docs: clean up README structure and ordering

Author: Crank-Git

README.md

@@ -1,10 +1,11 @@
 [![Tests](https://github.com/Crank-Git/ja4plus/actions/workflows/test.yml/badge.svg)](https://github.com/Crank-Git/ja4plus/actions/workflows/test.yml)
 [![PyPI version](https://badge.fury.io/py/ja4plus.svg)](https://pypi.org/project/ja4plus/)
 [![Python versions](https://img.shields.io/pypi/pyversions/ja4plus.svg)](https://pypi.org/project/ja4plus/)
+[![License](https://img.shields.io/badge/license-BSD--3--Clause-blue.svg)](LICENSE)
 
 # JA4+
 
-A Python library for JA4+ network fingerprinting. Implements all eight JA4+ methods for identifying and classifying network traffic based on TLS, TCP, HTTP, SSH, and X.509 characteristics.
+A Python library and CLI for JA4+ network fingerprinting. Implements all eight JA4+ methods for identifying and classifying network traffic based on TLS, TCP, HTTP, SSH, and X.509 characteristics.
 
 JA4+ is a set of network fingerprinting standards created by [FoxIO](https://foxio.io). This library is an independent Python implementation of the published specification. For the original spec, see the [FoxIO JA4+ repository](https://github.com/FoxIO-LLC/ja4).
 
@@ -27,69 +28,52 @@ JA4+ is a set of network fingerprinting standards created by [FoxIO](https://fox
 pip install ja4plus
 ```
 
-Or install from source:
+For fingerprint identification (browsers, malware, C2 frameworks):
 
 ```bash
-git clone https://github.com/Crank-Git/ja4plus.git
-cd ja4plus
-pip install -e .
+pip install ja4plus[lookup]
 ```
 
-## Licensing
-
-This library (ja4plus) is released under the **BSD 3-Clause License**.
-
-The JA4+ fingerprinting specifications were created by [FoxIO](https://foxio.io):
-
-- **JA4** (TLS Client Fingerprinting) is open source under **BSD-3-Clause** per FoxIO.
-- **JA4S, JA4H, JA4T, JA4TS, JA4L, JA4X, JA4SSH** implement FoxIO's specifications and are subject to the **FoxIO License 1.1**.
-
-The FoxIO License 1.1 is permissive for most use cases, including academic use, internal business use, and security research. Commercial productization or resale of these fingerprinting methods (other than JA4) may require a separate license from FoxIO.
-
-See the [FoxIO License](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE) for full terms, and [LICENSE](LICENSE) in this repository for the complete dual-license notice.
+## CLI
 
-## CLI Tool
-
-After installing, the `ja4plus` command is available:
+The `ja4plus` command is available after installation:
 
 ```bash
-# Fingerprint a PCAP file
+# Analyze a PCAP file
 ja4plus analyze capture.pcap
 
-# Output as JSON (for SIEM ingestion)
+# JSON output for SIEM ingestion
 ja4plus --format json analyze capture.pcap
 
-# Filter to specific fingerprint types
+# Only specific fingerprint types
 ja4plus --types ja4,ja4t analyze capture.pcap
 
-# Live capture from a network interface (requires root)
+# Live capture (requires root)
 sudo ja4plus live eth0
 
-# Fingerprint an X.509 certificate
+# Fingerprint a certificate
 ja4plus cert server.der
 
-# Identify known fingerprints (browsers, malware, C2)
+# Identify known fingerprints
 ja4plus --lookup analyze capture.pcap
 ```
 
-### Fingerprint Lookup
-
-ja4plus includes a bundled database of known JA4+ fingerprints from FoxIO's [ja4plus-mapping.csv](https://github.com/FoxIO-LLC/ja4/blob/main/ja4plus-mapping.csv), identifying browsers (Chrome, Firefox, Safari), malware (IcedID, Cobalt Strike, Sliver), and operating systems.
+Output formats: `--format table` (default), `json` (JSONL), `csv`
 
-```bash
-# Install with lookup support (adds optional requests dependency)
-pip install ja4plus[lookup]
+## Fingerprint Lookup
 
-# Use in CLI
-ja4plus --lookup analyze capture.pcap
+ja4plus includes a bundled database of known JA4+ fingerprints from FoxIO's [ja4plus-mapping.csv](https://github.com/FoxIO-LLC/ja4/blob/main/ja4plus-mapping.csv). Identifies Chrome, Firefox, Safari, Python, Cobalt Strike, Sliver, IcedID, and more.
 
-# Use in code
+```python
 from ja4plus.ja4db import lookup
+
 result = lookup("t13d1516h2_8daaf6152771_02713d6af862")
 # {"application": "Chromium Browser", "type": "ja4", "notes": ""}
 ```
 
-## Quick Start
+## Python API
+
+### Quick Start
 
 ```python
 from scapy.all import rdpcap
@@ -104,38 +88,6 @@ for packet in packets:
         print(f"JA4: {result}")
 ```
 
