@simbimbo/brainstem 0.0.4 → 0.0.5

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 0.0.5 — 2026-03-22
+
+Source capability reporting and docs/runtime alignment pass.
+
+### Highlights
+- exposes compact source-support matrix in `/runtime` (`capability_flags.source_capabilities`)
+- documents LogicMonitor-shaped ingest path as implemented runtime API surface
+- aligns README/docs/examples with runtime API surface and active source drivers
+- keeps behavior intact for existing ingestion/canonicalization paths
+
+### Validation
+- local test suite passed (with updated runtime capability coverage)
+
 ## 0.0.4 — 2026-03-22
 
 Release-prep alignment for the current intake foundation state.

package/README.md

@@ -53,17 +53,18 @@ For a given tenant or environment, brAInstem should answer:
 Current implementation is intentionally bounded:
 - FastAPI runtime at `brainstem.api:app`
 - Implemented API endpoints include:
-  - `POST /ingest/event`, `POST /ingest/batch`, `POST /replay/raw`
+  - `POST /ingest/event`, `POST /ingest/batch`, `POST /ingest/logicmonitor`, `POST /replay/raw`
   - `GET /interesting`, `GET /candidates`, `GET /signatures`, `GET /canonical_events`
   - `GET /stats`, `GET /failures`, `GET /failures/{id}`
   - `GET /raw_envelopes`, `GET /ingest/recent`, `GET /sources`, `GET /sources/status`
   - `GET /runtime`, `GET /status`, `GET /healthz`
 - UDP syslog listener at `brainstem.listener`
-- source-driver intake for `syslog` and `file`
+- source-driver intake for `syslog`, `file`, and narrow `logicmonitor` connector payload shape
 - SQLite-backed persistence with default DB at `.brainstem-state/brainstem.sqlite3`
 - optional API token in `BRAINSTEM_API_TOKEN`
 
-Runtime config can also be inspected at `/runtime` and includes listener defaults (`syslog_host`, `syslog_port`, thresholds, limits).
+Runtime config can also be inspected at `/runtime`. The runtime summary now includes explicit `source_capabilities`
+(`source_types` + per-source ingest modes) and auth/capabilities flags.
 
 ## Quick run path (API + listener + file/syslog intake)
 

package/brainstem/__init__.py

@@ -1,3 +1,3 @@
 """brAInstem — operational memory for weak signals."""
 
-__version__ = "0.0.4"
+__version__ = "0.0.5"

package/brainstem/api.py

@@ -11,12 +11,13 @@ import json
 from fastapi import Depends, FastAPI, Header, HTTPException, Query
 from pydantic import BaseModel, Field
 
-from .ingest import ReplayAttempt, replay_raw_envelopes_by_ids, run_ingest_pipeline
+from .ingest import ReplayAttempt, run_ingest_logicmonitor_events, replay_raw_envelopes_by_ids, run_ingest_pipeline
 from .interesting import interesting_items
 from .config import get_runtime_config
 from .fingerprint import normalize_message
 from . import __version__
 from .models import Candidate, RawInputEnvelope
+from .source_drivers import list_source_driver_types
 from .storage import (
     RAW_ENVELOPE_STATUSES,
     extract_source_raw_envelope_ids,
@@ -53,6 +54,7 @@ CAPABILITIES = {
     "ingest_endpoints": {
         "single_event": True,
         "batch_events": True,
+        "logicmonitor_events": True,
         "replay_raw": True,
     },
     "inspection_endpoints": {
@@ -137,6 +139,14 @@ class ReplayRawRequest(BaseModel):
     allowed_statuses: List[str] = Field(default_factory=lambda: list(DEFAULT_REPLAY_ALLOWED_STATUSES))
 
