docs: update documentation for clarity and completeness across multiple files

Author: axonstone

AGENTS.md

@@ -17,7 +17,7 @@
 | **Reference**              |                                                                                          |                                                                                           |
 | Config schema              | [`docs/reference/config-schema.md`](docs/reference/config-schema.md)                     | Every `CloudBurnConfig` field, defaults, merge behavior                                   |
 | Rule IDs                   | [`docs/reference/rule-ids.md`](docs/reference/rule-ids.md)                               | ID table, naming convention, presets                                                      |
-| Finding shape              | [`docs/reference/finding-shape.md`](docs/reference/finding-shape.md)                     | `Finding`, `ResourceLocation`, `ScanResult` type contracts                                |
+| Finding shape              | [`docs/reference/finding-shape.md`](docs/reference/finding-shape.md)                     | `Finding`, `SourceLocation`, `ScanResult` type contracts                                  |
 | **Infrastructure**         |                                                                                          |                                                                                           |
 | Testing                    | [`docs/TESTING.md`](docs/TESTING.md)                                                     | Three-package test strategy, fixtures, TDD flow                                           |
 | Turborepo                  | [`docs/TURBOREPO.md`](docs/TURBOREPO.md)                                                 | Task pipeline, boundaries, filtering                                                      |

CONTRIBUTING.md

@@ -24,66 +24,30 @@ pnpm prepare
 ## Verify Before Opening a PR
 
 ```bash
-pnpm lint
-pnpm typecheck
-pnpm test
-pnpm build
 pnpm verify
 ```
 
+This runs lint, typecheck, and test across the monorepo.
+
 ## Project Boundaries
 
-- `cloudburn` (cli): commands, formatting, exit code behavior.
-- `@cloudburn/sdk`: scanner API, engine orchestration, config, parsers, provider adapters.
-- `@cloudburn/rules`: rules and presets only (no parser/provider/engine logic).
+See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) for the full package graph and responsibility matrix.
+
+The dependency direction is `cli -> sdk -> rules`. No reverse imports.
 
 ## Code Style
 
 - Add TSDoc docstrings to all exports. Document purpose, parameters, and return values.
 
 ## Adding a New Rule
 
-1. Choose provider and service path under `packages/rules/src`.
-
-- AWS example: `packages/rules/src/aws/ec2/`
-
-2. Create a rule file using `createRule(...)` from `shared/helpers.ts`.
-3. Include mandatory metadata:
-
-- `id`, `name`, `description`, `message`, `provider`, `service`, `supports`
-
-Keep provider discovery, parsers, and cloud SDK calls in `@cloudburn/sdk`. Rule files in
-`@cloudburn/rules` should stay pure and expose evaluators over normalized inputs.
-
-4. Export it from service `index.ts` and provider `index.ts`.
-5. Ensure preset inclusion when appropriate (`presets/aws-core.ts`).
-6. Add or update tests in `packages/rules/test`.
-
-## Rule Metadata Expectations
-
-- IDs use the `CLDBRN-{PROVIDER}-{SERVICE}-{N}` format (uppercase, no zero-padding, sequential per service).
-- Keep descriptions user-facing and actionable.
-- Keep `message` as the generic public policy text for grouped scan output.
-- Prefer `supports: ['iac', 'discovery']` only when both are implemented.
-- Use `supports: ['discovery']` or `supports: ['iac']` when a rule only has one real evaluator.
-- `CLDBRN-AWS-EBS-1` (`volume-type-current-gen`) is the reference example for a rule supporting both discovery and IaC evaluation.
-
-## Testing Guidance for Rules
-
-- Add metadata/export coverage.
-- Add focused unit tests for rule behavior once rule logic is implemented.
-- Keep fixtures small and deterministic.
+See [`docs/guides/adding-a-rule.md`](docs/guides/adding-a-rule.md) for the full end-to-end walkthrough covering file placement, `createRule`, dataset dependencies, tests, and registration.
 
 ## Changesets
 
-Use Changesets for user-facing package changes:
-
-```bash
-pnpm changeset
-```
+Write `.changeset/<slug>.md` files directly for user-facing package changes. Published packages: `cloudburn` (cli), `@cloudburn/sdk`, `@cloudburn/rules`.
 
-Add the generated `.changeset/*.md` file to your PR when it changes a published package
-(`cloudburn` (cli), `@cloudburn/sdk`, or `@cloudburn/rules`).
+One changeset file per package — never list multiple packages in one file.
 
