docs: pre-release hygiene pass — remove aspirational + paid-tier-leaking docs

.gitignore

@@ -142,3 +142,4 @@ docs/plans
 **/*.local.*
 .context/
 todos/
+.claude/

.kiro/steering/structure.md

@@ -2,23 +2,19 @@
 
 ## Workspace Organization
 
-DaemonEye follows a **three-component security architecture** with strict privilege separation, extensible to multi-tier deployments:
+DaemonEye uses a **privilege-separated runtime architecture** within a six-crate workspace (three binaries plus three supporting library crates):
 
 ```text
 DaemonEye/
-├── procmond/         # Privileged Process Collector
-├── daemoneye-agent/    # User-Space Orchestrator
-├── daemoneye-cli/      # Command-Line Interface
-├── daemoneye-lib/     # Shared Library Components
-├── security-center/  # Centralized Management (Business/Enterprise)
-└── project_spec/     # Project Documentation
+├── procmond/             # Privileged Process Collector
+├── daemoneye-agent/      # User-Space Orchestrator
+├── daemoneye-cli/        # Command-Line Interface
+├── daemoneye-lib/        # Shared Library Components
+├── collector-core/       # Collector SDK (EventSource trait, runtime, IPC)
+└── daemoneye-eventbus/   # Embedded broker for cross-process pub/sub and RPC
 ```
 
-**Deployment Tiers:**
-
-- **Free Tier**: Standalone agents (procmond + daemoneye-agent + daemoneye-cli)
-- **Business Tier**: + Security Center + Enterprise integrations
-- **Enterprise Tier**: + Kernel monitoring + Federated architecture + Advanced SIEM
+> This repository contains the Community tier. Commercial tiers (fleet management, GUI, federation, kernel-level collectors) extend this foundation and are sold separately, not in this repo. See evilbitlabs.io for commercial details.
 
 ## Component Responsibilities
 
@@ -47,38 +43,35 @@ DaemonEye/
 ### daemoneye-lib/ (Shared Core)
 
 - **Purpose**: Common functionality shared across all components
-- **Modules**: config, models, storage, detection, alerting, crypto, telemetry, kernel, network
+- **Always-on modules**: config, crypto, integrity, ipc, models, proto, storage, telemetry
+- **Feature-gated modules**: alerting (`alerting`), collection (`process-collection`), detection (`detection-engine`), kernel (`kernel-monitoring`), network (`network-correlation`); the kernel and network modules back commercial-tier collectors and are gated off by default in this repo
 - **Security**: Trait-based abstractions with security boundaries
 
-### security-center/ (Centralized Management)
+### collector-core/ (Collector SDK)
+
+- **Purpose**: SDK providing shared operational infrastructure for collectors (`EventSource` trait, `Collector` runtime, capability negotiation, lifecycle management, IPC contracts)
+- **Contract**: Protobuf IPC (`ipc.proto`, `eventbus.proto`) — language-neutral boundary
 
-- **Purpose**: Centralized aggregation and management for Business/Enterprise tiers
-- **Security**: mTLS authentication, certificate management, role-based access
-- **Features**: Fleet management, rule distribution, data aggregation, web GUI
-- **Deployment**: Optional component for multi-agent environments
+### daemoneye-eventbus/ (Embedded Broker)
+
+- **Purpose**: Cross-process pub/sub and RPC broker embedded inside daemoneye-agent
+- **Features**: Topic hierarchy with wildcard subscriptions, correlation metadata, RPC patterns for collector lifecycle management
+- **Transport**: Unix domain sockets (Linux/macOS), named pipes (Windows)
 
 ## Coding Standards
 
 ### Workspace Configuration
 
-- **Edition**: Rust 2024 (MSRV: 1.85+)
+- **Edition**: Rust 2024 (MSRV: 1.95+, per `Cargo.toml`'s workspace `rust-version`)
 - **Resolver**: Version 3 for enhanced dependency resolution
 - **Lints**: `unsafe_code = "forbid"`, `warnings = "deny"`
 - **Quality**: Zero-warnings policy enforced by CI
 - **AI Restrictions**: Never remove clippy restrictions or allow linters marked as `deny` without explicit permission
-- **Commit Message Style**: Always follow the commit message style in #\[[file:.github/commit-instructions.md]\].
+- **Commit Message Style**: Always follow the commit message style in [`.github/commit-instructions.md`](../../.github/commit-instructions.md).
 
 ### Module Organization
 
-```rust,ignore
-// Library structure pattern
-pub mod alerting; // Multi-channel alert delivery
-pub mod config; // Configuration management
-pub mod crypto;
-pub mod detection; // SQL-based detection engine
-pub mod models; // Core data structures
-pub mod storage; // Database abstractions // Cryptographic audit functions
-```
+For the actual `daemoneye-lib` module surface (always-on vs feature-gated), see the [daemoneye-lib/](#daemoneye-lib-shared-core) section above. New modules should follow the same pattern: always-on for cross-component utilities, feature-gated when the module pulls in optional subsystems (alerting sinks, kernel integrations, network correlation).
 
