## Summary - extend sanitized fixture coverage for common Linux auth families beyond current sample patterns - parse `Accepted publickey` success events and selected `pam_faillock` / `pam_sss` failure variants - keep unsupported lines visible through telemetry rather than silently absorbing them ## Scope - add sanitized syslog and `journalctl_short_full` fixtures - add parser tests for recognized vs telemetry-only behavior - do not change detector thresholds in this issue - do not add cross-host correlation, enrichment, or SIEM-like logic ## Acceptance Criteria - `Accepted publickey` is parsed as a supported auth event - selected `pam_faillock` and `pam_sss` variants are either parsed explicitly or bucketed deterministically in telemetry - parser coverage metrics remain deterministic - existing golden report contract tests continue to pass
