
feat(demo): add synthetic CloudTrail IAM investigation#58

Merged
stacknil merged 1 commit into main from stacknil/cloud-iam-change-demo on Jun 14, 2026

Conversation

@stacknil

Owner

Summary

  • add a synthetic CloudTrail-like IAM change investigation demo with one JSONL input, deterministic rules, ATT&CK mapping context, and committed artifacts
  • wire the run-cloud-iam-change-demo CLI entrypoint and reviewer-facing docs matrix
  • add regression tests for schema validation, bounded rule correlation, artifact determinism, CLI wiring, and privacy guardrails

Validation

  • python -m telemetry_window_demo.cli run-cloud-iam-change-demo
  • pytest tests/test_cloud_iam_change_investigation_demo.py tests/test_cli_errors.py tests/test_cli_subprocess.py tests/test_reviewer_docs.py tests/test_markdown_links.py
  • pytest
  • git diff --check

Boundaries

  • synthetic CloudTrail-like events only
  • no live AWS account or real account ID
  • no production detection claim or final incident verdict
  • no SIEM/dashboard/alert routing/case-management/realtime ingestion/autonomous response surface

@stacknil stacknil force-pushed the stacknil/cloud-iam-change-demo branch from 12ef032 to 76133bf Compare June 14, 2026 12:37
@stacknil stacknil merged commit 26c09b4 into main Jun 14, 2026
2 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 12ef032a13


["CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy"],
)
)
disable_events = {"StopLogging", "DeleteTrail", "UpdateTrail"}


P2: Don't treat every UpdateTrail as logging disabled

When a synthetic sample contains a successful CloudTrail UpdateTrail near an IAM change, this rule emits cloudtrail_logging_disabled_near_iam_change even though UpdateTrail is a general trail update and does not by itself stop or delete logging; that produces a critical disabled-logging signal for benign trail edits. Limit this set to actions that actually disable/remove logging, or inspect the UpdateTrail parameters before classifying it this way.

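The review point above is a common detection-rule mistake: grouping a general-purpose API call with calls that actually remove visibility. The following is an added example, written for this page and not code from the PR or the telemetry_window_demo project, showing one way to classify trail-control events before correlating them with IAM changes. It relies on the real CloudTrail record fields eventName, eventTime, eventSource, requestParameters and errorCode and on the real UpdateTrail request parameters isMultiRegionTrail, includeGlobalServiceEvents and enableLogFileValidation; the choice to treat a "false" value of those three as "degraded" logging, the 15-minute correlation window, the finding shape, and the JSONL sample events are all assumptions constructed for the example.

```python
# Added example (not code from the PR or the telemetry_window_demo project):
# classify CloudTrail trail-control events, then correlate only the ones that
# really reduce logging with nearby IAM changes.
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Calls that stop or remove a trail outright.
DISABLE_EVENTS = frozenset({"StopLogging", "DeleteTrail"})

# Real UpdateTrail request parameters; treating a "false" value for any of them
# as degrading the trail's coverage or integrity is an assumption of this example.
DEGRADING_UPDATE_FLAGS = (
    "isMultiRegionTrail",
    "includeGlobalServiceEvents",
    "enableLogFileValidation",
)

# IAM changes the PR description names as the anchor events of the demo.
IAM_CHANGE_EVENTS = frozenset({"CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy"})


def parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_trail_event(event: dict) -> str | None:
    """Return 'disabled', 'degraded' or None for one CloudTrail record.

    A call that failed (errorCode present) never counts: the trail did not change.
    UpdateTrail is flagged only when a parameter actually narrows what is logged,
    so a bucket rename or KMS key change is not a disabled-logging signal.
    """
    if event.get("eventSource") != "cloudtrail.amazonaws.com" or event.get("errorCode"):
        return None
    name = event.get("eventName")
    if name in DISABLE_EVENTS:
        return "disabled"
    if name == "UpdateTrail":
        params = event.get("requestParameters") or {}
        if any(params.get(flag) is False for flag in DEGRADING_UPDATE_FLAGS):
            return "degraded"
    return None


def correlate_trail_changes_near_iam(
    events: list[dict], window: timedelta = timedelta(minutes=15)
) -> list[dict]:
    """Emit one finding per disabling/degrading trail event with an IAM change inside +/- window."""
    iam_changes = [
        e for e in events if e.get("eventName") in IAM_CHANGE_EVENTS and not e.get("errorCode")
    ]
    findings = []
    for ev in events:
        impact = classify_trail_event(ev)
        if impact is None:
            continue
        t = parse_time(ev["eventTime"])
        nearby = [c for c in iam_changes if abs(parse_time(c["eventTime"]) - t) <= window]
        if nearby:
            findings.append({
                "rule": f"cloudtrail_logging_{impact}_near_iam_change",
                "trail_event": ev["eventName"],
                "iam_events": sorted({c["eventName"] for c in nearby}),
            })
    return findings


# Constructed synthetic JSONL; no real account, trail or timestamps.
SAMPLE_JSONL = """\
{"eventTime": "2026-06-14T12:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"}
{"eventTime": "2026-06-14T12:03:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "requestParameters": {"name": "demo-trail", "s3BucketName": "demo-trail-logs-renamed"}}
{"eventTime": "2026-06-14T12:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "requestParameters": {"name": "demo-trail", "isMultiRegionTrail": false}}
{"eventTime": "2026-06-14T12:06:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "requestParameters": {"name": "demo-trail"}}
{"eventTime": "2026-06-14T12:07:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail", "requestParameters": {"name": "demo-trail"}, "errorCode": "AccessDenied"}
{"eventTime": "2026-06-14T14:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "requestParameters": {"name": "other-trail"}}
"""


def load_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_demo() -> list[dict]:
    """Run the correlation over the constructed sample; two findings are expected:
    the degrading UpdateTrail and the successful StopLogging near CreateAccessKey."""
    return correlate_trail_changes_near_iam(load_jsonl(SAMPLE_JSONL))


if __name__ == "__main__":
    for finding in run_demo():
        print(json.dumps(finding))
```

Of the six constructed records, the benign UpdateTrail (a bucket rename), the denied DeleteTrail and the StopLogging two hours later all produce nothing; only the UpdateTrail that turns off multi-region coverage and the successful StopLogging within the window are reported, and with distinct severities.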
