[New] Documentation convention: level-2 README, banners, companion files

[New] README restructured to rfxn documentation convention (level-2)
[New] SVG banners (dark/light) with scan beam glyph in assets/
[New] SECURITY.md and CONTRIBUTING.md from RDF templates
[New] What's New, Integration, and Exit Codes sections in README
[Change] Badge row updated to flat-square style

Author: rfxn

CHANGELOG

@@ -1,3 +1,10 @@
+v2.0.1 | Mar 23 2026:
+[New] README restructured to rfxn documentation convention (level-2)
+[New] SVG banners (dark/light) with scan beam glyph in assets/
+[New] SECURITY.md and CONTRIBUTING.md companion files
+[New] What's New, Integration, and Exit Codes sections in README
+[Change] Badge row updated to flat-square style with centered layout
+
 v2.0.1 | Mar 10 2026:
 
   -- New Features --

CHANGELOG.RELEASE

@@ -1,3 +1,10 @@
+v2.0.1 | Mar 23 2026:
+[New] README restructured to rfxn documentation convention (level-2)
+[New] SVG banners (dark/light) with scan beam glyph in assets/
+[New] SECURITY.md and CONTRIBUTING.md companion files
+[New] What's New, Integration, and Exit Codes sections in README
+[Change] Badge row updated to flat-square style with centered layout
+
 v2.0.1 | Mar 10 2026:
 
   -- New Features --

CONTRIBUTING.md

@@ -0,0 +1,34 @@
+# Contributing to linux-malware-detect
+
+## How to Contribute
+
+- **Bug reports**: Open a GitHub Issue with steps to reproduce
+- **Feature requests**: Open a GitHub Issue with use case and rationale
+- **Security vulnerabilities**: See [SECURITY.md](SECURITY.md)
+
+## Development Setup
+
+```bash
+git clone https://github.com/rfxn/linux-malware-detect.git
+cd linux-malware-detect
+# Project-specific setup instructions
+```
+
+## Code Standards
+
+- All shell scripts pass `bash -n` and `shellcheck`
+- Tests use the BATS framework: `make -C tests test`
+- Commit messages follow project conventions (see CHANGELOG for format)
+
+## Pull Requests
+
+1. Fork the repository
+2. Create a feature branch from the current release branch
+3. Make your changes with tests
+4. Ensure all tests pass: `make -C tests test`
+5. Submit a pull request with a clear description
+
+## License
+
+By contributing, you agree that your contributions will be licensed
+under the GNU GPL v2.

README.md

@@ -1,8 +1,19 @@
 # Linux Malware Detect (LMD)
 
-[![Version](https://img.shields.io/badge/version-2.0.1-blue.svg)](CHANGELOG)
-[![License: GPL v2](https://img.shields.io/badge/license-GPL_v2-green.svg)](COPYING.GPL)
-[![CI](https://github.com/rfxn/linux-malware-detect/actions/workflows/smoke-test.yml/badge.svg?branch=master)](https://github.com/rfxn/linux-malware-detect/actions/workflows/smoke-test.yml)
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="assets/banner-dark.svg">
+    <source media="(prefers-color-scheme: light)" srcset="assets/banner-light.svg">
+    <img alt="Linux Malware Detect" src="assets/banner-dark.svg" width="830">
+  </picture>
+</p>
+
+<p align="center">
+  <a href="https://github.com/rfxn/linux-malware-detect/actions/workflows/smoke-test.yml"><img src="https://github.com/rfxn/linux-malware-detect/actions/workflows/smoke-test.yml/badge.svg?branch=master" alt="CI"></a>
+  <a href="CHANGELOG"><img src="https://img.shields.io/badge/version-2.0.1-blue.svg?style=flat-square" alt="Version"></a>
+  <a href="COPYING.GPL"><img src="https://img.shields.io/badge/license-GPL_v2-green.svg?style=flat-square" alt="License: GPL v2"></a>
+  <a href="#1-introduction"><img src="https://img.shields.io/badge/platform-Linux-orange.svg?style=flat-square" alt="Platform: Linux"></a>
+</p>
 
