loki-mode 5.42.2 → 5.43.0

package/docs/siem-integration.md

@@ -0,0 +1,579 @@
+# SIEM Integration Guide
+
+Integrate Loki Mode audit logs with Security Information and Event Management (SIEM) systems.
+
+## Overview
+
+Loki Mode supports integration with enterprise SIEM systems for:
+
+- Centralized security monitoring
+- Real-time threat detection
+- Compliance reporting (SOC2, HIPAA, PCI-DSS)
+- Incident response
+- Forensic analysis
+
+Supported SIEM platforms:
+- Splunk
+- IBM QRadar
+- Micro Focus ArcSight
+- Elastic SIEM
+- Datadog Security Monitoring
+- LogRhythm
+- SumoLogic
+
+## Syslog Forwarding (v5.38.0)
+
+### Enable Syslog
+
+```bash
+export LOKI_AUDIT_SYSLOG_HOST=syslog.example.com
+export LOKI_AUDIT_SYSLOG_PORT=514
+export LOKI_AUDIT_SYSLOG_PROTO=udp
+
+loki start ./prd.md
+```
+
+### Configuration
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `LOKI_AUDIT_SYSLOG_HOST` | - | Syslog server hostname or IP |
+| `LOKI_AUDIT_SYSLOG_PORT` | `514` | Syslog server port |
+| `LOKI_AUDIT_SYSLOG_PROTO` | `udp` | Protocol: `udp` or `tcp` |
+| `LOKI_SYSLOG_FACILITY` | `local0` | Syslog facility (local0-local7) |
+| `LOKI_SYSLOG_SEVERITY` | `info` | Minimum severity to forward |
+
+### Configuration File
+
+```yaml
+# .loki/config.yaml
+enterprise:
+  siem:
+    enabled: true
+    syslog:
+      host: syslog.example.com
+      port: 514
+      protocol: udp
+      facility: local0
+      severity: info
+      format: rfc5424  # RFC 5424 or RFC 3164
+```
+
+### Testing
+
+```bash
+# Test syslog connectivity
+loki syslog test
+
+# Send test event
+loki syslog test --message "Test event from Loki Mode"
+
+# Verify on syslog server
+tail -f /var/log/loki-mode.log
+```
+
+## Splunk Integration
+
+### Method 1: Splunk Universal Forwarder
+
+```bash
+# Install Splunk Universal Forwarder
+wget -O splunkforwarder.tgz 'https://download.splunk.com/...'
+tar -xzf splunkforwarder.tgz
+cd splunkforwarder
+
+# Configure to monitor audit logs
+./bin/splunk add monitor ~/.loki/dashboard/audit/ \
+  -sourcetype loki:audit \
+  -index security \
+  -hostname $(hostname)
+
+# Start forwarder
+./bin/splunk start
+```
+
+### Method 2: HTTP Event Collector (HEC)
+
+```bash
+# Enable HEC in Splunk Web:
+# Settings > Data Inputs > HTTP Event Collector > New Token
+
+# Configure Loki Mode
+export LOKI_SPLUNK_HEC_URL=https://splunk.example.com:8088/services/collector
+export LOKI_SPLUNK_HEC_TOKEN=your-hec-token
+
+# Or via config file
+cat > .loki/config.yaml <<EOF
+enterprise:
+  siem:
+    splunk:
+      hec_url: https://splunk.example.com:8088/services/collector
+      hec_token: your-hec-token
+      index: security
+      sourcetype: loki:audit
+EOF
+```
+
+### Splunk Searches
+
+```spl
+# Recent audit events
+index=security sourcetype=loki:audit
+| stats count by event level
+
+# Failed authentication attempts
+index=security sourcetype=loki:audit event="auth.fail"
+| table timestamp actor details.reason
+
+# High-cost sessions
+index=security sourcetype=loki:audit event="session.complete"
+| eval cost=tonumber('details.cost')
+| where cost > 4.0
+| table timestamp cost details.provider
+
+# Agent errors
+index=security sourcetype=loki:audit level=error
+| stats count by event agent
+```
+
+## IBM QRadar Integration
+
+### Syslog Setup
+
+```bash
+# Configure QRadar log source
+# 1. QRadar Console > Admin > Log Sources > Add Log Source
+# 2. Log Source Type: Syslog
+# 3. Protocol: UDP/TCP
+# 4. Port: 514
+
+# Configure Loki Mode
+export LOKI_AUDIT_SYSLOG_HOST=qradar.example.com
+export LOKI_AUDIT_SYSLOG_PORT=514
+export LOKI_AUDIT_SYSLOG_PROTO=tcp
+```
+
+### QRadar Rules
+
+Create custom rules in QRadar:
+
+```
+Rule: Loki Mode Authentication Failure
+Event: loki:audit AND event="auth.fail"
+Action: Alert, Create Offense
+Severity: High
+
+Rule: Loki Mode High Cost Session
+Event: loki:audit AND event="session.complete" AND cost > 4.0
+Action: Alert
+Severity: Medium
+
