feat: rebuild presentation deck to v1.5.0 (+5 slides, all v1.4 modules covered)

[Copilot]

Presentation was frozen at v1.3.1 while the codebase shipped a full Analyst OS layer (Alembic, plugins, RBAC, workflows, lineage, metrics, review queue). This PR bumps the version to 1.5.0 and rebuilds the deck to cover everything.

Version bump

• pyproject.toml: 1.3.1 → 1.5.0
• CHANGELOG.md: new [1.5.0] consolidation entry

New slides (22–26, inserted after Deployment)

Slide	Content
22	Database Migrations + Plugin System — Alembic 1.13, 3 migration scripts, gnat-db CLI, PluginRegistry, HookBus (14 known events)
23	Policy Engine + STIX Object Validator — Role/Permission matrix, audit middleware, FastAPI Depends; 19 SDO + 16 SCO + 2 SRO + 4 Meta type validation
24	Workflow DAG Engine — WorkflowStep/WorkflowContext/WorkflowResult, cycle detection, 6 step factories, PhishingTriage + IncidentResponse pre-builts
25	Data Lineage + Analyst Metrics — append-only LineageStore, LineageTracker; ring-buffer MetricsCollector, 9 metric types, MetricsAggregator
26	AI Intel Review Queue — ReviewService lifecycle (PENDING → APPROVED → PROMOTED), 8 REST endpoints, gnat review CLI, F6 TUI ReviewScreen

Updated existing slides

• Slide 1 / Slide 32 (Close): v1.3.1 · 1,500+ tests → v1.5.0 · 2,000+ tests
• Slide 9 (AI Agents): WorkflowEngine banner added
• Slide 15 (TAXII): write endpoints (POST ingest + DELETE soft-delete), test count 44 → 56, note TLP:AMBER/RED write permission
• Slide 17 (TUI): F1–F4 → F1–F6 (F5 Health, F6 Review)
• Slide 29 (By the Numbers): 150+ files → 200+; 4 hrs Curation → 5 New v1.5 Modules
• Slide 31 (All Roadmap): expanded to 15 + 15 items covering all v1.4/1.5 additions

Deck: 27 slides → 32 slides.

[Copilot]

Pull request overview

Updates the project’s published version and rebuilds the generated presentation deck to reflect the v1.4/v1.5 “Analyst OS” feature set.

Changes:

• Bump package version to 1.5.0.
• Add a consolidated 1.5.0 entry to CHANGELOG.md.
• Rework scripts/build_presentation.js to update existing slides and add 5 new module slides (migrations/plugins, RBAC+validator, workflow engine, lineage+metrics, review queue).

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 9 comments.

File	Description
scripts/build_presentation.js	Updates slide content and adds slides 22–26 covering new v1.4+/v1.5 modules; refreshes version/test counts and several feature callouts.
pyproject.toml	Bumps project.version from 1.3.1 to 1.5.0.
CHANGELOG.md	Adds a new 1.5.0 consolidation entry describing the v1.4+/v1.5 feature set and deck rebuild.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The changelog says it follows Keep a Changelog, but the new 1.5.0 section is placed above the "[Unreleased]" section. Keep a Changelog expects "Unreleased" to be the top section so new changes land there; please move the 1.5.0 entry below "[Unreleased]" (and keep versions in reverse chronological order under it).

Suggested change

	## [1.5.0]
	Consolidation release. Bumps the version tag to reflect the full Analyst OS feature set
	(Alembic migrations, Plugin System, Policy Engine, TAXII write endpoints, Workflow
	orchestration, Data Lineage, Analyst Metrics, AI Intel Review Queue, Discord connector,
	STIX Object Validator). Presentation deck rebuilt to v1.5.0 with 5 new slides covering
	all v1.4+ modules.
	→ Full feature breakdown is in `## [1.4.0]` below; this entry marks the version cut.

[Copilot]

This header uses reference-link syntax ("## [1.5.0]") but there is no corresponding link definition at the bottom of the file (only [v1.x.y] links exist). If you intend the version headers to be clickable like the earlier entries, add a link definition for 1.5.0 (and likely 1.4.0), or drop the brackets to avoid implying a link.

