Releases: stacknil/telemetry-lab

v0.6.0 — fourth demo and config-change investigation

02 Apr 05:03
769b3d0

This is a small portfolio milestone release for telemetry-lab.

What changed

  • Added config-change-investigation-demo as a fourth local, file-based demo.
  • The new demo stays fully deterministic: risky config-change rules, bounded evidence correlation, committed artifacts, and a short investigation report.
  • The repository now reads as a four-demo portfolio repo instead of a three-demo repo with config-change investigation still treated as future work.

Included artifacts

The new demo commits reviewer-facing outputs such as:

  • change_events_normalized.json
  • investigation_hits.json
  • investigation_summary.json
  • investigation_report.md

Boundaries

  • No new AI stage
  • No autonomous response
  • No realtime ingestion or service deployment
  • Still scoped as a small review-oriented prototype, not a production system

Validation

  • python -m telemetry_window_demo.cli run-config-change-demo
  • python -m pytest
  • Full test suite: 51 passed

v0.5.0 — third demo and three-demo structure

01 Apr 06:33
96fba76

This is a small portfolio milestone release for telemetry-lab.

What changed

  • Added rule-evaluation-and-dedup-demo as a third local, file-based demo focused on cooldown semantics and repeated-hit suppression.
  • Added committed before/after dedup artifacts so reviewers can inspect raw rule hits, retained alerts, suppression reasons, and the short dedup report without running the code.
  • The repository now reads clearly as a three-demo structure: telemetry-window-demo, ai-assisted-detection-demo, and rule-evaluation-and-dedup-demo.

Notes

This is a portfolio milestone release, not a product launch. The repository remains intentionally small, local, and review-oriented.

v0.4.0 — second demo and portfolio integration

31 Mar 08:02
ed46372

This is a small portfolio milestone release for telemetry-lab.

The repository now presents a two-demo structure:

  Demo                         Role
  telemetry-window-demo        Windowed telemetry analysis with deterministic rules, CSV outputs, and timeline artifacts
  ai-assisted-detection-demo   Deterministic detection and case grouping with constrained LLM summarization and auditable rejection paths

What changed

Repo structure and front door

  • The landing page now presents telemetry-lab as a two-demo repository
  • The top-level README includes direct navigation to both demos
  • The public repo story is now easier to scan from the landing page

New second demo

  • Added ai-assisted-detection-demo
  • The demo centers on:
    • deterministic detection
    • deterministic case grouping
    • constrained LLM summarization
    • audit traces and visible rejection paths

Guardrails and boundaries

  • human_verification is required
  • No autonomous response actions
  • No final incident verdict
  • No LLM-driven detection or grouping decisions
  • Fail-closed validation remains in place for invalid or disallowed outputs

Reviewer-facing documentation

  • Added a walkthrough for:
    • accepted summary path
    • rejected summary path
    • degraded coverage path
  • Added an explicit lifecycle contract and audit schema version in the design documentation

Why this milestone matters

This release moves telemetry-lab from a single-demo prototype toward a clearer portfolio repository with:

  • one telemetry/windowing workflow
  • one case-centric, AI-assisted investigation workflow
  • explicit guardrails around model output and operator review

Validation

  • Full test suite: 43 passed

Notes

This is a portfolio milestone release, not a product launch.
The repository remains intentionally scoped to small, reviewable prototypes.

Download reviewer artifact pack: telemetry-lab-reviewer-pack-v0.4.0.zip from the release assets.

v0.3.0 — Precise Cooldown Scoping, Richer Scenario Pack, and Run Summaries

25 Mar 05:20
c244023

Highlights

This release focuses on making the telemetry demo easier to explain, more realistic to inspect, and more reusable after each run.

Added

  • a richer sample scenario pack with a compact but more expressive event story
  • machine-readable summary.json outputs for both the default sample path and the richer sample path
  • additional end-to-end coverage to keep the richer sample and summary outputs reproducible

Changed

  • cooldown keying is now more precise: repeated alerts are scoped by (rule_name, scope) instead of only global rule_name
  • cooldown scope now prefers the first available entity-like field in this order:
    • entity
    • source
    • target
    • host
  • when no entity-like fields are present, cooldown behavior falls back to the original global per-rule behavior
  • README examples now document the richer sample path and the run-summary artifact

Richer sample scenario pack

The bundled richer scenario path now demonstrates a more explainable detection story with four compact phases:

  • normal background activity
  • a login-failure burst
  • a high-risk configuration change followed by policy_denied
  • a repeated rare malware_alert sequence

This richer sample uses its own config entrypoint:

python -m telemetry_window_demo.cli run --config configs/richer_sample.yaml

Run summaries

Each run now writes a compact summary.json artifact alongside the existing CSV and PNG outputs.

Current summary fields:

  • input_path
  • output_dir
  • normalized_event_count
  • window_count
  • feature_row_count
  • alert_count
  • triggered_rule_names
  • triggered_rule_counts
  • cooldown_seconds
  • generated_artifacts

Both sample paths produce this artifact:

  • configs/default.yaml -> data/processed/summary.json
  • configs/richer_sample.yaml -> data/processed/richer_sample/summary.json

Scope

This is still a local, file-based telemetry analytics prototype.

It is not a production monitoring system and does not include:

  • real-time ingestion
  • streaming state management
  • alert routing / on-call integration
  • SIEM / SOC platform integration
  • deployment, storage, or multi-tenant infrastructure

Included work

  • #13: refine alert cooldown scope
  • #14: add richer sample scenario pack
  • #15: add machine-readable run summaries

Notes

Compared with v0.2.0, this release is less about repository governance and more about demo quality and output usability.

The repository now provides:

  • more precise cooldown semantics
  • a better bundled scenario narrative
  • compact machine-readable run summaries for downstream inspection

This release is a usability and expressiveness milestone for the demo, while keeping the project intentionally small and local-first.

v0.2.0 — Validation, Edge Cases, Cooldown, and Minimal CI

24 Mar 04:08
7fa2b9a

Highlights

This release turns the initial telemetry MVP into a more stable and reviewable repository iteration.

Added

  • edge-case test coverage for timestamp parsing, window boundaries, empty input, duplicate timestamps, threshold equality, and related normalization behavior
  • stronger ingestion validation for both JSONL and CSV inputs
  • a simple per-rule alert cooldown mechanism to reduce noisy repeated alerts
  • minimal GitHub Actions CI for pytest on push and pull_request
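An added illustration of the ingestion contract described in this release (missing required columns and missing/blank required values rejected separately, malformed JSONL and CSV raising ValueError with a line number); this is example code, not the project's loader, and the required field names and the sample inputs are assumed.

```python
import csv
import io
import json

REQUIRED_FIELDS = ("timestamp", "event_type", "entity")  # assumed names; the notes list no columns

def _check_required(row, line_no, fmt):
    missing = [f for f in REQUIRED_FIELDS if f not in row]  # missing key/column
    if missing:
        raise ValueError(f"{fmt} line {line_no}: missing required field(s) {missing}")
    blank = [f for f in REQUIRED_FIELDS if row[f] is None or str(row[f]).strip() == ""]
    if blank:  # present but missing/blank value is a distinct rejection
        raise ValueError(f"{fmt} line {line_no}: blank required value(s) {blank}")
    return row

def load_jsonl(text):
    events = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        try:
            row = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"JSONL line {line_no}: malformed JSON ({exc.msg})") from None
        if not isinstance(row, dict):
            raise ValueError(f"JSONL line {line_no}: expected an object, got {type(row).__name__}")
        events.append(_check_required(row, line_no, "JSONL"))
    return events

def load_csv(text):
    reader = csv.DictReader(io.StringIO(text))
    missing_cols = [f for f in REQUIRED_FIELDS if f not in (reader.fieldnames or [])]
    if missing_cols:  # header check fails before any row is read (empty input fails here too)
        raise ValueError(f"CSV header: missing required column(s) {missing_cols}")
    events = []
    for line_no, row in enumerate(reader, start=2):  # assumes no multi-line quoted cells
        if None in row:  # DictReader files surplus cells under key None: malformed row
            raise ValueError(f"CSV line {line_no}: more cells than header columns")
        events.append(_check_required(row, line_no, "CSV"))  # short rows give None -> blank
    return events

def rejection_reason(loader, text):
    """Return the ValueError message `loader` raises for `text`, or None if it loads cleanly."""
    try:
        loader(text)
    except ValueError as exc:
        return str(exc)
    return None

SAMPLE_JSONL = (  # constructed sample input, not the project's data
    '{"timestamp": "2026-03-24T04:00:00Z", "event_type": "login_failure", "entity": "host-1"}\n'
    '{"timestamp": "2026-03-24T04:00:05Z", "event_type": "login_failure", "entity": "host-1"}\n')
SAMPLE_CSV = "timestamp,event_type,entity\n2026-03-24T04:00:00Z,policy_denied,host-2\n"
```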

Changed

  • required-field validation now rejects both missing required columns and missing/blank required values
  • malformed JSONL and malformed CSV inputs now raise clearer ValueError messages
  • default alert behavior now suppresses repeated alerts from the same rule_name within a configurable cooldown window
  • sample alert output was reduced substantially under the default configuration, making the demo output easier to inspect and explain
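One added example covering both the per-rule cooldown introduced here and the (rule_name, scope) keying with entity/source/target/host precedence described in the v0.3.0 notes above: when no entity-like field is present the scope is None, which reproduces the global per-rule behaviour of this release. This is illustrative code, not the project's implementation; the rule names, the sample hits, and the choice to measure the window from the last retained alert with the boundary hit firing again are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Precedence of entity-like fields for the cooldown scope, as listed in the v0.3.0 notes.
SCOPE_FIELDS = ("entity", "source", "target", "host")

def cooldown_scope(event):
    """First available entity-like field, or None for the v0.2.0-style global per-rule scope."""
    for field in SCOPE_FIELDS:
        value = event.get(field)
        if value not in (None, ""):
            return str(value)
    return None

def apply_cooldown(hits, cooldown_seconds):
    """Split time-ordered (ts, rule_name, event) hits into retained alerts and suppressed hits.

    A hit is suppressed when the same (rule_name, scope) key fired less than cooldown_seconds
    earlier. The window is measured from the last retained alert, so suppressed hits do not
    extend it, and a hit exactly cooldown_seconds later fires again (both are assumptions).
    """
    window = timedelta(seconds=cooldown_seconds)
    last_fired = {}
    retained, suppressed = [], []
    for ts, rule_name, event in hits:
        key = (rule_name, cooldown_scope(event))
        previous = last_fired.get(key)
        if previous is not None and ts - previous < window:
            suppressed.append({"rule_name": rule_name, "scope": key[1], "timestamp": ts.isoformat(),
                               "reason": f"within {cooldown_seconds}s of alert at {previous.isoformat()}"})
            continue
        last_fired[key] = ts
        retained.append((ts, rule_name, event))
    return retained, suppressed

# Constructed hits (not the project's sample data); rule names loosely follow the richer scenario pack.
T0 = datetime(2026, 3, 25, 5, 0, tzinfo=timezone.utc)
SAMPLE_HITS = [
    (T0, "login_failure_burst", {"entity": "host-1"}),                          # retained
    (T0 + timedelta(seconds=30), "login_failure_burst", {"host": "host-1"}),    # same scope via host: suppressed
    (T0 + timedelta(seconds=40), "login_failure_burst", {"source": "host-2"}),  # different scope: retained
    (T0 + timedelta(seconds=50), "malware_alert", {}),                          # no entity field: global scope
    (T0 + timedelta(seconds=55), "malware_alert", {}),                          # suppressed under global scope
    (T0 + timedelta(seconds=60), "login_failure_burst", {"entity": "host-1"}),  # exactly 60s later: retained
]

if __name__ == "__main__":
    kept, dropped = apply_cooldown(SAMPLE_HITS, cooldown_seconds=60)
    print(len(kept), "retained,", len(dropped), "suppressed")
```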

Repository hardening

  • expanded test coverage around the most failure-prone parts of the prototype
  • aligned README behavior notes with actual loader/runtime behavior
  • added a small CI workflow so regressions are caught in pull requests instead of only in local runs

Scope

This is still a local, file-based prototype for telemetry analytics and rule-based alerting.

It is not a production monitoring system and does not include:

  • real-time ingestion
  • streaming state management
  • alert routing / on-call integration
  • SIEM / SOC platform integration
  • deployment or storage infrastructure

Included work

  • #5: edge-case coverage for windowing and rules
  • #7: minimal GitHub Actions CI
  • #8: stronger event ingestion validation
  • #9: cooldown-based alert deduplication

Notes

The project now has:

  • clearer ingestion contracts
  • stronger regression protection
  • lower default alert noise
  • basic repository-level CI

This release is a stability and governance milestone rather than a major feature expansion.