cleanup(claude): update CLAUDE.md with latest project changes #694

Open. Molter73 wants to merge 1 commit into main from mauro/cleanup/update-claude-md


@Molter73 (Collaborator) commented May 21, 2026

Description

Add more detail about modules in the fact project. Small clarifications on the fact-ebpf module.
Update event flow section.
Add note on protobuf definitions living in a git submodule.

Assisted-by: Claude Code (Opus 4.6) claude-code/1.0.53

Checklist

  • Patch has a change log entry OR does not need one.
  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Changes are documentation only.

Summary by CodeRabbit

  • Documentation
    • Updated development documentation to clarify system architecture, component organization, event flow processes, and repository setup requirements.

Add more detail about modules in the fact project.
Small clarifications on the fact-ebpf module.
Update event flow section.
Add note on protobuf definitions living in a git submodule.

Assisted-by: Claude Code (Opus 4.6) claude-code/1.0.53
@Molter73 Molter73 requested a review from a team as a code owner May 21, 2026 13:40
coderabbitai Bot commented May 21, 2026

Walkthrough

This PR updates developer guidance in CLAUDE.md to align repository documentation with the current architecture. The workspace structure section is refreshed with additional subcomponent details, the event flow is rewritten to clarify host scanning and rate limiting responsibilities, and setup instructions are added regarding git submodule initialization for protobufs.

Changes

Repository Guidance Documentation

| Layer / File(s) | Summary |
|---|---|
| Architecture overview and setup instructions (CLAUDE.md) | Workspace structure bullets expanded with subcomponent detail (checks, config, output, metrics, host scanner, rate limiter, pre-flight). Event flow section rewritten to describe periodic host scanning, inode tracking, and explicit rate-limiting step. Setup note added documenting that fact-api protobufs live in third_party/stackrox git submodule and require initialization. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

coderabbit-review

Suggested reviewers

  • Stringy

Poem

📚 A rabbit hops through docs with care,
Refining words both true and fair,
The architecture now laid bare,
With submodules and steps to spare—
A clearer path for all to share! 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: updating CLAUDE.md documentation with latest project details. It is specific, concise, and directly related to the primary purpose of the PR. |
| Description check | ✅ Passed | The description includes the required template sections with adequate detail about documentation changes. The Testing Performed section correctly identifies that changes are documentation-only, making additional automated tests unnecessary. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
CLAUDE.md (1)

47-52: ⚡ Quick win

Consider clarifying the event flow to distinguish parallel event sources.

The current step-by-step numbering suggests a purely linear flow, but step 4 (HostScanner) is described as "periodically scans," which implies it's a separate, parallel event source rather than a sequential step that processes events from step 3. This could be made clearer by restructuring to show that both kernel LSM events (steps 1-3) and HostScanner events (step 4) are independent sources that then converge at the rate limiting stage (step 5).

For example:

### Event Flow
1. Kernel LSM hooks trigger BPF programs (in `fact-ebpf/src/bpf/main.c`); `checks.c` runs kernel capability probes at startup
2. BPF programs write events to ring buffer
3. `Bpf` worker (in `fact/src/bpf/mod.rs`) reads from ring buffer, sends to channel
4. `HostScanner` (in `fact/src/host_scanner.rs`) independently and periodically scans monitored paths and handles userspace inode tracking, generating events
5. All events (from both kernel LSM hooks and HostScanner) pass through rate limiting (`fact/src/rate_limiter.rs`)
6. Output handlers (in `fact/src/output/`) send to gRPC or stdout as JSON
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLAUDE.md` around lines 47 - 52, The flow description reads as strictly
linear but HostScanner is a parallel event source; update the narrative in
CLAUDE.md to explicitly state that kernel LSM→BPF→Bpf worker (refer to
fact-ebpf/src/bpf/main.c, checks.c and fact/src/bpf/mod.rs) and HostScanner
(refer to fact/src/host_scanner.rs) generate events independently and then
converge into the shared rate limiter (fact/src/rate_limiter.rs) before reaching
output handlers (fact/src/output/); reword the steps to mark HostScanner as an
independent, periodic source and clearly state that steps 1–3 and step 4 are
parallel sources that merge at step 5.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Enterprise

Run ID: 31de1054-9821-47a9-b07a-aa4e0d62e5f6

📥 Commits

Reviewing files that changed from the base of the PR and between 0e170db and f846ae1.

📒 Files selected for processing (1)
  • CLAUDE.md
