docs: sync README and changelog for current v0.3 status

stacknil · stacknil · commit 8fc08bea2c64 · 2026-03-24T03:17:50.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,8 +7,8 @@ All notable user-visible changes should be recorded here.
 ### Added
 
 - Added sanitized golden `report.md` / `report.json` regression fixtures to lock report contracts.
-- Added conservative parser coverage for `Accepted publickey` plus selected `pam_faillock` / `pam_sss` variants.
-- Added compact host-level summaries to Markdown and JSON reports for multi-host inputs.
+- Expanded parser coverage for `Accepted publickey` and selected `pam_faillock` / `pam_sss` variants.
+- Added compact host-level summaries for multi-host reports.
 
 ### Changed
 
diff --git a/README.md b/README.md
@@ -58,7 +58,7 @@ LogLens currently detects:
 - One IP trying multiple usernames within 15 minutes
 - Bursty sudo activity from the same user within 5 minutes
 
-LogLens currently parses and reports these additional auth patterns:
+LogLens currently parses and reports these additional auth patterns beyond the core detector inputs:
 
 - `Accepted publickey` SSH successes
 - `Failed publickey` SSH failures, which count toward SSH brute-force detection by default
@@ -200,15 +200,14 @@ Tue 2026-03-10 08:31:18 UTC example-host sshd[2245]: Connection closed by authen
 
 - `syslog_legacy` requires an explicit year; LogLens does not guess one implicitly.
 - `journalctl_short_full` currently supports `UTC`, `GMT`, `Z`, and numeric timezone offsets, not arbitrary timezone abbreviations.
-- Parser coverage is intentionally narrow and focused on common `sshd`, `sudo`, `pam_unix`, and selected `pam_faillock` / `pam_sss` variants.
+- Parser coverage is still selective: it covers common `sshd`, `sudo`, `pam_unix`, and selected `pam_faillock` / `pam_sss` variants rather than broad Linux auth-family support.
 - Unsupported lines are surfaced as parser telemetry and warnings, not as detector findings.
 - `pam_unix` auth failures remain lower-confidence by default unless signal mappings explicitly upgrade them.
 - Detector configuration uses a fixed `config.json` schema rather than partial overrides or alternate config formats.
 - Findings are rule-based triage aids, not incident verdicts or attribution.
 
 ## Future Roadmap
 
-- Additional auth patterns and PAM coverage
-- Better host-level summaries
-- Optional CSV export
-- Larger sanitized test corpus
+- Additional auth patterns and PAM coverage
+- Optional CSV export
+- Larger sanitized test corpus