 
+class IngestLogicMonitorRequest(BaseModel):
+    tenant_id: str
+    events: List[Dict[str, Any]] = Field(default_factory=list, min_length=1)
+    source_path: str = "/logicmonitor/ingest"
+    threshold: int = Field(default=DEFAULT_BATCH_THRESHOLD, ge=1)
+    db_path: Optional[str] = None
+
+
 def _raw_envelope_from_request(payload: RawEnvelopeRequest) -> RawInputEnvelope:
     return RawInputEnvelope(
         tenant_id=payload.tenant_id,
@@ -183,7 +193,7 @@ def _candidate_inspection_from_row(row, db_path: str | None) -> Dict[str, Any]:
         "attention_score": candidate.score_total,
         "score_total": candidate.score_total,
         "attention_explanation": [],
-+        "score_breakdown": candidate.score_breakdown,
+        "score_breakdown": candidate.score_breakdown,
     }
 
     raw_envelope_ids = extract_source_raw_envelope_ids(row["metadata_json"])
@@ -282,6 +292,30 @@ def _replay_attempt_from_item(item: ReplayAttempt) -> Dict[str, Any]:
     }
 
 
+def _source_capability_matrix() -> Dict[str, Any]:
+    source_types = list_source_driver_types()
+    modes_by_source_type: List[Dict[str, Any]] = []
+    for source_type in source_types:
+        if source_type == "logicmonitor":
+            modes = [
+                {"mode": "logicmonitor_webhook", "endpoint": "/ingest/logicmonitor"},
+            ]
+        else:
+            modes = [
+                {"mode": "single_event_api", "endpoint": "/ingest/event"},
+                {"mode": "batch_api", "endpoint": "/ingest/batch"},
+            ]
+            if source_type == "syslog":
+                modes.append({"mode": "udp_listener", "endpoint": "brainstem.listener"})
+
+        modes_by_source_type.append({"source_type": source_type, "modes": modes})
+
+    return {
+        "source_types": source_types,
+        "ingest_modes_by_source_type": modes_by_source_type,
+    }
+
+
 def _runtime_summary() -> Dict[str, Any]:
     runtime_config = get_runtime_config()
     return {
@@ -291,7 +325,10 @@ def _runtime_summary() -> Dict[str, Any]:
             "api_token_env": runtime_config.api_token_env_var,
             "config": runtime_config.as_dict(),
         },
-        "capability_flags": CAPABILITIES,
+        "capability_flags": {
+            **CAPABILITIES,
+            "source_capabilities": _source_capability_matrix(),
+        },
         "auth_state": {
             "api_token_configured": is_api_token_auth_enabled(),
             "supports_x_api_token_header": True,
@@ -346,6 +383,46 @@ def _run_ingest_batch(raw_events: List[RawInputEnvelope], *, threshold: int, db_
     }
 
 
+@app.post("/ingest/logicmonitor", dependencies=[Depends(_require_api_token)])
+def ingest_logicmonitor(payload: IngestLogicMonitorRequest) -> Dict[str, Any]:
+    result = run_ingest_logicmonitor_events(
+        payload.events,
+        tenant_id=payload.tenant_id,
+        source_path=payload.source_path,
+        threshold=payload.threshold,
+        db_path=payload.db_path,
+    )
+    events = result.events
+    parse_failed = result.parse_failed
+    item_results = [asdict(item) for item in result.item_results]
+
+    if not events:
+        return {
+            "ok": True,
+            "event_count": 0,
+            "signature_count": 0,
+            "candidate_count": 0,
+            "item_count": len(result.raw_envelopes),
+            "item_results": item_results,
+            "parse_failed": parse_failed,
+            "interesting_items": [],
+        }
+
+    signatures = result.signatures
+    candidates = result.candidates
+    return {
+        "ok": True,
+        "tenant_id": events[0].tenant_id if events else payload.tenant_id,
+        "event_count": len(events),
+        "signature_count": len({sig.signature_key for sig in signatures}),
+        "candidate_count": len(candidates),
+        "item_count": len(result.raw_envelopes),
+        "item_results": item_results,
+        "parse_failed": parse_failed,
+        "interesting_items": interesting_items(candidates, limit=max(1, 5)),
+    }
+
+
 @app.post("/replay/raw", dependencies=[Depends(_require_api_token)])
 def replay_raw(payload: ReplayRawRequest) -> Dict[str, Any]:
     if not payload.raw_envelope_ids:

package/brainstem/config.py

@@ -13,6 +13,26 @@ def resolve_default_db_path() -> str:
     return str(Path(".brainstem-state") / "brainstem.sqlite3")
 