+Rule: Loki Mode Session Failure
+Event: loki:audit AND event="session.fail"
+Action: Alert, Create Offense
+Severity: Medium
+```
+
+## Elastic SIEM Integration
+
+### Filebeat Setup
+
+```yaml
+# /etc/filebeat/inputs.d/loki-audit.yml
+filebeat.inputs:
+  - type: log
+    enabled: true
+    paths:
+      - /home/user/.loki/dashboard/audit/*.jsonl
+    json.keys_under_root: true
+    json.add_error_key: true
+    fields:
+      log_type: audit
+      application: loki-mode
+      environment: production
+    tags: ["loki", "audit", "security"]
+
+# Elasticsearch output
+output.elasticsearch:
+  hosts: ["https://elasticsearch.example.com:9200"]
+  index: "loki-audit-%{+yyyy.MM.dd}"
+  username: "filebeat"
+  password: "${ELASTICSEARCH_PASSWORD}"
+
+# Kibana dashboards
+setup.kibana:
+  host: "https://kibana.example.com:5601"
+```
+
+### Elastic Detection Rules
+
+Create detection rules in Kibana Security:
+
+```
+Rule: Failed Authentication Attempts
+Query: event.dataset:"loki-audit" AND event:"auth.fail"
+Risk Score: 50
+Severity: Medium
+Actions: Slack notification, Create case
+
+Rule: Repeated Session Failures
+Query: event.dataset:"loki-audit" AND event:"session.fail"
+Threshold: 3 occurrences in 15 minutes
+Risk Score: 75
+Severity: High
+Actions: PagerDuty alert, Create case
+
+Rule: Unusual Agent Activity
+Query: event.dataset:"loki-audit" AND agent.count > 50
+Risk Score: 60
+Severity: Medium
+```
+
+## ArcSight Integration
+
+### SmartConnector Setup
+
+```bash
+# Install ArcSight SmartConnector for Syslog
+
+# Configure connector.properties
+agents[0].mode=syslogudp
+agents[0].port=514
+agents[0].parser=loki-audit
+
+# Custom parser for Loki JSON format
+# Create loki-audit.parser.properties:
+parser.name=loki-audit
+parser.type=json
+parser.fields.timestamp=timestamp
+parser.fields.event=event
+parser.fields.level=level
+parser.fields.actor=actor
+```
+
+### ArcSight CEF Format
+
+```bash
+# Enable CEF output format
+export LOKI_SYSLOG_FORMAT=cef
+
+# CEF message example:
+# CEF:0|Autonomi|Loki Mode|5.42.2|session.start|Session Started|3|
+# rt=2026-02-15T14:30:00Z suser=user cs1=claude cs1Label=Provider
+```
+
+## Datadog Security Monitoring
+
+### Log Collection
+
+```yaml
+# /etc/datadog-agent/conf.d/loki_mode.d/conf.yaml
+logs:
+  - type: file
+    path: /home/user/.loki/dashboard/audit/*.jsonl
+    service: loki-mode
+    source: loki-audit
+    tags:
+      - env:production
+      - team:security
+      - compliance:soc2
+
+# Process JSON logs
+logs_config:
+  processing_rules:
+    - type: multi_line
+      name: log_start_with_timestamp
+      pattern: ^\{
+```
+
+### Security Signals
+
+Create security signals in Datadog:
+
+```
+Signal: Multiple Failed Auth Attempts
+Query: source:loki-audit event:auth.fail
+Threshold: > 5 in 5 minutes
+Severity: High
+Notifications: Slack #security, PagerDuty
+
+Signal: High Cost Session Alert
+Query: source:loki-audit event:session.complete @cost:>4.5
+Severity: Medium
+Notifications: Email team@example.com
+
+Signal: Unusual Agent Spawning
+Query: source:loki-audit event:agent.spawn
+Threshold: > 20 in 1 minute
+Severity: High
+Notifications: PagerDuty, Slack #incidents
+```
+
+## Log Format Standards
+
+### RFC 5424 (Syslog Protocol)
+
+```
+<134>1 2026-02-15T14:30:00.000Z dev-machine loki-mode 12345 - - {"event":"session.start","level":"info","actor":"user"}
+```
+
+### CEF (Common Event Format)
+
+```
+CEF:0|Autonomi|Loki Mode|5.42.2|session.start|Session Started|3|rt=2026-02-15T14:30:00Z suser=user cs1=claude cs1Label=Provider
+```
+
+### LEEF (Log Event Extended Format)
+
+```
+LEEF:1.0|Autonomi|Loki Mode|5.42.2|session.start|devTime=2026-02-15T14:30:00Z usrName=user provider=claude
+```
+
+## Event Correlation
+
+### Use Cases
+
+1. **Failed Auth + Session Start** - Potential brute force
+2. **Multiple Session Failures** - System instability
+3. **High Cost + Many Agents** - Resource abuse
