Releases: VaultGuardian/observer
REC coverage status: API + CLI
Surface the REC coverage model (active captures, skipped/excluded containers, REC_MAX_NAMESPACES blind spots, host-fallback state) over a new read-only GET /api/rec/coverage endpoint and a 'vaultguardian rec status' CLI command. Pure observability; no capture/verdict changes.
Add REC coverage-status model
Internal observability: REC now exposes a structured snapshot of what it's covering right now — active captures, skipped/excluded containers, cap blind spots, and host-fallback state. Pure data layer, no behavior change; foundation for the upcoming coverage dashboard and CLI.
Fix coordinator dropping late evidence verdicts
REC evidence reclassifications that ran past the coordinator's finalize window had their verdict silently dropped, stranding events as SUSPICIOUS/evidence_unavailable. The timeout now defers to an in-flight evidence check (bounded) so the check owns the final dispatch. Also makes evidence_unavailable non-terminal at the store layer so a trusted resolution can heal it (backstop, no caller wired yet).
Stream Docker events without a client timeout
REC's Docker /events listener no longer dies every ~10s from an HTTP client timeout. The long-lived stream now uses a client with no whole-request deadline, validates the response status before decoding, and resets the reconnect backoff once a stream has stayed healthy. Coverage was already held by the rescan backstop; this restores the real-time event path.
Runtime REC namespace reconciliation
REC now tracks live Docker state continuously: a Docker /events listener plus a periodic rescan (REC_RESCAN_INTERVAL, default 60s) reconcile the monitored namespace set, so coverage self-heals on container restart, redeploy, and removal without an Observer restart. Host fallback runs only when no namespace is monitored. Legacy REC_NS_CONTAINER mode is unchanged.
Multi-namespace REC capture
REC auto-detect now opens a capture socket inside each discovered public-facing container's namespace instead of a single host capture. New REC_MAX_NAMESPACES (default 16) caps the count; REC_EXCLUDE_CONTAINERS opts containers out. Legacy REC_NS_CONTAINER mode is unchanged.
Parse morgan logs, cut REC emit latency, VIP for suspicious
Express/morgan access logs now parse for HTTP identity so REC correlates captured responses instead of parking them at SUSPICIOUS. Reduced REC reassembly emit latency (idle 250ms, ticker 200ms). Extended VIP pinning to suspicious cache hits.
Tier-1 classify stampede fix
Coalesces concurrent identical classifications into a single LLM call, so a burst of identical events no longer triggers a fresh classification for each one.
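The coalescing behaviour described in this note, written out as an added illustration (this is not the observer's own code): one "leader" performs the backend call for a given classification key while concurrent requests for the same key wait on its result, and a completed result is served from cache afterwards. The `CoalescingClassifier` class, the `slow_backend` stand-in for the LLM call, and the event keys are all constructed for the example.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class CoalescingClassifier:
    """Single-flight wrapper around an expensive classifier call.

    Hypothetical implementation for illustration: the first caller for a key
    becomes the leader and runs the backend; later callers for the same key
    wait for that result instead of starting their own call.
    """

    def __init__(self, backend):
        self._backend = backend          # callable(key) -> verdict (the "LLM call")
        self._lock = threading.Lock()
        self._inflight = {}              # key -> {"done": Event, "result": ..., "error": ...}
        self._cache = {}                 # key -> verdict, populated on success
        self.backend_calls = 0           # how many real backend calls happened

    def classify(self, key):
        with self._lock:
            if key in self._cache:
                return self._cache[key]
            flight = self._inflight.get(key)
            leader = flight is None
            if leader:
                flight = {"done": threading.Event(), "result": None, "error": None}
                self._inflight[key] = flight
            # Count under the lock so concurrent leaders for different keys don't race.
            if leader:
                self.backend_calls += 1

        if not leader:
            # Follower: wait for the leader's dispatch and reuse its outcome.
            flight["done"].wait()
            if flight["error"] is not None:
                raise flight["error"]
            return flight["result"]

        try:
            result = self._backend(key)
            flight["result"] = result
            with self._lock:
                self._cache[key] = result
            return result
        except Exception as exc:
            # Leader failed: followers see the error, nothing is cached, so a
            # later call for this key will retry the backend.
            flight["error"] = exc
            raise
        finally:
            with self._lock:
                del self._inflight[key]
            flight["done"].set()


def simulate_burst(n_events=20, distinct_keys=2):
    """Fire n_events concurrent classifications over distinct_keys keys and
    report how many backend calls were actually made, plus the verdicts."""

    def slow_backend(key):
        time.sleep(0.05)                 # stands in for LLM latency
        return f"verdict-for-{key}"

    clf = CoalescingClassifier(slow_backend)
    # Constructed burst: identical events repeat in lock-step, e.g. a scanner
    # hitting the same path many times within the backend's latency window.
    keys = [f"event-{i % distinct_keys}" for i in range(n_events)]
    with ThreadPoolExecutor(max_workers=n_events) as pool:
        verdicts = list(pool.map(clf.classify, keys))
    return clf.backend_calls, verdicts


if __name__ == "__main__":
    calls, verdicts = simulate_burst()
    print(f"{len(verdicts)} events classified with {calls} backend call(s)")
```

Whether a follower arrives while the leader's call is still in flight or only after it completes, the outcome is the same: it never triggers a second backend call for that key. Failures are deliberately not cached, so a transient backend error does not poison later classifications.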
nginx error-log timestamp normalization fix
Bare nginx error-log timestamps (2026/05/25 16:45:24) weren't normalized on the generic log path, so every error line in a scanner burst got a unique cache key and triggered a fresh LLM classification. Stabilizes the prefix so they collapse to one call plus cache hits.
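To make the failure mode in this note concrete, here is an added example (not the observer's own code) that normalizes the bare nginx error-log timestamp before deriving a cache key, then runs a constructed three-line scanner burst through a counting stand-in for the classifier. The `<ts>` placeholder token, the sha256 key scheme, and the `CountingClassifier` class are assumptions made for the illustration; the log lines are constructed.

```python
import hashlib
import re

# Bare nginx error-log prefix: "YYYY/MM/DD HH:MM:SS " followed by the bracketed
# level. The pattern is written from the timestamp shape quoted in the note.
_NGINX_ERROR_TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (?=\[)")


def normalize_nginx_error_line(line: str) -> str:
    """Replace the leading bare timestamp with a fixed token (assumed "<ts>")
    so otherwise identical error lines share the same prefix."""
    return _NGINX_ERROR_TS.sub("<ts> ", line, count=1)


def cache_key(line: str) -> str:
    """Classification cache key over the normalized line (assumed scheme:
    sha256 hex of the normalized text)."""
    return hashlib.sha256(normalize_nginx_error_line(line).encode()).hexdigest()


class CountingClassifier:
    """Stand-in for the tier-1 LLM classifier: a real call is counted, and a
    cache hit on the normalized key is served without one."""

    def __init__(self):
        self.calls = 0
        self._cache = {}

    def classify(self, line: str):
        key = cache_key(line)
        if key in self._cache:
            return self._cache[key], True      # (verdict, cache_hit)
        self.calls += 1
        verdict = "scanner_probe"              # constructed verdict
        self._cache[key] = verdict
        return verdict, False


# Constructed scanner burst: the same error body at three different seconds.
# Only the timestamp varies, which is the case the note describes.
BURST = [
    '2026/05/25 16:45:24 [error] 12#12: open() "/usr/share/nginx/html/.env" failed '
    '(2: No such file or directory), client: 203.0.113.9, request: "GET /.env HTTP/1.1"',
    '2026/05/25 16:45:25 [error] 12#12: open() "/usr/share/nginx/html/.env" failed '
    '(2: No such file or directory), client: 203.0.113.9, request: "GET /.env HTTP/1.1"',
    '2026/05/25 16:45:27 [error] 12#12: open() "/usr/share/nginx/html/.env" failed '
    '(2: No such file or directory), client: 203.0.113.9, request: "GET /.env HTTP/1.1"',
]


def classify_burst(lines):
    """Return (real_classifier_calls, cache_hits) for a list of log lines."""
    clf = CountingClassifier()
    hits = 0
    for line in lines:
        _, hit = clf.classify(line)
        hits += int(hit)
    return clf.calls, hits


if __name__ == "__main__":
    calls, hits = classify_burst(BURST)
    print(f"{len(BURST)} lines -> {calls} classification call(s), {hits} cache hit(s)")
```

Without the normalization step, `cache_key` would hash three distinct strings and the counter would read three calls and zero hits; with it, the burst collapses to one call plus cache hits, which is exactly the behaviour the fix restores. Lines that do not start with a bare timestamp pass through `normalize_nginx_error_line` unchanged, so the function is safe to apply on the generic log path.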
VIP cross-consumption fix
Ownership-safe VIP evidence lookup prevents earlier investigations from consuming evidence promoted for later events on the same path.