 Do not run the versioning step in feature PRs. Versioning happens in the automated
 release PR on `main`.

docs/REVIEW.md

@@ -6,19 +6,13 @@ Non-obvious conventions and constraints that reviewers must enforce. If a rule h
 
 ## Architecture Boundaries
 
-Dependency direction is **`cli -> sdk -> rules`**. No reverse imports.
+See [`docs/ARCHITECTURE.md`](ARCHITECTURE.md) for the full package responsibility matrix.
 
-| Package            | Owns                                                 | Must NOT contain                                 |
-| ------------------ | ---------------------------------------------------- | ------------------------------------------------ |
-| `cloudburn` (cli)  | Commands, formatters, exit codes                     | Scan logic, rule definitions, config loading     |
-| `@cloudburn/sdk`   | Scanner facade, config, engine, parsers, providers   | Rule definitions, CLI concerns                   |
-| `@cloudburn/rules` | Rule declarations, finding types, helpers, presets   | I/O, AWS SDK calls, engine logic, config loading |
-
-`@cloudburn/rules` must stay pure — no I/O, no AWS SDK, no engine imports.
+Dependency direction is **`cli -> sdk -> rules`**. No reverse imports. `@cloudburn/rules` must stay pure — no I/O, no AWS SDK, no engine imports.
 
 ## Finding Shape Gotchas
 
-Output is a three-level hierarchy: `providers -> rules -> findings`.
+Output is a three-level hierarchy: `providers -> rules -> findings`. See [`docs/reference/finding-shape.md`](reference/finding-shape.md) for full type contracts.
 
 - `source` (`'discovery' | 'iac'`) and `message` live on the rule group (`Finding`), not on `FindingMatch` or `ScanResult`.
 - Evaluators return one grouped `Finding` or `null` — never a flat array, never an empty `findings: []`.
@@ -28,40 +22,33 @@ Output is a three-level hierarchy: `providers -> rules -> findings`.
 
 ## Rule Conventions
 
+See [`docs/guides/adding-a-rule.md`](guides/adding-a-rule.md) for the full authoring guide and [`docs/reference/rule-ids.md`](reference/rule-ids.md) for ID conventions.
+
+Key reviewer checks:
+
 - All rules must use `createRule()`.
-- Rule IDs follow `CLDBRN-{PROVIDER}-{SERVICE}-{N}`. No zero-padding.
-- IDs are permanent — never renumber, even if a rule is removed.
 - Rule names describe the policy, not the remediation.
-- The canonical `message` is set once on the `Rule` object and must work for both `discovery` and `iac`.
 - Only implement evaluators for modes declared in `supports`.
-- Static-capable rules with `evaluateStatic` must declare `staticDependencies`.
-- Discovery-capable rules with `evaluateLive` must declare `discoveryDependencies`.
 - Rules must not declare Terraform type strings, CloudFormation type strings, Resource Explorer `resourceTypes`, or loader wiring directly.
-- Static evaluators should read from `StaticEvaluationContext.resources.get('<dataset-key>')`.
-- Discovery evaluators should read from `LiveEvaluationContext.resources.get('<dataset-key>')`.
 
 ## Testing Layers
 
-Vitest across all three packages. When adding or modifying a rule, all three test layers must be updated:
+See [`docs/TESTING.md`](TESTING.md) for the full test strategy and mock boundaries.
+
+When adding or modifying a rule, all three `@cloudburn/rules` test layers must be updated:
 
 1. `exports.test.ts`
 2. `rule-metadata.test.ts`
 3. `{rule-name}.test.ts`
 
-Mock boundaries:
-
-| Package            | What to mock                                                                                                     |
-| ------------------ | ---------------------------------------------------------------------------------------------------------------- |
-| `@cloudburn/rules` | Nothing — pure unit tests                                                                                        |
-| `@cloudburn/sdk`   | Static dataset loaders/orchestration seams, Resource Explorer catalog helpers, discovery hydrators, `loadConfig` |
-| `cloudburn` (cli)  | `CloudBurnClient.scanStatic()` / `.discover()`                                                                   |
-
 ## Build Pipeline
 
-`pnpm verify` = `pnpm lint && pnpm typecheck && pnpm test`. This is the gate before committing.
+`pnpm verify` is the gate before committing.
 
 ## Formatter and Exit Code Contract
 
+See [`docs/architecture/cli.md`](architecture/cli.md) for the full exit-code table and formatter pipeline.
+
 All stdout-producing commands should build a typed `CliResponse` and render it through the shared `renderResponse(response, format)` pipeline.
 
