Skip to content

Releases: stacknil/telemetry-lab

v1.1 Operator Reproduction Release

Choose a tag to compare

@stacknil stacknil released this 04 Jul 10:39
ff18175

v1.1 Operator Reproduction Release Notes

Theme: operator reproduction and issue triage, no demo expansion.

Release status: published as tag v1.1.

Scope

v1.1 keeps the existing five-demo matrix unchanged:

  1. telemetry-window-demo
  2. ai-assisted-detection-demo
  3. rule-evaluation-and-dedup-demo
  4. config-change-investigation-demo
  5. cloud-iam-change-investigation-demo

This release is about helping an outside operator reproduce the frozen v1.0
reviewer contract from a clean local checkout. It does not add a sixth demo, a
live data source, a dashboard, alert routing, case management, autonomous
response, or final incident verdicts.

Operator Reproduction

The maintained operator path is docs/operator-reproduction.md:

  1. install the repo with the dev extra
  2. run all five demos locally
  3. regenerate committed artifacts with python scripts/regenerate_artifacts.py --check
  4. validate schemas with python -m pytest tests/test_evidence_pipeline_schemas.py
  5. run the full test suite with python -m pytest

For a labeled one-command wrapper, run:

python scripts/check_release_contract.py

Issue Triage

v1.1 adds focused issue templates for operator-facing contract questions:

  • schema drift reports
  • artifact regeneration failures
  • demo boundary questions
  • documentation reproduction questions

These templates keep reports scoped to local, synthetic reviewer artifacts and
ask reporters not to include credentials, real account IDs, production telemetry,
or private data.

Validation Snapshot

The final release candidate was verified from clean Windows and Linux clones:

Environment Python Artifact gate Schema tests Full tests
Windows 3.14.3 23 committed artifacts matched; 6 visual snapshots regenerated as smoke checks 3 passed 182 passed
Linux (Ubuntu) 3.12.3 23 committed artifacts matched; 6 visual snapshots regenerated as smoke checks 3 passed 182 passed

The normalized SHA-256 manifests for all 30 tracked artifact paths were
identical across the two clones. Text artifacts were normalized from CRLF to
LF before hashing; binary artifacts were hashed byte-for-byte.

Artifact Diff

no-artifact-change: v1.1 does not change committed reviewer-facing artifact
content, field meaning, schemas, or filenames. It adds operator reproduction,
release-gate, and issue-triage surfaces around the frozen v1.0 artifact
contract.

v1.2 Blocker

Package identity mismatch must be resolved before v1.2: the repository and
release identity is telemetry-lab / v1.1, while pyproject.toml still
declares telemetry-window-demo==0.1.0. Resolve the project name and version as
one coordinated metadata change before a v1.2 tag or any package publication.
No package registry publication is part of v1.1.

Boundaries

  • No demo expansion.
  • No live ingestion.
  • No production SIEM or dashboard.
  • No alert routing or case-management service.
  • No autonomous response.
  • No final incident verdict.

v1.0 Reviewer Contract Release

Choose a tag to compare

@stacknil stacknil released this 30 Jun 15:31
e5ece41

v1.0 Reviewer Contract Release Notes

This is a reviewer-contract release, not a production SIEM.

Release status: v1.0 reviewer-contract release. Publication is gated by
docs/v1-readiness-gate.md.

Release Scope

v1.0 freezes the current five-demo reviewer contract:

  1. telemetry-window-demo
  2. ai-assisted-detection-demo
  3. rule-evaluation-and-dedup-demo
  4. config-change-investigation-demo
  5. cloud-iam-change-investigation-demo

Demo expansion is closed. The release consolidates the current local,
file-based workflows instead of adding another demo or production platform
surface.

Reviewer Contract

The v1.0 release contract requires:

  • fixed synthetic inputs for the five demos
  • fixed reviewer-visible output paths
  • JSON Schema validation for reviewer-facing JSON and JSONL evidence artifacts
  • reproducible committed artifacts
  • a passing full test suite

See docs/v1-contract-freeze.md for the freeze scope
and docs/evidence-pipeline-contract.md for the
schema matrix.

Artifact Compatibility

Relative to v0.6.0:

  • the fourth-demo artifact paths and committed contents remain unchanged
  • the fifth demo adds four reviewer-visible artifact paths under its own demo
    directory
  • the overall artifact compatibility label is additive-compatible
  • the two demo-local investigation_summary.json files use separate schemas
    and intentionally different root shapes

See docs/v0.6-to-v1-artifact-diff.md for the
field-level and semantic diff. Future release diffs follow
docs/reviewer-artifact-diff.md.

