fix: critical Keep-Alive correlation bug - network events evicted prematurely

- Fix cleanExpired() to use TTL map instead of event timestamp for B events
- Increase default correlation time window from 1s to 10s
- Increase default network TTL from 30s to 120s for long sessions
- Use payload timestamp for network events when available (fallback to now)
- Add comprehensive Keep-Alive tests (TTL reset, long session scenarios)
- Bump version to 1.1.7

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

internal/adapters/inbound/unixsocket/source.go

@@ -259,8 +259,23 @@ func parseJSONEvent(data []byte, sourceType string) (*domain.NormalizedEvent, er
 		// Assume nanoseconds
 		event.Timestamp = time.Unix(0, ts)
 	case domain.SourceB:
-		// For network source, always use local reception time
-		event.Timestamp = time.Now()
+		// For network source, try to use event timestamp if available,
+		// fallback to reception time. This improves correlation accuracy
+		// when network logs include their own timestamp (e.g., from packet capture).
+		if ts, ok := getInt64(raw, "timestamp"); ok {
+			event.Timestamp = time.Unix(0, ts)
+		} else if timeStr, ok := getString(raw, "time"); ok {
+			// Try RFC3339 format
+			if t, err := time.Parse(time.RFC3339, timeStr); err == nil {
+				event.Timestamp = t
+			} else if t, err := time.Parse(time.RFC3339Nano, timeStr); err == nil {
+				event.Timestamp = t
+			} else {
+				event.Timestamp = time.Now()
+			}
+		} else {
+			event.Timestamp = time.Now()
+		}
 	default:
 		return nil, fmt.Errorf("unsupported source type: %s", event.Source)
 	}

internal/adapters/inbound/unixsocket/source_test.go

@@ -62,9 +62,7 @@ func TestParseJSONEvent_Network(t *testing.T) {
 		"tcp_meta_flags": "SYN"
 	}`)
 
-	before := time.Now()
 	event, err := parseJSONEvent(data, "B")
-	after := time.Now()
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -78,8 +76,10 @@ func TestParseJSONEvent_Network(t *testing.T) {
 	if event.Source != domain.SourceB {
 		t.Errorf("expected source B, got %s", event.Source)
 	}
-	if event.Timestamp.Before(before.Add(-2*time.Second)) || event.Timestamp.After(after.Add(2*time.Second)) {
-		t.Errorf("expected network timestamp near now, got %v", event.Timestamp)
+	// Network source now uses payload timestamp if available
+	expectedTs := time.Unix(0, 1704110400000000000)
+	if !event.Timestamp.Equal(expectedTs) {
+		t.Errorf("expected network timestamp %v, got %v", expectedTs, event.Timestamp)
 	}
 }
 
@@ -114,11 +114,47 @@ func TestParseJSONEvent_SourceARequiresNumericTimestamp(t *testing.T) {
 	}
 }
 
-func TestParseJSONEvent_SourceBIgnoresPayloadTimestamp(t *testing.T) {
+func TestParseJSONEvent_SourceBUsesPayloadTimestamp(t *testing.T) {
+	expectedTs := int64(1704110400000000000)
 	data := []byte(`{
 		"src_ip": "192.168.1.1",
 		"src_port": 8080,
-		"timestamp": 1
+		"timestamp": 1704110400000000000
+	}`)
+
+	event, err := parseJSONEvent(data, "B")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	expectedTime := time.Unix(0, expectedTs)
+	if !event.Timestamp.Equal(expectedTime) {
+		t.Errorf("expected source B to use payload timestamp %v, got %v", expectedTime, event.Timestamp)
+	}
+}
+
+func TestParseJSONEvent_SourceBUsesTimeField(t *testing.T) {
+	data := []byte(`{
+		"src_ip": "192.168.1.1",
+		"src_port": 8080,
+		"time": "2024-01-01T12:00:00Z"
+	}`)
+
+	event, err := parseJSONEvent(data, "B")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	expectedTime := time.Unix(0, 1704110400000000000)
+	if !event.Timestamp.Equal(expectedTime) {
+		t.Errorf("expected source B to use time field %v, got %v", expectedTime, event.Timestamp)
+	}
+}
+
+func TestParseJSONEvent_SourceBFallbackToNow(t *testing.T) {
+	data := []byte(`{
+		"src_ip": "192.168.1.1",
+		"src_port": 8080
 	}`)
 
 	before := time.Now()