 **Malware scanner for Linux** — multi-stage threat detection (MD5, SHA-256, HEX, YARA,
 statistical analysis), ClamAV integration, real-time inotify monitoring,
@@ -13,7 +24,9 @@ Discord).
 > (C) 2026, Ryan MacDonald &lt;ryan@rfxn.com&gt;<br>
 > Licensed under [GNU GPL v2](COPYING.GPL)
 
-### What's New in 2.0.1
+---
+
+## What's New in 2.0.1
 
 **43x faster native scan engine** — the native scanning pipeline has been completely
 rewritten with batch parallel processing. Real-world benchmark on ~10,000 files:
@@ -50,7 +63,7 @@ See [CHANGELOG](CHANGELOG) for full details.
   - [3.8 Remote ClamAV](#38-remote-clamav)
   - [3.9 ELK Integration](#39-elk-integration)
   - [3.10 Configuration Loading Order](#310-configuration-loading-order)
-- [4. CLI Usage](#4-cli-usage)
+- [4. Usage](#4-usage)
 - [5. Ignore Options](#5-ignore-options)
 - [6. Cron Daily](#6-cron-daily)
 - [7. Inotify Monitoring](#7-inotify-monitoring)
@@ -59,9 +72,10 @@ See [CHANGELOG](CHANGELOG) for full details.
   - [8.2 Custom Signatures](#82-custom-signatures)
 - [9. Quarantine & Cleaning](#9-quarantine--cleaning)
   - [9.1 Cleaner Rules](#91-cleaner-rules)
-- [10. Hook Scanning & Service Integration](#10-hook-scanning--service-integration)
-- [11. License](#11-license)
-- [12. Support Information](#12-support-information)
+- [10. Hook Scanning](#10-hook-scanning)
+- [Integration](#integration)
+- [License](#license)
+- [Support](#support)
 
 ---
 
@@ -94,6 +108,8 @@ maldet -u
 
 ## 1. Introduction
 
+LMD's architecture, detection stages, and supported platforms.
+
 Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is derived from user submissions with the LMD checkout feature and from malware community resources.
 
 LMD focuses on the malware classes that traditional AV products frequently miss: PHP shells, JavaScript injectors, base64-encoded backdoors, IRC bots, and other web-application-layer threats that target shared hosting user accounts rather than operating system internals.
@@ -151,6 +167,8 @@ LMD runs on any Linux distribution with bash and standard GNU utilities. Tested
 
 ## 2. Installation
 
+Installing, upgrading, and removing LMD from a system.
+
 The included `install.sh` script handles all installation tasks. Previous installations are automatically backed up.
 
 ```bash
@@ -177,6 +195,8 @@ Previous installs are saved to `/usr/local/maldetect.bk{PID}` with a `maldetect.
 
 ## 3. Configuration
 
+All user-facing settings and their defaults. See `man maldet`(1) for the complete reference.
+
 The main configuration file is `/usr/local/maldetect/conf.maldet`. All options are commented for ease of configuration. Options use `0`/`1` for disable/enable unless otherwise noted.
 
 Configuration can also be overridden at runtime using the `-co` flag:
@@ -356,7 +376,9 @@ Later sources override earlier values:
 
 ---
 
-## 4. CLI Usage
+## 4. Usage
+
+Command-line interface, exit codes, and common examples. See `man maldet`(1) for the complete option reference.
 
 ```
 usage: maldet [OPTION] [ARGUMENT]
@@ -407,7 +429,13 @@ OTHER:
   -h, --help                    show detailed help
 ```
 
-**Exit codes:** `0` = success / no hits, `1` = error or all scan paths non-existent, `2` = malware hits found.
+### 4.1 Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| `0` | Success, no malware hits |
+| `1` | Error or all scan paths non-existent |
+| `2` | Malware hits found |
 
 **Examples:**
 
@@ -451,6 +479,8 @@ enriched fields (hash, size, owner, etc.) as `null`.
 
 ## 5. Ignore Options
 
+Excluding paths, file types, and signatures from scans and monitoring.
+
 Four ignore files control what is excluded from scanning:
 
 | File | Format | Purpose |
@@ -486,6 +516,8 @@ base64.inject.unclassed
 
 ## 6. Cron Daily
 
+Automated daily scanning, data pruning, and signature updates.
+
 The cron job installed at `/etc/cron.daily/maldet` performs three tasks:
 
 1. **Prune** quarantine, session, and temp data older than `cron_prune_days` (default: 21)
@@ -518,6 +550,8 @@ A weekly watchdog script (`/etc/cron.weekly/maldet-watchdog`) provides independe
 
 ## 7. Inotify Monitoring
 
+Real-time file monitoring with kernel inotify, digest alerts, and supervisor management.
+
 Real-time file monitoring uses the kernel inotify subsystem to detect file creation, modification, and move events. Requires a kernel with `CONFIG_INOTIFY_USER` (standard on all modern kernels).
 
