v0.3: make cooldown scoping more precise #12
Description
Summary
The current cooldown behavior is already effective at reducing repeated noise, but it suppresses alerts at the global rule_name level.
Problem
That coarse scope can flatten legitimately distinct alert bursts when the same rule is triggered by different entities, such as different source, target, or host values.
Goal
Investigate and implement a more precise cooldown scope, likely keyed by rule_name plus a relevant entity dimension, while keeping the rule-based design simple and explainable.
Scope
- evaluate whether cooldown should remain global per rule or become entity-aware
- keep the design local and rule-based
- preserve easy-to-explain demo behavior and README clarity
- add focused tests for same-rule alerts across different entities
Non-goals
- no incident correlation engine
- no streaming/stateful alert processor
- no alert routing or case management
Acceptance criteria
- cooldown behavior is more semantically precise than global per-rule suppression
- overlapping-window noise is still reduced
- tests show the intended distinction between same-entity and different-entity alerts
- README/config wording matches the implemented behavior