From c1714e81715f790ef598594d49f9d5f09d236600 Mon Sep 17 00:00:00 2001 From: stacknil Date: Thu, 28 May 2026 11:43:31 +0800 Subject: [PATCH] docs(parser): document telemetry buckets --- README.md | 5 +++++ docs/parser-contract.md | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/README.md b/README.md index d500ff6..a34522d 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,11 @@ LogLens also tracks parser coverage telemetry for unsupported or malformed lines - `parse_success_rate` - `top_unknown_patterns` +Common unsupported-pattern buckets include `sshd_connection_closed_preauth`, +`sshd_timeout_or_disconnection`, `sshd_negotiation_failure`, and +`pam_unix_session_closed`. These buckets keep non-finding evidence reviewable +without counting it as detector evidence. + For the parser behavior contract, supported modes, and fixture map, see [`docs/parser-contract.md`](./docs/parser-contract.md). LogLens does not currently detect: diff --git a/docs/parser-contract.md b/docs/parser-contract.md index a969f4e..aac905e 100644 --- a/docs/parser-contract.md +++ b/docs/parser-contract.md @@ -41,6 +41,12 @@ Recognized success or audit families include accepted password, accepted publick This is the main trust boundary: unsupported input should remain inspectable, even when it does not produce a finding. +Stable unsupported-pattern buckets currently exercised by the fixture corpus include +`sshd_connection_closed_preauth`, `sshd_timeout_or_disconnection`, +`sshd_negotiation_failure`, and `pam_unix_session_closed`. They are parser +telemetry and warnings only; detector signal mappings decide which parsed events +can contribute to findings. + ## Detection signal boundary Parsing a line does not automatically mean it should drive a detector. LogLens keeps that boundary explicit through `AuthSignalConfig`.
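Review bot: The README hunk duplicates the bucket list that the docs/parser-contract.md hunk also adds, and the two descriptions already disagree ("Common unsupported-pattern buckets" here versus "Stable unsupported-pattern buckets currently exercised by the fixture corpus" in the contract), so the two copies will drift as buckets are added or renamed. Since the README already points readers to `docs/parser-contract.md` two lines below, consider keeping the authoritative list in the contract and having the README say only that unsupported lines are grouped into named buckets surfaced through `top_unknown_patterns` (the telemetry field listed directly above the hunk), which also ties the bucket names to where an operator would actually see them.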
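Review bot: In the parser-contract hunk, "Stable ... currently exercised by the fixture corpus" is ambiguous about whether the bucket names are part of the contract or just what the fixtures happen to produce today; if they are contract, state that renaming or removing one is a breaking change, and if they are not, drop "Stable". The bucket names (`sshd_connection_closed_preauth`, `pam_unix_session_closed`, and so on) read as lines the parser recognizes but deliberately does not turn into events, whereas the surrounding text describes unsupported or malformed input, so say which it is, and since the next section already names `AuthSignalConfig`, replace the generic "detector signal mappings decide which parsed events can contribute to findings" with a direct reference to that configuration so the reader can find the actual boundary.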