 
+def _read_env_int(env_name: str, default: int) -> int:
+    value = os.getenv(env_name, "").strip()
+    if not value:
+        return default
+    try:
+        return int(value)
+    except ValueError:
+        return default
+
+
+def _read_env_float(env_name: str, default: float) -> float:
+    value = os.getenv(env_name, "").strip()
+    if not value:
+        return default
+    try:
+        return float(value)
+    except ValueError:
+        return default
+
+
 @dataclass(frozen=True)
 class ListenerConfig:
     syslog_host: str = "127.0.0.1"
@@ -25,6 +45,7 @@ class ListenerConfig:
 @dataclass(frozen=True)
 class RuntimeDefaults:
     ingest_threshold: int = 2
+    recurrence_threshold: int = 2
     batch_threshold: int = 2
     interesting_limit: int = 5
     failure_limit: int = 20
@@ -41,6 +62,22 @@ class RuntimeLimits:
     replay_allowed_statuses: tuple[str, ...] = ("received", "parse_failed")
 
 
+@dataclass(frozen=True)
+class CandidateAttentionProfile:
+    recurrence_count_normalizer: int = 10
+    recovery_signal_weight: float = 0.4
+    spread_signal_weight: float = 0.2
+    novelty_signal_weight: float = 0.3
+    impact_high_weight: float = 0.5
+    impact_default_weight: float = 0.2
+    precursor_weight: float = 0.3
+    memory_weight: float = 0.4
+    decision_band_promote: float = 0.85
+    decision_band_urgent_human_review: float = 0.65
+    decision_band_review: float = 0.45
+    decision_band_watch: float = 0.25
+
+
 @dataclass(frozen=True)
 class DBConfig:
     default_path: str
@@ -51,6 +88,7 @@ class RuntimeConfig:
     api_token_env_var: str = "BRAINSTEM_API_TOKEN"
     listener: ListenerConfig = ListenerConfig()
     defaults: RuntimeDefaults = RuntimeDefaults()
+    candidate_attention: CandidateAttentionProfile = CandidateAttentionProfile()
     limits: RuntimeLimits = RuntimeLimits()
     db: DBConfig = DBConfig(default_path=resolve_default_db_path())
 
@@ -59,12 +97,40 @@ class RuntimeConfig:
             "api_token_env_var": self.api_token_env_var,
             "listener": asdict(self.listener),
             "defaults": asdict(self.defaults),
+            "candidate_attention": asdict(self.candidate_attention),
             "limits": asdict(self.limits),
             "db": asdict(self.db),
         }
 
 
 def get_runtime_config() -> RuntimeConfig:
+    defaults = RuntimeDefaults(
+        ingest_threshold=_read_env_int("BRAINSTEM_INGEST_THRESHOLD", 2),
+        recurrence_threshold=_read_env_int("BRAINSTEM_RECURRENCE_THRESHOLD", 2),
+        batch_threshold=_read_env_int("BRAINSTEM_BATCH_THRESHOLD", 2),
+        interesting_limit=_read_env_int("BRAINSTEM_INTERESTING_LIMIT", 5),
+        failure_limit=_read_env_int("BRAINSTEM_FAILURE_LIMIT", 20),
+        ingest_recent_limit=_read_env_int("BRAINSTEM_INGEST_RECENT_LIMIT", 20),
+        sources_limit=_read_env_int("BRAINSTEM_SOURCES_LIMIT", 10),
+        sources_status_limit=_read_env_int("BRAINSTEM_SOURCES_STATUS_LIMIT", 20),
+        replay_threshold=_read_env_int("BRAINSTEM_REPLAY_THRESHOLD", 2),
+    )
+    candidate_attention = CandidateAttentionProfile(
+        recurrence_count_normalizer=_read_env_int("BRAINSTEM_CANDIDATE_RECURRENCE_NORMALIZER", 10),
+        recovery_signal_weight=_read_env_float("BRAINSTEM_CANDIDATE_RECOVERY", 0.4),
+        spread_signal_weight=_read_env_float("BRAINSTEM_CANDIDATE_SPREAD", 0.2),
+        novelty_signal_weight=_read_env_float("BRAINSTEM_CANDIDATE_NOVELTY", 0.3),
+        impact_high_weight=_read_env_float("BRAINSTEM_CANDIDATE_IMPACT_HIGH", 0.5),
+        impact_default_weight=_read_env_float("BRAINSTEM_CANDIDATE_IMPACT_DEFAULT", 0.2),
+        precursor_weight=_read_env_float("BRAINSTEM_CANDIDATE_PRECURSOR", 0.3),
+        memory_weight=_read_env_float("BRAINSTEM_CANDIDATE_MEMORY_WEIGHT", 0.4),
+        decision_band_promote=_read_env_float("BRAINSTEM_DECISION_BAND_PROMOTE", 0.85),
+        decision_band_urgent_human_review=_read_env_float("BRAINSTEM_DECISION_BAND_URGENT_HUMAN_REVIEW", 0.65),
+        decision_band_review=_read_env_float("BRAINSTEM_DECISION_BAND_REVIEW", 0.45),
+        decision_band_watch=_read_env_float("BRAINSTEM_DECISION_BAND_WATCH", 0.25),
+    )
     return RuntimeConfig(
+        defaults=defaults,
+        candidate_attention=candidate_attention,
         db=DBConfig(default_path=resolve_default_db_path()),
     )