 Supported stdout formats are `json` and `table` only.
@@ -70,14 +57,6 @@ Supported stdout formats are `json` and `table` only.
 - `table` output should remain stable ASCII tables, including `rules list`.
 - Runtime errors should continue to emit the JSON `stderr` envelope rather than following the selected stdout format.
 
-Exit codes:
-
-- `0` — clean scan, or `--exit-code` not passed
-- `1` — findings exist and `--exit-code` was passed
-- `2` — runtime error
-
-`--exit-code` counts nested matches across all providers and rules.
-
 ## Config System
 
 - `.cloudburn.yml` and `.cloudburn.yaml` are both supported; treat both present in one directory as a real bug.

docs/TURBOREPO.md

@@ -13,9 +13,7 @@ packages/
 
 ## Dependency Graph
 
-```text
-cloudburn -> @cloudburn/sdk -> @cloudburn/rules
-```
+See [`docs/ARCHITECTURE.md`](ARCHITECTURE.md) for the full package graph and responsibility matrix.
 
 ## Root Scripts
 

docs/architecture/cli.md

@@ -12,6 +12,7 @@ graph TD
   Root --> Completion["completion"]
   Rules --> RulesList["list"]
   Discover --> DiscoverInit["init"]
+  Discover --> DiscoverStatus["status"]
   Discover --> DiscoverTypes["supported-resource-types"]
   Completion --> CompletionBash["bash"]
   Completion --> CompletionFish["fish"]
@@ -51,6 +52,7 @@ All stdout-producing commands return a typed `CliResponse` and share the same fo
 - `discover --region <region>` overrides the current AWS region resolved from `AWS_REGION`, `AWS_DEFAULT_REGION`, `aws_region`, then the AWS SDK region provider chain.
 - The CLI targets one explicit AWS region per discover run.
 - Multi-region discovery remains an SDK capability through `target: { mode: 'regions', regions: [...] }` and requires a Resource Explorer aggregator index.
+- `discover status` reports the current Resource Explorer index state and uses the shared `json|table` renderer.
 - `discover supported-resource-types` uses the shared `json|table` renderer.
 - `discover init` bootstraps Resource Explorer through the SDK, defaults to the current AWS region, accepts `--region <region>` as an override, and falls back to local-only setup when cross-region bootstrap is denied.
 - `discover init` status output includes the resolved setup `indexType` so users can distinguish local-only setup from aggregator setup.

