This is the top-level reviewer pack for telemetry-lab.
Use it as a short, no-guessing path through the repository. The project is a local, file-based detection workflow lab: it is not a SIEM, not a dashboard, and not a production monitoring platform.
Start with the stable demo matrix in docs/reviewer-path.md. It maps common review questions to the demo and artifacts that answer them:
| Review question | Demo | Primary evidence |
|---|---|---|
| How are raw events converted to alert features? | telemetry-window-demo |
data/processed/features.csv, data/processed/alerts.csv, data/processed/summary.json, data/processed/run_manifest.json |
| How is AI constrained? | ai-assisted-detection-demo |
demos/ai-assisted-detection-demo/artifacts/case_summaries.json, demos/ai-assisted-detection-demo/artifacts/audit_traces.jsonl, guardrails in demos/ai-assisted-detection-demo/README.md |
| How are duplicate alerts reduced? | rule-evaluation-and-dedup-demo |
demos/rule-evaluation-and-dedup-demo/artifacts/rule_hits_before_dedup.json, demos/rule-evaluation-and-dedup-demo/artifacts/rule_hits_after_dedup.json, demos/rule-evaluation-and-dedup-demo/artifacts/dedup_explanations.json |
| How are risky config changes investigated? | config-change-investigation-demo |
demos/config-change-investigation-demo/artifacts/investigation_hits.json, demos/config-change-investigation-demo/artifacts/investigation_report.md |
| How are IAM changes investigated from CloudTrail-like events? | cloud-iam-change-investigation-demo |
demos/cloud-iam-change-investigation-demo/artifacts/investigation_signals.json, demos/cloud-iam-change-investigation-demo/artifacts/investigation_report.md |
See docs/architecture.md for the repository-level workflow diagram.
The important shape is:
- committed sample inputs and configs
- deterministic local pipelines
- bounded AI drafting only where explicitly marked
- committed or regenerated artifacts
- reviewer inspection through docs, tests, and reports
The current artifact names are reviewer-facing contracts for the v1 reviewer contract stabilization phase.
- Keep the demo matrix stable unless a demo is intentionally retired.
- Prefer additive artifacts over renaming existing reviewer-visible outputs.
- Use
docs/v0.6-to-v1-artifact-diff.mdfor the concrete fourth-to-fifth-demo compatibility baseline. - If an artifact must be renamed, update the README, reviewer path, this reviewer pack, demo README, tests, and committed sample outputs in the same change.
- For each release, add the diff described in
docs/reviewer-artifact-diff.md, usingno-artifact-changewhen reviewer-facing artifacts are unchanged. - Do not introduce platform-style names that imply alert routing, case management, real-time ingestion, or autonomous response.
See docs/evidence-pipeline-contract.md for the v1 JSON schema contract covering reviewer-facing JSON and JSONL evidence artifacts across the five-demo matrix.
See docs/schema-compatibility-matrix.md for schema versions, artifact paths, and v1.1-to-v1.2 compatibility labels.
See docs/vocabulary.md for the cross-demo meaning of event, signal, hit, finding, case_bundle, summary, report, and audit_trace.
In this repo, bounded correlation means evidence is attached only within fixed time windows, fixed entity or scope keys, and fixed event families or rule-local family sets. It is not cross-host, cross-account, or cross-source global attribution.
The current schema contract covers:
schemas/rule_hits.schema.jsonschemas/case_bundles.schema.jsonschemas/case_summaries.schema.jsonschemas/ai_audit_traces.schema.jsonschemas/dedup_rule_hits.schema.jsonschemas/dedup_explanations.schema.jsonschemas/config_change_events.schema.jsonschemas/config_investigation_hits.schema.jsonschemas/investigation_summary.schema.jsonschemas/cloudtrail_normalized_events.schema.jsonschemas/cloud_iam_findings.schema.jsonschemas/cloud_iam_summary.schema.jsonschemas/telemetry_summary.schema.jsonschemas/run_manifest.schema.json
| Area | Stable artifact paths |
|---|---|
| Default telemetry sample | data/processed/features.csv, data/processed/alerts.csv, data/processed/summary.json, data/processed/run_manifest.json, data/processed/event_count_timeline.png, data/processed/error_rate_timeline.png, data/processed/alerts_timeline.png |
| Richer telemetry sample | data/processed/richer_sample/features.csv, data/processed/richer_sample/alerts.csv, data/processed/richer_sample/summary.json, data/processed/richer_sample/run_manifest.json, data/processed/richer_sample/event_count_timeline.png, data/processed/richer_sample/error_rate_timeline.png, data/processed/richer_sample/alerts_timeline.png |
