
fix(cloud-iam): harden time and config contracts#60

Merged
stacknil merged 1 commit into main from stacknil/cloud-iam-time-contract-hardening on Jun 15, 2026

Conversation

@stacknil

Owner

Summary

  • normalize CloudTrail-like eventTime into event_time and preserve optional observedTime as observed_time
  • make cloud IAM demo config reject unknown top-level, rule, and ATT&CK mapping fields
  • regenerate cloud IAM artifacts and align event-time docs/README status

Validation

  • python -m telemetry_window_demo.cli run-cloud-iam-change-demo
  • python -m pytest tests/test_cloud_iam_change_investigation_demo.py tests/test_event_time_model_docs.py tests/test_reviewer_docs.py
  • python -m pytest
  • git diff --check

Privacy / safety

  • synthetic CloudTrail-like data remains placeholder-only
  • no live AWS account, real account ID, machine path, or secret added

@stacknil stacknil merged commit 45f6444 into main Jun 15, 2026
2 checks passed
@stacknil stacknil deleted the stacknil/cloud-iam-time-contract-hardening branch June 15, 2026 04:05

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5d0b82ae2b


```python
# Tail of the reviewed config-contract constants (the context GitHub shows for the inline comment below)
"rules",
)
)
CLOUD_IAM_ATTACK_MAPPING_FIELDS = frozenset(("id", "name", "tactic", "reference"))
```


P2: Reject mismatched ATT&CK mapping ids

With the new strict-field contract, raw attack_mappings may now contain an id, but validate_attack_mapping never checks that value—it always emits the YAML mapping key as the id. When a reviewer edits or copies a mapping and mistypes this now-whitelisted nested id, validation succeeds and silently discards the configured value, so the hardening no longer catches ATT&CK mapping identity mistakes in the config.

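The check the review asks for, as an added example that is not code from this project: a strict ATT&CK mapping validator that rejects unknown fields and, when a nested `id` is present, refuses a value that disagrees with the mapping key instead of silently replacing it. The field whitelist mirrors `CLOUD_IAM_ATTACK_MAPPING_FIELDS` from the snippet above; the function names, the required-field set and the sample config are assumptions.

```python
from dataclasses import dataclass

# Whitelist mirroring CLOUD_IAM_ATTACK_MAPPING_FIELDS; required set is an assumption.
ATTACK_MAPPING_FIELDS = frozenset(("id", "name", "tactic", "reference"))
REQUIRED_MAPPING_FIELDS = frozenset(("name", "tactic", "reference"))


@dataclass(frozen=True)
class AttackMapping:
    id: str
    name: str
    tactic: str
    reference: str


def mapping_errors(key: str, raw: object) -> list:
    """Return every contract violation for the mapping stored under config key `key`."""
    if not isinstance(raw, dict):
        return [f"{key}: mapping body must be a dict"]
    errors = [f"{key}: unknown field {f!r}" for f in sorted(set(raw) - ATTACK_MAPPING_FIELDS)]
    errors += [f"{key}: missing field {f!r}" for f in sorted(REQUIRED_MAPPING_FIELDS - set(raw))]
    # The review's point: a nested id is now whitelisted, so it must agree with the
    # mapping key rather than being overwritten by it and the mistake lost.
    if "id" in raw and raw["id"] != key:
        errors.append(f"{key}: nested id {raw['id']!r} does not match mapping key")
    return errors


def validate_attack_mappings(raw_mappings: dict) -> dict:
    """Validate all mappings and fail closed on any violation (all errors reported at once)."""
    errors = [e for key, body in raw_mappings.items() for e in mapping_errors(key, body)]
    if errors:
        raise ValueError("; ".join(errors))
    return {
        key: AttackMapping(id=key, name=b["name"], tactic=b["tactic"], reference=b["reference"])
        for key, b in raw_mappings.items()
    }


# Constructed sample config bodies (not from the project's demo data).
GOOD_MAPPING = {
    "id": "T1098",
    "name": "Account Manipulation",
    "tactic": "persistence",
    "reference": "https://attack.mitre.org/techniques/T1098/",
}
# Same mapping with the nested id mistyped; the hardened validator must reject it.
MISTYPED_MAPPING = {**GOOD_MAPPING, "id": "T1089"}
```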

