
Improve alert triage timeline fidelity gates#2080

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/alert-triage-timeline-fidelity

Conversation

@shensz2017


Bounty type

Skill Improvement ($50-150 potential bounty)

Requested bounty tier: Moderate ($100)

Related review issue: #2079

Summary

This improves alert-triage by adding timeline fidelity evidence gates for temporal correlation, ingestion latency, timezone normalization, clock skew, deduplication, and raw event reproducibility.

The current playbook tells analysts to correlate within a +/- 30 minute window. This change prevents delayed or mis-normalized telemetry from being treated as negative evidence.

Changes

  • Bump alert-triage skill version to 1.0.1.
  • Add timeline fidelity to required triage context.
  • Add a timeline fidelity section to the Correlate phase.
  • Require event time and ingestion time, UTC normalization, clock-skew checks, latency-aware window expansion, stable dedup keys, raw event IDs, and explicit timeline-gap documentation.
  • Add a Timeline Fidelity table to the output template.
  • Add a common pitfall for treating timeline gaps as negative evidence.
  • Add vulnerable and benign fixtures for delayed telemetry vs. verified timeline fidelity.

Tests

Added scenario fixtures:

  • tests/vulnerable/alert-triage-correlation-window-misses-delayed-events.yaml
  • tests/benign/alert-triage-timeline-fidelity-verified.yaml

Local validation performed:

  • git diff --check
  • verified required YAML keys in both new fixtures
  • marker checks for timeline fidelity, timeline gaps, output table, pitfall, and changelog

Payment preference

GitHub Sponsors, if accepted.
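The gates listed under Changes, as an added example that is not part of this PR or of the alert-triage skill itself: UTC normalization, clock-skew flagging, latency-aware expansion of the +/- 30 minute window, stable dedup keys, retained raw event IDs and explicitly reported timeline gaps, run over a constructed fixture. `Event`, `to_utc`, `dedup_key`, `correlate`, `BASE_WINDOW` and the 5-minute `MAX_SKEW` tolerance are assumptions, not names from the skill.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

BASE_WINDOW = timedelta(minutes=30)  # the playbook's +/- 30 minute correlation window
MAX_SKEW = timedelta(minutes=5)      # assumed tolerance before an event is flagged as clock-skewed

@dataclass(frozen=True)
class Event:
    raw_id: str       # raw event ID, kept so the timeline can be reproduced
    source: str
    event_time: str   # sensor timestamp, ISO 8601 with an explicit UTC offset
    ingest_time: str  # SIEM receipt timestamp, ISO 8601
    detail: str

def to_utc(ts: str) -> datetime:
    """Normalize to UTC; naive timestamps are refused rather than guessed."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset: {ts}")
    return dt.astimezone(timezone.utc)
def dedup_key(ev: Event) -> str:
    """Stable key: same source, detail and second-resolution UTC time collapse to one."""
    stamp = to_utc(ev.event_time).replace(microsecond=0).isoformat()
    return hashlib.sha256(f"{ev.source}|{stamp}|{ev.detail}".encode()).hexdigest()[:16]
def correlate(alert_time: str, events: list, expected_sources: set) -> dict:
    centre, latency, skewed = to_utc(alert_time), {}, []
    for ev in events:
        delay = to_utc(ev.ingest_time) - to_utc(ev.event_time)
        if delay < -MAX_SKEW:  # event claims to be newer than its own receipt time
            skewed.append(ev.raw_id)
        latency[ev.source] = max(latency.get(ev.source, timedelta(0)), delay)
    # latency-aware expansion: a slow source widens the window instead of dropping out of it
    window = BASE_WINDOW + max(latency.values(), default=timedelta(0))
    seen, matched, covered = set(), [], set()
    for ev in events:
        key = dedup_key(ev)
        if abs(to_utc(ev.event_time) - centre) <= window and key not in seen:
            seen.add(key); matched.append(ev.raw_id); covered.add(ev.source)
    # a source with nothing inside the window is a documented gap, not negative evidence
    return {"window_minutes": window.total_seconds() / 60, "matched": matched,
            "clock_skew": skewed, "timeline_gaps": sorted(expected_sources - covered)}

# constructed fixture: local-time EDR log plus its forwarder duplicate, a firewall event
# ingested 40 minutes late, and a DNS sensor whose clock runs 10 minutes ahead
SAMPLE = [
    Event("edr-1", "edr", "2024-03-01T10:05:00-05:00", "2024-03-01T15:05:30+00:00", "powershell.exe"),
    Event("edr-1b", "edr", "2024-03-01T15:05:00+00:00", "2024-03-01T15:05:31+00:00", "powershell.exe"),
    Event("fw-7", "fw", "2024-03-01T15:40:00+00:00", "2024-03-01T16:20:00+00:00", "deny tcp/445"),
    Event("dns-3", "dns", "2024-03-01T16:30:00+00:00", "2024-03-01T16:20:00+00:00", "query"),
]
```

With an alert at 15:00Z the firewall's 40-minute latency widens the window to 70 minutes so `fw-7` is retained, the two EDR copies collapse to one key, `dns-3` is flagged as skewed, and `dns` is reported as a timeline gap rather than as absence of activity.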