| AI-assisted detection demo | demos/ai-assisted-detection-demo/artifacts/rule_hits.json, demos/ai-assisted-detection-demo/artifacts/case_bundles.json, demos/ai-assisted-detection-demo/artifacts/case_summaries.json, demos/ai-assisted-detection-demo/artifacts/case_report.md, demos/ai-assisted-detection-demo/artifacts/audit_traces.jsonl, demos/ai-assisted-detection-demo/artifacts/run_manifest.json |
| Rule dedup demo | demos/rule-evaluation-and-dedup-demo/artifacts/rule_hits_before_dedup.json, demos/rule-evaluation-and-dedup-demo/artifacts/rule_hits_after_dedup.json, demos/rule-evaluation-and-dedup-demo/artifacts/dedup_explanations.json, demos/rule-evaluation-and-dedup-demo/artifacts/dedup_report.md, demos/rule-evaluation-and-dedup-demo/artifacts/run_manifest.json |
| Config-change investigation demo | demos/config-change-investigation-demo/artifacts/change_events_normalized.json, demos/config-change-investigation-demo/artifacts/investigation_hits.json, demos/config-change-investigation-demo/artifacts/investigation_summary.json, demos/config-change-investigation-demo/artifacts/investigation_report.md, demos/config-change-investigation-demo/artifacts/run_manifest.json |
| Cloud IAM change investigation demo | demos/cloud-iam-change-investigation-demo/artifacts/normalized_cloudtrail_events.json, demos/cloud-iam-change-investigation-demo/artifacts/investigation_signals.json, demos/cloud-iam-change-investigation-demo/artifacts/investigation_summary.json, demos/cloud-iam-change-investigation-demo/artifacts/investigation_report.md, demos/cloud-iam-change-investigation-demo/artifacts/run_manifest.json |
Before treating the repo as v1-style consolidated:
- Use
docs/v1-contract-freeze.mdas the v1.0 five-demo contract freeze checklist. - Use
docs/v1-readiness-gate.mdas the v1.0 readiness gate for fixed inputs, fixed outputs, schema validation, artifact regeneration, and test pass. - Keep the five-demo matrix stable, or document any intentional retirement in the README, reviewer path, reviewer pack, roadmap, and tests.
- Keep reviewer-visible artifact names stable, or update the artifact naming contract and committed sample outputs in the same change.
- Keep
docs/reviewer-path.md, this reviewer pack,docs/architecture.md, and demo READMEs aligned with actual CLI behavior. - Keep README, package metadata, and repository metadata aligned with the local, file-based detection workflow lab framing.
- Run
python scripts/regenerate_artifacts.py --checkto verify committed evidence artifacts match fresh pipeline output. - Regenerate and inspect committed artifacts after behavior changes.
- For every release, include a reviewer-facing artifact diff with added fields, removed fields, semantic changes, and compatibility notes, or an explicit
no-artifact-changestatement. - Run
pytestand confirm reviewer-doc tests still cover the demo matrix, artifact contract, and architecture boundaries. - Do not add SIEM, dashboard, alert routing, case-management, real-time ingestion, autonomous response, or final-verdict claims.
From the repository root:
python -m pip install -e ".[dev]"
telemetry-lab run window --config configs/default.yaml
telemetry-lab run ai-assisted
telemetry-lab run dedup
telemetry-lab run config-change
telemetry-lab run cloud-iam
python scripts/regenerate_artifacts.py --check
pytestUse the same Python interpreter for install, tests, and demo commands.
docs/README.md: docs index for the current route, supporting docs, and historical release evidencedocs/reviewer-brief.md: short problem / value summarydocs/reviewer-path.md: demo choice by review questiondocs/v1-contract-freeze.md: v1.0 five-demo contract freeze, release status, and contract scopedocs/v1-readiness-gate.md: v1.0 readiness gate for fixed inputs, fixed outputs, schema validation, artifact regeneration, and test passdocs/release-v1.0.md: v1.0 reviewer-contract release notes and explicit non-SIEM boundarydocs/release-v1.2.md: v1.2 architecture cohesion release notesdocs/v0.6-to-v1-artifact-diff.md: fourth-to-fifth-demo artifact contract and compatibility diffdocs/evidence-pipeline-contract.md: JSON/JSONL schema contracts for five-demo evidence artifactsdocs/schema-compatibility-matrix.md: schema versions and compatibility notes for reviewer artifactsdocs/reviewer-artifact-diff.md: release diff contract for reviewer-facing artifact changesdocs/vocabulary.md: cross-demo evidence workflow vocabularydocs/architecture.md: local file-based workflow diagramdocs/sample-output.md: committed output counts and sample artifactsdocs/roadmap.md: v1 reviewer contract stabilization phasetests/test_reviewer_docs.py: regression checks for reviewer-facing docs
- No production monitoring claims
- No real-time ingestion or streaming state
- No dashboard, alert routing, or case-management service
- No autonomous response actions
- No final incident verdicts from the AI-assisted demo