Validation Snapshot

Validation snapshot from the final v1.0 release commit:

python scripts/regenerate_artifacts.py --check
python -m pytest tests/test_evidence_pipeline_schemas.py
python -m pytest
  • Artifact regeneration: passed; 23 committed artifacts matched and 6
    visual snapshots completed smoke checks.
  • Schema validation: passed; 3 passed.
  • Full test suite: passed; 177 passed.

If any required command fails, v1.0 is not ready.

Boundaries

  • Synthetic, local, file-based inputs only.
  • No live AWS account or production telemetry source.
  • No real account ID or credentials.
  • No production detection claim or operational alerting claim.
  • No real-time ingestion, dashboard, alert routing, or case-management service.
  • No autonomous response.
  • No final incident verdict.

This release does not claim production readiness.

v0.6.0 — fourth demo and config-change investigation

Choose a tag to compare

@stacknil stacknil released this 02 Apr 05:03
769b3d0

v0.6.0 — fourth demo and config-change investigation

This is a small portfolio milestone release for telemetry-lab.

What changed

  • Added config-change-investigation-demo as a fourth local, file-based demo.
  • The new demo stays fully deterministic: risky config-change rules, bounded evidence correlation, committed artifacts, and a short investigation report.
  • The repository now reads as a four-demo portfolio repo instead of a three-demo repo with config-change investigation still treated as future work.

Included artifacts

The new demo commits reviewer-facing outputs such as:

  • change_events_normalized.json
  • investigation_hits.json
  • investigation_summary.json
  • investigation_report.md

Boundaries

  • No new AI stage
  • No autonomous response
  • No realtime ingestion or service deployment
  • Still scoped as a small review-oriented prototype, not a production system

Validation

  • python -m telemetry_window_demo.cli run-config-change-demo
  • python -m pytest
  • Full test suite: 51 passed

v0.5.0 — third demo and three-demo structure

Choose a tag to compare

@stacknil stacknil released this 01 Apr 06:33
96fba76

v0.5.0 — third demo and three-demo structure

This is a small portfolio milestone release for elemetry-lab.

What changed

  • Added
    ule-evaluation-and-dedup-demo as a third local, file-based demo focused on cooldown semantics and repeated-hit suppression.
  • Added committed before/after dedup artifacts so reviewers can inspect raw rule hits, retained alerts, suppression reasons, and the short dedup report without running the code.
  • The repository now reads clearly as a three-demo structure: elemetry-window-demo, �i-assisted-detection-demo, and
    ule-evaluation-and-dedup-demo.

Notes

This is a portfolio milestone release, not a product launch. The repository remains intentionally small, local, and review-oriented.

v0.4.0 — second demo and portfolio integration

Choose a tag to compare

@stacknil stacknil released this 31 Mar 08:02
ed46372

v0.4.0 — second demo and portfolio integration

This is a small portfolio milestone release for telemetry-lab.

The repository now presents a two-demo structure:

Demo Role
telemetry-window-demo Windowed telemetry analysis with deterministic rules, CSV outputs, and timeline artifacts
ai-assisted-detection-demo Deterministic detection and case grouping with constrained LLM summarization and auditable rejection paths

What changed

Repo structure and front door

  • The landing page now presents telemetry-lab as a two-demo repository
  • The top-level README includes direct navigation to both demos
  • The public repo story is now easier to scan from the landing page

New second demo

  • Added ai-assisted-detection-demo
  • The demo centers on:
    • deterministic detection
    • deterministic case grouping
    • constrained LLM summarization
    • audit traces and visible rejection paths

Guardrails and boundaries

  • human_verification is required
  • No autonomous response actions
  • No final incident verdict
  • No LLM-driven detection or grouping decisions
  • Fail-closed validation remains in place for invalid or disallowed outputs

Reviewer-facing documentation

  • Added a walkthrough for:
    • accepted summary path
    • rejected summary path
    • degraded coverage path
  • Added an explicit lifecycle contract and audit schema version in the design documentation

Why this milestone matters

This release moves telemetry-lab from a single-demo prototype toward a clearer portfolio repository with:

  • one telemetry/windowing workflow
  • one case-centric, AI-assisted investigation workflow
  • explicit guardrails around model output and operator review

Validation

  • Full test suite: 43 passed

Notes

This is a portfolio milestone release, not a product launch.
The repository remains intentionally scoped to small, reviewable prototypes.