 ### Error Handling Pattern
 
@@ -117,9 +110,9 @@ All development tasks use the `just` command runner:
 Hierarchical configuration with clear precedence:
 
 1. Command-line flags (highest precedence)
-2. Environment variables (`DaemonEye_*`)
-3. User configuration files (`~/.config/DaemonEye/`)
-4. System configuration files (`/etc/DaemonEye/`)
+2. Environment variables, component-namespaced (`PROCMOND_*`, `DAEMONEYE_AGENT_*`, `DAEMONEYE_CLI_*`)
+3. User configuration files (`~/.config/daemoneye/`)
+4. System configuration files (`/etc/daemoneye/`)
 5. Embedded defaults (lowest precedence)
 
 ## Database Schema Design
@@ -133,24 +126,12 @@ Hierarchical configuration with clear precedence:
 - **alert_deliveries**: Delivery tracking with retry information
 - **audit_ledger**: Tamper-evident cryptographic chain
 
-### Business/Enterprise Tables
-
-- **agents**: Agent registration and status tracking
-- **agent_connections**: mTLS connection management and certificates
-- **fleet_events**: Centralized event aggregation from multiple agents
-- **rule_packs**: Curated rule pack management and distribution
-- **compliance_mappings**: Compliance framework mappings (NIST, ISO 27001, CIS)
-- **network_events**: Network activity correlation (Enterprise tier)
-- **kernel_events**: Kernel-level event monitoring (Enterprise tier)
-
 ### Access Patterns
 
 - **Event Store**: redb with concurrent access and ACID transactions
 - **Audit Ledger**: redb with write-only access for procmond
 - **Detection Queries**: Read-only database connections for rule execution
 - **Indexing**: Optimized for time-series queries and rule execution
-- **Federated Storage**: Hierarchical data aggregation across Security Centers
-- **Real-time Events**: Kernel-level event streaming (Enterprise tier)
 
 ### IPC Protocol
 
@@ -196,12 +177,13 @@ src/
 
 ### Configuration Files
 
-- **System**: `/etc/DaemonEye/config.yaml`
-- **User**: `~/.config/DaemonEye/config.yaml`
+- **System**: `/etc/daemoneye/config.yaml`
+- **User**: `~/.config/daemoneye/config.yaml`
 - **Service**: Platform-specific service definitions in `scripts/service/`
 
 ### Documentation Structure
 
-- **Specifications**: `project_spec/` directory with comprehensive docs
-- **API Documentation**: Generated from code with `cargo doc`
-- **Operator Guide**: User-facing documentation in `docs/`
+- **Specifications and design notes**: `spec/` directory
+- **Steering documents**: `.kiro/steering/` (this file lives here)
+- **API documentation**: Generated from code with `cargo doc`
+- **mdBook content**: `docs/` holds the sources; build them with `mise install` then `mdbook build docs`

.kiro/steering/tech.md

@@ -126,30 +126,17 @@ just run-daemoneye-agent --config /path   # Run orchestrator agent
 ### Process Enumeration
 
 - **Phase 1**: sysinfo crate for unified cross-platform baseline
-- **Phase 2**: Platform-specific enhancements (eBPF, ETW, EndpointSecurity)
-- **Phase 3**: Kernel-level real-time monitoring (Enterprise tier)
+- **Phase 2**: Platform-specific enhancements (Planned)
 - **Fallback**: Graceful degradation when enhanced features unavailable
 
-### Kernel Monitoring (Enterprise Tier)
-
-- **Linux**: eBPF programs for real-time process and syscall monitoring
-- **Windows**: ETW integration for kernel events and registry monitoring
-- **macOS**: EndpointSecurity framework for process and file system events
-- **Network**: Platform-specific network event correlation
+> Kernel-level monitoring (eBPF / ETW / EndpointSecurity) is provided by commercial-tier collectors that are sold separately, not in this repo.
 
 ### Privilege Management
 
 - **Linux**: CAP_SYS_PTRACE, immediate capability dropping
 - **Windows**: SeDebugPrivilege, token restriction after init
 - **macOS**: Minimal entitlements, sandbox compatibility
 
-### Enterprise Security Features
-
-- **Authentication**: mTLS with certificate chain validation
-- **Code Signing**: SLSA Level 3 provenance, Cosign signatures
-- **Compliance**: NIST, ISO 27001, CIS framework mappings
-- **Threat Intelligence**: STIX/TAXII integration, quarterly rule packs
-
 ## Testing Strategy
 
 ### Test Runner & Framework