-## Usage
-
-### Class-Based API
-
-Each fingerprinter processes packets and collects results:
-
-```python
-from ja4plus import JA4Fingerprinter, JA4SFingerprinter, JA4TFingerprinter
-
-ja4 = JA4Fingerprinter()
-ja4s = JA4SFingerprinter()
-ja4t = JA4TFingerprinter()
-
-for packet in packets:
-    ja4.process_packet(packet)
-    ja4s.process_packet(packet)
-    ja4t.process_packet(packet)
-
-for entry in ja4.get_fingerprints():
-    print(entry["fingerprint"])
-```
-
-### Function-Based API
-
-For one-shot fingerprinting of individual packets:
-
-```python
-from ja4plus import generate_ja4, generate_ja4s, generate_ja4h
-
-fingerprint = generate_ja4(packet)
-```
-
 ### All Fingerprinters
 
 ```python
@@ -159,26 +111,39 @@ All fingerprinters share a common interface:
 | `get_fingerprints()` | Returns list of all collected fingerprint dicts |
 | `reset()` | Clears all collected state |
 
-See [`docs/usage.md`](docs/usage.md) for detailed usage of each fingerprinter.
+### Function-Based API
+
+For one-shot fingerprinting without maintaining state:
+
+```python
+from ja4plus import generate_ja4, generate_ja4s, generate_ja4h
+
+fingerprint = generate_ja4(packet)
+```
+
+See [`docs/usage.md`](docs/usage.md) for detailed usage of each fingerprinter and [`docs/api_reference.md`](docs/api_reference.md) for the full API.
 
 ## Fingerprint Formats
 
 | Type | Format | Example |
 |------|--------|---------|
-| JA4 | `{proto}{ver}{sni}{ciphcnt}{extcnt}{alpn}_{hash}_{hash}` | `t13d1516h2_8daaf6152771_e5627efa2ab1` |
-| JA4S | `{proto}{ver}{extcnt}{alpn}_{cipher}_{hash}` | `t130200_1301_a56c5b993250` |
-| JA4H | `{method}{ver}{cookie}{ref}{cnt}{lang}_{hash}_{hash}_{hash}` | `ge11cr0800_edb4461d7a83_4817af47a558_...` |
+| JA4 | `{proto}{ver}{sni}{ciphers}{exts}{alpn}_{hash}_{hash}` | `t13d1516h2_8daaf6152771_e5627efa2ab1` |
+| JA4S | `{proto}{ver}{exts}{alpn}_{cipher}_{hash}` | `t130200_1301_a56c5b993250` |
+| JA4H | `{method}{ver}{cookie}{ref}{cnt}{lang}_{h}_{h}_{h}` | `ge11cr0800_edb4461d7a83_...` |
 | JA4T | `{window}_{options}_{mss}_{wscale}` | `65535_2-4-8-1-3_1460_7` |
 | JA4TS | `{window}_{options}_{mss}_{wscale}` | `14600_2-4-8-1-3_1460_0` |
 | JA4L | `{latency_us}_{ttl}` | `2500_56` |
-| JA4X | `{issuer_hash}_{subject_hash}_{ext_hash}` | `a37f49ba31e2_a37f49ba31e2_dd4f1a0ef8b2` |
+| JA4X | `{issuer}_{subject}_{extensions}` | `a37f49ba31e2_a37f49ba31e2_dd4f1a0ef8b2` |
 | JA4SSH | `c{mode}s{mode}_c{pkts}s{pkts}_c{acks}s{acks}` | `c36s36_c51s80_c69s0` |
 
-## Requirements
+## Spec Validation
 
-- Python 3.8+
-- [scapy](https://scapy.net/) >= 2.4.0
-- [cryptography](https://cryptography.io/) >= 42.0.0
+ja4plus is validated against [FoxIO's official test vectors](https://github.com/FoxIO-LLC/ja4):
+
+```bash
+python tests/download_test_vectors.py
+pytest -m spec_validation -v
+```
 
 ## Development
 
@@ -189,19 +154,19 @@ pip install -e ".[dev]"
 pytest tests/ -v
 ```
 
-## Spec Validation
-
-ja4plus is validated against [FoxIO's official test vectors](https://github.com/FoxIO-LLC/ja4).
-Run the validation suite:
+### Requirements
 
-```bash
-python tests/download_test_vectors.py
-pytest -m spec_validation -v
-```
+- Python 3.8+
+- [scapy](https://scapy.net/) >= 2.4.0
+- [cryptography](https://cryptography.io/) >= 42.0.0
 
 ## License
 
-BSD 3-Clause License. See [LICENSE](LICENSE) for details.
+This library is released under the **BSD 3-Clause License**.
+
+The JA4+ fingerprinting specifications were created by [FoxIO](https://foxio.io). JA4 (TLS Client) is open source under BSD-3-Clause per FoxIO. Other JA4+ methods (JA4S, JA4H, JA4T, JA4TS, JA4L, JA4X, JA4SSH) implement FoxIO's specifications under the [FoxIO License 1.1](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE), which is permissive for academic, internal business, and security research use.
+
+See [LICENSE](LICENSE) for full details.
 
 ## Acknowledgments