package/brainstem/connectors/logicmonitor.py

@@ -1,8 +1,19 @@
 from __future__ import annotations
 
+import json
+from dataclasses import dataclass
+
+from ..adapters import RawInputAdapter, register_raw_input_adapter
+from ..models import RawInputEnvelope
 from .types import ConnectorEvent
 
 
+def _coerce_mapping(payload: object) -> dict:
+    if not isinstance(payload, dict):
+        raise ValueError("logicmonitor payload must be an object")
+    return payload
+
+
 def map_logicmonitor_event(payload: dict, *, tenant_id: str) -> ConnectorEvent:
     metadata = payload.get("metadata") or {}
     host = payload.get("host") or payload.get("resource_name") or ""
@@ -24,3 +35,49 @@ def map_logicmonitor_event(payload: dict, *, tenant_id: str) -> ConnectorEvent:
             "cleared_at": metadata.get("cleared_at"),
         },
     )
+
+
+def map_logicmonitor_payload_to_raw_envelope(payload: object, *, tenant_id: str, source_path: str = "") -> RawInputEnvelope:
+    event_payload = _coerce_mapping(payload)
+    event = map_logicmonitor_event(event_payload, tenant_id=tenant_id)
+    return RawInputEnvelope(
+        tenant_id=event.tenant_id,
+        source_type=event.source_type,
+        timestamp=event.timestamp,
+        message_raw=event.message_raw,
+        host=event.host,
+        service=event.service,
+        severity=event.severity,
+        source_path=source_path,
+        metadata=dict(event.metadata),
+    )
+
+
+@dataclass(frozen=True)
+class LogicMonitorRawInputAdapter:
+    """Adapter for LogicMonitor-shaped event payload objects."""
+
+    source_type: str = "logicmonitor"
+
+    def parse_raw_input(self, payload, *, tenant_id: str, source_path: str = "") -> RawInputEnvelope:
+        if isinstance(payload, (bytes, bytearray)):
+            payload_text = payload.decode("utf-8", errors="replace")
+            payload_obj = json.loads(payload_text)
+            return map_logicmonitor_payload_to_raw_envelope(payload_obj, tenant_id=tenant_id, source_path=source_path)
+
+        if isinstance(payload, dict):
+            return map_logicmonitor_payload_to_raw_envelope(payload, tenant_id=tenant_id, source_path=source_path)
+
+        if isinstance(payload, str):
+            payload_text = payload.strip()
+            if payload_text.startswith("{") and payload_text.endswith("}"):
+                return map_logicmonitor_payload_to_raw_envelope(
+                    json.loads(payload_text),
+                    tenant_id=tenant_id,
+                    source_path=source_path,
+                )
+
+        raise ValueError("logicmonitor payload must be a mapping or JSON object string")
+
+
+register_raw_input_adapter(LogicMonitorRawInputAdapter())

package/brainstem/demo.py

@@ -10,9 +10,18 @@ from .instrumentation import emit, span
 from .interesting import interesting_items
 from .recurrence import build_recurrence_candidates, digest_items
 from .storage import init_db, store_candidates, store_events, store_signatures
+from .config import get_runtime_config
 