 ```bash
@@ -559,6 +593,8 @@ When using the `users` mode, only subdirectories matching `inotify_docroot` (def
 
 ## 8. Signature System
 
+Signature types, naming conventions, updates, and custom rule files.
+
 LMD ships with five signature types:
 
 | Type | File | Format | Count |
@@ -628,6 +664,8 @@ Remote import URLs can be configured for automatic download during signature upd
 
 ## 9. Quarantine & Cleaning
 
+Isolating, restoring, and cleaning malware-infected files.
+
 Quarantined files are stored under `/usr/local/maldetect/quarantine/` with permissions set to `000`. Original path, owner, permissions, and modification time are recorded in `/usr/local/maldetect/sess/quarantine.hist` for full restoration.
 
 ```bash
@@ -662,7 +700,9 @@ The cleaner is a sub-function of quarantine — files must be quarantined (or us
 
 ---
 
-## 10. Hook Scanning & Service Integration
+## 10. Hook Scanning
+
+Service hook API for ModSecurity, FTP, Exim, and custom integrations.
 
 LMD provides real-time file scanning for multiple services via the unified `hookscan.sh` API. A single script handles mode dispatch for ModSecurity, pure-ftpd, ProFTPD, Exim, and generic (custom) integrations.
 
@@ -801,7 +841,40 @@ For administrators replacing CXS with LMD:
 
 ---
 
-## 11. License
+## Integration
+
+Connecting LMD with external tools, automation pipelines, and third-party scanners.
+
+### ClamAV
+
+LMD signatures are automatically symlinked to ClamAV data directories by `install.sh`, providing dual-engine coverage. Set `scan_clamscan=auto` (default) for automatic ClamAV detection. See [3.7 ClamAV Integration](#37-clamav-integration) for engine selection and signature validation.
+
+### ELK Stack
+
+Enable `enable_statistic=1` with `elk_host`, `elk_port`, and `elk_index` to stream scan events to Elasticsearch. See [3.9 ELK Integration](#39-elk-integration).
+
+### Alerting Channels
+
+LMD supports four alert delivery channels beyond email: Slack (Block Kit), Telegram (MarkdownV2), Discord (webhook embeds), and SMTP relay for environments without a local MTA. See [3.2 Alerting](#32-alerting) for configuration.
+
+### JSON Reports
+
+Machine-readable scan output for CI/CD and automation:
+
+```bash
+maldet --format json -e SCANID    # JSON report to stdout
+maldet --json-report list         # list all scans as JSON
+```
+
+See `man maldet`(1) for the v1.0 JSON schema.
+
+### Hosting Panel Detection
+
+The daily cron auto-detects 12+ hosting control panels and adjusts scan paths. See [6. Cron Daily](#6-cron-daily) for the full panel matrix.
+
+---
+
+## License
 
 LMD is developed and supported on a volunteer basis by Ryan MacDonald [ryan@rfxn.com].
 
@@ -812,7 +885,7 @@ required under GNU GPL.
 
 ---
 
-## 12. Support Information
+## Support
 
 The LMD source repository is at: https://github.com/rfxn/linux-malware-detect
 

SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy — linux-malware-detect
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| latest release | Yes |
+| previous minor | Security fixes only |
+| older | No |
+
+## Reporting a Vulnerability
+
+**Do not open a public issue for security vulnerabilities.**
+
+Email: proj@rfxn.com
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Affected version(s)
+- Impact assessment (if known)
+
+## Response Timeline
+
+- **Acknowledgment**: within 48 hours
+- **Initial assessment**: within 5 business days
+- **Fix or mitigation**: best-effort, typically within 30 days for
+  confirmed vulnerabilities
+
+## Scope
+
+This policy covers the linux-malware-detect codebase. For vulnerabilities in
+dependencies, please report to the upstream maintainer and notify us
+if the dependency is bundled.