[Copilot]

The STIX type grouping is inaccurate: "relationship" and "sighting" are SROs in STIX 2.1, but they are currently included in the SDO list as well. This also makes the stated SDO count misleading. Please remove SRO types from the SDO list and adjust the counts accordingly so the slide matches the STIX 2.1 spec (and your validator behavior).

[Copilot]

The RBAC slide's roles/permissions don't match the actual policy model in the codebase. gnat/policy/models.py defines roles VIEWER, ANALYST, SENIOR_ANALYST, REVIEWER, ADMIN and permissions like READ_INVESTIGATIONS/WRITE_INVESTIGATIONS/READ_REPORTS/etc., but the slide lists OPERATOR and permissions such as READ_OBJECTS/QUERY_NLP/WRITE_OBJECTS/PROMOTE_INTEL which don't exist. Please update the role list and permission examples to reflect the real enums/matrix so the deck stays consistent with the implementation.

[Copilot]

The TAXII endpoint paths shown here don't match the server router paths in gnat/dissemination/taxii/server.py (e.g., the implementation uses /taxii2/{api_root}/collections/{collection_id}/... and the delete path param is stix_id, not {id}). Consider switching the slide to placeholders like {api-root} / {collection_id} / {stix-id} (or the exact concrete api_root if you want it hard-coded) so the listed endpoints are accurate.

[Copilot]

The Workflow engine API described here doesn't align with gnat/agents/workflow.py. In code, WorkflowContext is investigation_id/shared/results, Workflow.run(ctx) executes, and WorkflowResult reports fields like steps_completed/steps_failed/elapsed_seconds (not steps_run/elapsed_ms), so the class summaries are currently misleading. Please update the slide text to match the actual dataclasses/method names.

[Copilot]

This example code doesn’t match the actual workflow usage shown in gnat/agents/workflow.py and gnat/agents/workflows/phishing_triage.py (the workflow object is run via .run(ctx), not .execute(ctx), and the builder parameters differ). Please align the snippet with the real API so readers can copy/paste it successfully.

Suggested change

	"from gnat.agents.workflows.phishing_triage import build_phishing_triage_workflow\nresult = build_phishing_triage_workflow(enricher, correlator, detector, drafter, svc).execute(ctx)"
	"from gnat.agents.workflows.phishing_triage import build_phishing_triage_workflow\nworkflow = build_phishing_triage_workflow(svc)\nresult = workflow.run(ctx)"

[Copilot]

The lifecycle diagram implies "PROMOTED" is a ReviewStatus, but gnat/review/models.py only defines PENDING/APPROVED/REJECTED/MODIFIED; promotion is tracked via promoted_at after calling ReviewService.promote(). Please adjust the diagram (e.g., show promotion as an action/side effect of APPROVED rather than a status) to match the real state machine.

[Copilot]

The ReviewService method signatures shown here don’t match the implementation in gnat/review/service.py (e.g., approve(item_id, reviewed_by, notes=None, confidence_override=None) and promote(item_id, workspace_manager=None)—promote() doesn’t take a reviewer arg). Please update the signatures/parameter names so the slide reflects the actual public API.

Suggested change

	["approve(id, reviewer, notes, confidence)", "Set APPROVED + optional confidence override (0-100)"],
	["reject(id, reviewer, reason)", "Set REJECTED with reason"],
	["modify(id, reviewer, modified_properties)", "Capture analyst property overrides (MODIFIED)"],
	["promote(id, reviewer, workspace_manager)", "Merge overrides + x_source_type=analyst_verified"],
	["approve(item_id, reviewed_by, notes=None, confidence_override=None)", "Set APPROVED + optional confidence override (0-100)"],
	["reject(item_id, reviewed_by, reason)", "Set REJECTED with reason"],
	["modify(item_id, reviewed_by, modified_properties)", "Capture analyst property overrides (MODIFIED)"],
	["promote(item_id, workspace_manager=None)", "Merge overrides + x_source_type=analyst_verified"],