | CRITICAL            |
+| `stun_turn.ipv6_coverage`     | Verifies at least one STUN/TURN hostname resolves to an IPv6 address.                             | WARNING             |
+| `stun_turn.stun_binding`      | Verifies that the STUN Binding request receives a XOR-MAPPED-ADDRESS reply.                       | CRITICAL            |
+| `stun_turn.reflexive_public`  | Flags endpoints that return a private/loopback reflexive address (server unaware of its public IP). | CRITICAL          |
+| `stun_turn.stun_latency`      | Compares the STUN Binding RTT against the configured warning/critical thresholds.                 | CRITICAL            |
+| `stun_turn.turn_open_relay`   | Verifies the TURN server requires authentication (challenges unauthenticated Allocate with 401).  | CRITICAL            |
+| `stun_turn.turn_auth`         | Verifies the supplied TURN credentials (or REST shared secret) yield a successful Allocate.       | CRITICAL            |
+| `stun_turn.relay_public`      | Flags TURN servers whose allocated relay address is private/loopback (missing public relay-ip).   | CRITICAL            |
+| `stun_turn.relay_echo`        | Verifies the TURN relay path can carry traffic to the configured probe peer (CreatePermission + Send). | WARNING        |
+
 ## Usage
 
 Build and run:

checker/definition.go

@@ -19,7 +19,6 @@ func (p *stunTurnProvider) Definition() *sdk.CheckerDefinition {
 		HasHTMLReport:   true,
 		ObservationKeys: []sdk.ObservationKey{ObservationKeyStunTurn},
 		Availability: sdk.CheckerAvailability{
-			ApplyToZone:    true,
 			ApplyToService: true,
 		},
 		Options: sdk.CheckerOptionsDocumentation{