 
-def run_syslog_demo(path: str, tenant_id: str, threshold: int = 2, db_path: str | None = None) -> Dict[str, Any]:
+def run_syslog_demo(
+    path: str,
+    tenant_id: str,
+    threshold: int | None = None,
+    db_path: str | None = None,
+) -> Dict[str, Any]:
+    if threshold is None:
+        threshold = get_runtime_config().defaults.recurrence_threshold
+
     with span("syslog_demo", path=path, tenant_id=tenant_id, threshold=threshold):
         init_db(db_path)
         events = ingest_syslog_file(path, tenant_id=tenant_id)
@@ -52,7 +61,12 @@ def main() -> int:
     parser = argparse.ArgumentParser(description="Run the brAInstem syslog weak-signal demo.")
     parser.add_argument("path", help="Path to a syslog-like input file")
     parser.add_argument("--tenant", default="demo-tenant", help="Tenant/environment identifier")
-    parser.add_argument("--threshold", type=int, default=2, help="Minimum recurrence count for candidate emission")
+    parser.add_argument(
+        "--threshold",
+        type=int,
+        default=get_runtime_config().defaults.recurrence_threshold,
+        help="Minimum recurrence count for candidate emission",
+    )
     parser.add_argument("--db-path", default=None, help="Optional SQLite path for persistent state")
     args = parser.parse_args()
     payload = run_syslog_demo(args.path, tenant_id=args.tenant, threshold=args.threshold, db_path=args.db_path)

package/brainstem/fingerprint.py

@@ -9,6 +9,54 @@ _WHITESPACE_RE = re.compile(r"\s+")
 _IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
 _NUMBER_RE = re.compile(r"\b\d+\b")
 
+_CONNECTIVITY_SERVICE_HINTS = {
+    "charon",
+    "ipsec",
+    "wireguard",
+    "strongswan",
+    "openvpn",
+    "bgp",
+}
+_CONNECTIVITY_ANCHORS = {
+    "vpn",
+    "tunnel",
+    "rekey",
+    "ipsec",
+    "handshake",
+    "peer",
+}
+_CONNECTIVITY_STATE_HINTS = {
+    "down",
+    "up",
+    "dropped",
+    "recovered",
+    "unreachable",
+    "timeout",
+    "flapped",
+}
+_RESOURCE_HINTS = {
+    "disk",
+    "memory",
+    "cpu",
+    "storage",
+    "inode",
+    "pressure",
+    "filesystem",
+    "out of space",
+    "swap",
+}
+
+
+def _has_any(text: str, values: set[str]) -> bool:
+    return any(value in text for value in values)
+
+
+def _has_connectivity_context(message: str, service: str) -> bool:
+    service_hint = service and _has_any(service, _CONNECTIVITY_SERVICE_HINTS)
+    anchor_hint = _has_any(message, _CONNECTIVITY_ANCHORS)
+    state_hint = _has_any(message, _CONNECTIVITY_STATE_HINTS)
+    return service_hint or (anchor_hint and state_hint)
+
 
 def normalize_message(message: str) -> str:
     text = (message or "").strip().lower()
@@ -21,10 +69,16 @@ def normalize_message(message: str) -> str:
 def event_family_for(event: Event) -> str:
     message_normalized = getattr(event, "message_normalized", None) or normalize_message(event.message_raw)
     base = message_normalized
+    service = (event.service or "").strip().lower()
+
     if "fail" in base or "error" in base:
         return "failure"
     if "restart" in base or "stopped" in base or "started" in base:
         return "service_lifecycle"
+    if _has_connectivity_context(base, service):
+        return "connectivity"
+    if _has_any(base, _RESOURCE_HINTS):
+        return "resource"
     if "auth" in base or "login" in base:
         return "auth"
     return "generic"

package/brainstem/ingest.py

@@ -6,6 +6,7 @@ from datetime import datetime
 from pathlib import Path
 from typing import Callable, Iterable, List, Optional
 