Download reviewer artifact pack: telemetry-lab-reviewer-pack-v0.4.0.zip from the release assets.

v0.3.0 — Precise Cooldown Scoping, Richer Scenario Pack, and Run Summaries

Choose a tag to compare

@stacknil stacknil released this 25 Mar 05:20
c244023

Highlights

This release focuses on making the telemetry demo easier to explain, more realistic to inspect, and more reusable after each run.

Added

  • a richer sample scenario pack with a compact but more expressive event story
  • machine-readable summary.json outputs for both the default sample path and the richer sample path
  • additional end-to-end coverage to keep the richer sample and summary outputs reproducible

Changed

  • cooldown keying is now more precise: repeated alerts are scoped by (rule_name, scope) instead of only global rule_name
  • cooldown scope now prefers the first available entity-like field in this order:
    • entity
    • source
    • target
    • host
  • when no entity-like fields are present, cooldown behavior falls back to the original global per-rule behavior
  • README examples now document the richer sample path and the run-summary artifact

Richer sample scenario pack

The bundled richer scenario path now demonstrates a more explainable detection story with four compact phases:

  • normal background activity
  • a login-failure burst
  • a high-risk configuration change followed by policy_denied
  • a repeated rare malware_alert sequence

This richer sample uses its own config entrypoint:

python -m telemetry_window_demo.cli run --config configs/richer_sample.yaml

Run summaries

Each run now writes a compact summary.json artifact alongside the existing CSV and PNG outputs.

Current summary fields:

  • input_path
  • output_dir
  • normalized_event_count
  • window_count
  • feature_row_count
  • alert_count
  • triggered_rule_names
  • triggered_rule_counts
  • cooldown_seconds
  • generated_artifacts

Both sample paths produce this artifact:

  • configs/default.yaml -> data/processed/summary.json
  • configs/richer_sample.yaml -> data/processed/richer_sample/summary.json

Scope

This is still a local, file-based telemetry analytics prototype.

It is not a production monitoring system and does not include:

  • real-time ingestion
  • streaming state management
  • alert routing / on-call integration
  • SIEM / SOC platform integration
  • deployment, storage, or multi-tenant infrastructure

Included work

  • #13: refine alert cooldown scope
  • #14: add richer sample scenario pack
  • #15: add machine-readable run summaries

Notes

Compared with v0.2.0, this release is less about repository governance and more about demo quality and output usability.

The repository now provides:

  • more precise cooldown semantics
  • a better bundled scenario narrative
  • compact machine-readable run summaries for downstream inspection

This release is a usability and expressiveness milestone for the demo, while keeping the project intentionally small and local-first.

v0.2.0 — Validation, Edge Cases, Cooldown, and Minimal CI

Choose a tag to compare

@stacknil stacknil released this 24 Mar 04:08
7fa2b9a

Highlights

This release turns the initial telemetry MVP into a more stable and reviewable repository iteration.

Added

  • edge-case test coverage for timestamp parsing, window boundaries, empty input, duplicate timestamps, threshold equality, and related normalization behavior
  • stronger ingestion validation for both JSONL and CSV inputs
  • a simple per-rule alert cooldown mechanism to reduce noisy repeated alerts
  • minimal GitHub Actions CI for pytest on push and pull_request

Changed

  • required-field validation now rejects both missing required columns and missing/blank required values
  • malformed JSONL and malformed CSV inputs now raise clearer ValueError messages
  • default alert behavior now suppresses repeated alerts from the same rule_name within a configurable cooldown window
  • sample alert output was reduced substantially under the default configuration, making the demo output easier to inspect and explain

Repository hardening

  • expanded test coverage around the most failure-prone parts of the prototype
  • aligned README behavior notes with actual loader/runtime behavior
  • added a small CI workflow so regressions are caught in pull requests instead of only in local runs

Scope

This is still a local, file-based prototype for telemetry analytics and rule-based alerting.

It is not a production monitoring system and does not include:

  • real-time ingestion
  • streaming state management
  • alert routing / on-call integration
  • SIEM / SOC platform integration
  • deployment or storage infrastructure

Included work

  • #5: edge-case coverage for windowing and rules
  • #7: minimal GitHub Actions CI
  • #8: stronger event ingestion validation
  • #9: cooldown-based alert deduplication

Notes

The project now has:

  • clearer ingestion contracts
  • stronger regression protection
  • lower default alert noise
  • basic repository-level CI

This release is a stability and governance milestone rather than a major feature expansion.