docs/architecture/rules.md

@@ -58,7 +58,7 @@ classDiagram
   StaticEvaluationContext --> StaticResourceBag : contains
 ```
 
-Rules now return a single grouped `Finding` or `null`. The SDK is responsible for regrouping those rule findings under providers in the public `ScanResult`.
+Rules return a single grouped `Finding` or `null`. The SDK regroups those rule findings under providers in the public `ScanResult`.
 
 ## Rule Assembly Chain
 
@@ -73,56 +73,8 @@ graph LR
 
 ## Authoring Rules
 
-1. Use `createRule({ ... })`.
-2. Keep the stable rule metadata, including the canonical public `message`, on the `Rule` object itself.
-3. For static IaC rules, declare `staticDependencies` dataset keys.
-4. For live AWS rules, declare `discoveryDependencies` dataset keys.
-5. Build lean resource-level `FindingMatch` values inside the evaluator.
-6. Return `{ ruleId, service, source, message, findings }` when there are matches.
-7. Return `null` when nothing matches.
-
-Rule evaluators consume static and live datasets through `context.resources.get('<dataset-key>')`. Rules should not declare Terraform resource type strings, CloudFormation type strings, Resource Explorer `resourceTypes`, or loader wiring directly.
-
-## ID Convention
-
-- **Rule ID:** `CLDBRN-{PROVIDER}-{SERVICE}-{N}`
-- Rule IDs remain stable and drive presets, configuration, and public scan output.
-- There are no per-resource finding IDs in the public rules contract anymore.
+See [`docs/guides/adding-a-rule.md`](../guides/adding-a-rule.md) for the full end-to-end guide and [`docs/reference/rule-ids.md`](../reference/rule-ids.md) for the ID convention and complete rule table.
 
 ## Current Rules
 
-| ID                        | Name                                       | Service    | Supports       | Status      |
-| ------------------------- | ------------------------------------------ | ---------- | -------------- | ----------- |
-| `CLDBRN-AWS-CLOUDTRAIL-1` | CloudTrail Redundant Global Trails         | cloudtrail | discovery      | Implemented |
-| `CLDBRN-AWS-CLOUDTRAIL-2` | CloudTrail Redundant Regional Trails       | cloudtrail | discovery      | Implemented |
-| `CLDBRN-AWS-CLOUDWATCH-1` | CloudWatch Log Group Missing Retention     | cloudwatch | discovery      | Implemented |
-| `CLDBRN-AWS-CLOUDWATCH-2` | CloudWatch Log Group Inactive              | cloudwatch | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-1`        | EC2 Instance Type Not Preferred            | ec2        | iac, discovery | Implemented |
-| `CLDBRN-AWS-EC2-2`        | S3 Interface VPC Endpoint Used             | ec2        | iac            | Implemented |
-| `CLDBRN-AWS-EC2-3`        | Elastic IP Address Unassociated            | ec2        | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-4`        | VPC Interface Endpoint Inactive            | ec2        | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-5`        | EC2 Instance Low Utilization               | ec2        | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-10`       | EC2 Instance Detailed Monitoring Enabled   | ec2        | iac            | Implemented |
-| `CLDBRN-AWS-EC2-11`       | NAT Gateway Idle                           | ec2        | discovery      | Implemented |
-| `CLDBRN-AWS-EBS-1`        | EBS Volume Type Not Current Generation     | ebs        | discovery, iac | Implemented |
-| `CLDBRN-AWS-EBS-2`        | EBS Volume Unattached                      | ebs        | discovery      | Implemented |
-| `CLDBRN-AWS-EBS-3`        | EBS Volume Attached To Stopped Instances   | ebs        | discovery      | Implemented |
-| `CLDBRN-AWS-EBS-4`        | EBS Volume Large Size                      | ebs        | discovery      | Implemented |
-| `CLDBRN-AWS-EBS-5`        | EBS Volume High Provisioned IOPS           | ebs        | discovery      | Implemented |
-| `CLDBRN-AWS-EBS-6`        | EBS Volume Low Provisioned IOPS On io1/io2 | ebs        | discovery      | Implemented |
-| `CLDBRN-AWS-EBS-7`        | EBS Snapshot Max Age Exceeded              | ebs        | discovery      | Implemented |
-| `CLDBRN-AWS-ECR-1`        | ECR Repository Missing Lifecycle Policy    | ecr        | iac, discovery | Implemented |
-| `CLDBRN-AWS-RDS-1`        | RDS Instance Class Not Preferred           | rds        | iac, discovery | Implemented |
-| `CLDBRN-AWS-RDS-2`        | RDS DB Instance Idle                       | rds        | discovery      | Implemented |
-| `CLDBRN-AWS-S3-1`         | S3 Missing Lifecycle Configuration         | s3         | iac, discovery | Implemented |
-| `CLDBRN-AWS-S3-2`         | S3 Bucket Storage Class Not Optimized      | s3         | iac, discovery | Implemented |
-| `CLDBRN-AWS-SAGEMAKER-1`  | SageMaker Notebook Instance Running        | sagemaker  | discovery      | Implemented |
-| `CLDBRN-AWS-LAMBDA-1`     | Lambda Cost Optimal Architecture           | lambda     | iac, discovery | Implemented |
-
-`CLDBRN-AWS-LAMBDA-1` is an advisory rule. It recommends `arm64` only when compatibility is known or explicitly declared, and the static evaluator skips computed or otherwise unknown architecture values instead of treating them as definite `x86_64`.
-
-CloudTrail and CloudWatch discovery rules now rely on dedicated live datasets. CloudBurn seeds both CloudWatch datasets from Resource Explorer `logs:log-group` catalog results, then uses narrow CloudWatch Logs APIs to hydrate group retention metadata and enumerate log streams.
-
-EBS discovery rules now reuse the shared `aws-ebs-volumes` dataset for storage type, attachment, size, and IOPS checks, and use a dedicated `aws-ebs-snapshots` dataset seeded from Resource Explorer `ec2:snapshot` resources for snapshot-age review.
-
-NAT gateway and SageMaker notebook discovery follow the same catalog-first model: CloudBurn seeds NAT review from `ec2:natgateway` resources and hydrates 7-day traffic totals with `DescribeNatGateways` plus CloudWatch metrics, while SageMaker notebook review is seeded from `sagemaker:notebook-instance` resources and hydrated through `DescribeNotebookInstance`.
+See [`docs/reference/rule-ids.md`](../reference/rule-ids.md) for the complete rule table with descriptions and support modes.