+from .config import get_runtime_config
 from .fingerprint import fingerprint_event, normalize_message
 from .models import Candidate, CanonicalEvent, Event, RawInputEnvelope, Signature
 from .recurrence import build_recurrence_candidates
@@ -214,12 +215,15 @@ def replay_raw_envelopes_by_ids(
     raw_envelope_ids: Iterable[int | str | object],
     *,
     db_path: str,
-    threshold: int = 2,
+    threshold: int | None = None,
     on_event: Optional[Callable[[CanonicalEvent], None]] = None,
     on_parse_error: Optional[ErrorHandler] = None,
     force: bool = False,
     allowed_statuses: Iterable[str] = ("received", "parse_failed"),
 ) -> ReplayResult:
+    if threshold is None:
+        threshold = get_runtime_config().defaults.replay_threshold
+
     requested_raw_envelope_ids = list(dict.fromkeys([_coerce_raw_envelope_id(item) for item in raw_envelope_ids]))
     requested_raw_envelope_ids = [item for item in requested_raw_envelope_ids if item is not None]
 
@@ -294,12 +298,15 @@ def replay_raw_envelopes_by_ids(
 def run_ingest_pipeline(
     raw_envelopes: Iterable[RawInputEnvelope],
     *,
-    threshold: int = 2,
+    threshold: int | None = None,
     db_path: str | None = None,
     store_raw: bool = True,
     on_event: Optional[Callable[[CanonicalEvent], None]] = None,
     on_parse_error: Optional[ErrorHandler] = None,
 ) -> IngestionResult:
+    if threshold is None:
+        threshold = get_runtime_config().defaults.ingest_threshold
+
     raw_envelopes_list = list(raw_envelopes)
     raw_envelope_ids: List[int] = []
     if db_path:
@@ -387,7 +394,7 @@ def run_ingest_source_payload(
     *,
     tenant_id: str,
     source_path: str,
-    threshold: int = 2,
+    threshold: int | None = None,
     db_path: Optional[str] = None,
     on_event: Optional[Callable[[CanonicalEvent], None]] = None,
     on_parse_error: Optional[ErrorHandler] = None,
@@ -407,12 +414,34 @@ def run_ingest_source_payload(
     )
 
 
+def run_ingest_logicmonitor_events(
+    events: Iterable[object],
+    *,
+    tenant_id: str,
+    source_path: str = "/logicmonitor/ingest",
+    threshold: int | None = None,
+    db_path: Optional[str] = None,
+    on_event: Optional[Callable[[CanonicalEvent], None]] = None,
+    on_parse_error: Optional[ErrorHandler] = None,
+) -> IngestionResult:
+    return run_ingest_source_payload(
+        "logicmonitor",
+        list(events),
+        tenant_id=tenant_id,
+        source_path=source_path,
+        threshold=threshold,
+        db_path=db_path,
+        on_event=on_event,
+        on_parse_error=on_parse_error,
+    )
+
+
 def run_ingest_file_lines(
     lines: Iterable[str],
     *,
     tenant_id: str,
     source_path: str,
-    threshold: int = 2,
+    threshold: int | None = None,
     db_path: str | None = None,
     on_event: Optional[Callable[[CanonicalEvent], None]] = None,
     on_parse_error: Optional[ErrorHandler] = None,
@@ -451,7 +480,7 @@ def run_ingest_file(
     path: str,
     *,
     tenant_id: str,
-    threshold: int = 2,
+    threshold: int | None = None,
     db_path: Optional[str] = None,
     on_event: Optional[Callable[[CanonicalEvent], None]] = None,
     on_parse_error: Optional[ErrorHandler] = None,

package/brainstem/listener.py

@@ -64,11 +64,14 @@ def run_ingest_syslog_datagram(
     *,
     tenant_id: str,
     source_path: str = LISTENER_CONFIG.syslog_source_path,
-    threshold: int = LISTENER_CONFIG.ingest_threshold,
+    threshold: int | None = None,
     db_path: Optional[str] = None,
     on_event: Optional[EventHandler] = None,
     on_parse_error: Optional[ErrorHandler] = None,
 ) -> IngestionResult:
+    if threshold is None:
+        threshold = get_runtime_config().listener.ingest_threshold
+
     return run_ingest_source_payload(
         "syslog",
         payload,
@@ -90,11 +93,14 @@ def run_udp_syslog_listener(
     on_event: Optional[EventHandler] = None,
     on_parse_error: Optional[ErrorHandler] = None,
     db_path: Optional[str] = None,
-    threshold: int = LISTENER_CONFIG.ingest_threshold,
+    threshold: int | None = None,
     max_datagrams: Optional[int] = None,
     socket_timeout: float = LISTENER_CONFIG.syslog_socket_timeout,
     socket_obj: Optional[socket.socket] = None,
 ) -> int:
+    if threshold is None:
+        threshold = get_runtime_config().listener.ingest_threshold
+
     sock = socket_obj
     owns_socket = sock is None
     if sock is None:

package/brainstem/recurrence.py

@@ -7,12 +7,15 @@ from typing import Iterable, List
 from .models import Candidate, Event, Signature
 from .interesting import _attention_explanation
 from .scoring import score_candidate
+from .config import get_runtime_config
 
 
 FAMILY_TITLES = {
     "failure": "Recurring failure pattern",
     "auth": "Recurring authentication failure pattern",
     "service_lifecycle": "Recurring service lifecycle instability",
+    "connectivity": "Recurring network connectivity pattern",
+    "resource": "Recurring resource pressure pattern",
     "generic": "Recurring operational pattern",
 }
 
@@ -75,7 +78,17 @@ def _signature_lineage_index(
     return per_signature_raw_ids
 
 
-def build_recurrence_candidates(events: List[Event], signatures: List[Signature], *, threshold: int = 2) -> List[Candidate]:
+def build_recurrence_candidates(
+    events: List[Event],
+    signatures: List[Signature],
+    *,
+    threshold: int | None = None,
+) -> List[Candidate]:
+    runtime_config = get_runtime_config()
+    profile = runtime_config.candidate_attention
+    if threshold is None:
+        threshold = runtime_config.defaults.recurrence_threshold
+
     counts = signature_counts(signatures)
     candidates: List[Candidate] = []
     signature_raw_envelope_ids = _signature_lineage_index(events, signatures)
@@ -83,13 +96,17 @@ def build_recurrence_candidates(events: List[Event], signatures: List[Signature]
         count = counts[signature.signature_key]
         if count < threshold:
             continue
-        recurrence = min(count / 10.0, 1.0)
-        recovery = 0.4
-        spread = 0.2
-        novelty = 0.3
-        impact = 0.5 if signature.event_family in {"failure", "auth"} else 0.2
-        precursor = 0.3
-        memory_weight = 0.4
+        recurrence = min(count / float(profile.recurrence_count_normalizer), 1.0)
+        recovery = profile.recovery_signal_weight
+        spread = profile.spread_signal_weight
+        novelty = profile.novelty_signal_weight
+        impact = (
+            profile.impact_high_weight
+            if signature.event_family in {"failure", "auth"}
+            else profile.impact_default_weight
+        )
+        precursor = profile.precursor_weight
+        memory_weight = profile.memory_weight
         candidate = score_candidate(
             recurrence=recurrence,
             recovery=recovery,

package/brainstem/scoring.py

@@ -1,16 +1,18 @@
 from __future__ import annotations
 
 from .models import Candidate
+from .config import get_runtime_config
 
 
 def decision_band(score_total: float) -> str:
-    if score_total >= 0.85:
+    profile = get_runtime_config().candidate_attention
+    if score_total >= profile.decision_band_promote:
         return "promote_to_incident_memory"
-    if score_total >= 0.65:
+    if score_total >= profile.decision_band_urgent_human_review:
         return "urgent_human_review"
-    if score_total >= 0.45:
+    if score_total >= profile.decision_band_review:
         return "review"
-    if score_total >= 0.25:
+    if score_total >= profile.decision_band_watch:
         return "watch"
     return "ignore"