+4. **Rapid Token Creation** - Possible token theft
+5. **Off-hours Activity** - Unauthorized access
+
+### Correlation Rules
+
+```yaml
+# .loki/config.yaml
+enterprise:
+  siem:
+    correlation_rules:
+      - name: "Brute Force Detection"
+        events:
+          - auth.fail
+        threshold: 5
+        window: 300  # seconds
+        action: alert
+        severity: high
+
+      - name: "Session Instability"
+        events:
+          - session.fail
+        threshold: 3
+        window: 600
+        action: alert
+        severity: medium
+```
+
+## Compliance Reporting
+
+### SOC2 Reports
+
+```bash
+# Generate SOC2 audit report
+loki enterprise audit export \
+  --from 2026-01-01 \
+  --to 2026-12-31 \
+  --format soc2 \
+  --output soc2-audit-report.pdf
+
+# Trust Services Criteria coverage
+loki compliance report --framework soc2
+```
+
+### HIPAA Reports
+
+```bash
+# PHI access audit trail
+loki enterprise audit search \
+  --event data.access \
+  --tag phi \
+  --from 2026-01-01 \
+  --format hipaa
+
+# Administrative safeguards report
+loki compliance report --framework hipaa --section administrative
+```
+
+### PCI-DSS Reports
+
+```bash
+# User access report (Requirement 8)
+loki enterprise audit search \
+  --event auth.token.create \
+  --event auth.token.revoke \
+  --format pci
+
+# Audit log review (Requirement 10)
+loki compliance report --framework pci --requirement 10
+```
+
+## Alerting
+
+### Critical Events
+
+Configure immediate alerts for:
+
+- `auth.fail` (3+ in 5 minutes)
+- `session.fail` (any occurrence)
+- `cost_exceeded` (budget threshold)
+- `token.revoke.all` (mass revocation)
+- `config.change` (production changes)
+
+### Alert Channels
+
+```yaml
+enterprise:
+  siem:
+    alerts:
+      - event: auth.fail
+        threshold: 3
+        window: 300
+        channels:
+          - slack: "#security-alerts"
+          - pagerduty: "P1234567"
+          - email: "security@example.com"
+
+      - event: session.fail
+        threshold: 1
+        channels:
+          - slack: "#loki-alerts"
+          - email: "devops@example.com"
+```
+
+## Best Practices
+
+### Configuration
+
+1. Use TCP for syslog (more reliable than UDP)
+2. Enable TLS for encrypted log forwarding
+3. Set appropriate log levels (info for production)
+4. Configure log buffering for high-volume environments
+5. Test failover scenarios
+
+### Security
+
+1. Encrypt logs in transit (TLS/SSL)
+2. Encrypt logs at rest
+3. Restrict SIEM access to security team
+4. Use service accounts with minimal permissions
+5. Rotate SIEM credentials regularly
+
+### Performance
+
+1. Use log aggregation to reduce SIEM load
+2. Filter low-value events before forwarding
+3. Compress logs during transmission
+4. Monitor SIEM ingestion rates
+5. Set up log retention policies
+
+### Monitoring
+
+1. Monitor syslog connectivity
+2. Track log forwarding failures
+3. Alert on SIEM ingestion delays
+4. Review SIEM dashboards weekly
+5. Test incident response procedures quarterly
+
+## Troubleshooting
+
+### Logs Not Appearing in SIEM
+
+```bash
+# Check syslog connectivity
+nc -zv syslog.example.com 514
+
+# Test syslog send
+logger -n syslog.example.com -P 514 "Test from Loki Mode"
+
+# Verify syslog configuration
+echo $LOKI_AUDIT_SYSLOG_HOST
+loki syslog test
+
+# Check for forwarding errors
+loki enterprise audit tail --event syslog.error
+```
+
+### Format Issues
+
+```bash
+# Check log format
+tail -f ~/.loki/dashboard/audit/audit-2026-02-15.jsonl | jq
+
+# Verify SIEM parser configuration
+# Check SIEM logs for parsing errors
+
+# Test with manual syslog send
+cat ~/.loki/dashboard/audit/audit-2026-02-15.jsonl | \
+  head -1 | \
+  logger -n syslog.example.com -P 514
+```
+
+### Performance Issues
+
+```bash
+# Check log volume
+find ~/.loki/dashboard/audit/ -type f -exec wc -l {} + | awk '{sum+=$1} END {print sum " total events"}'
+
+# Monitor syslog queue
+ss -tunap | grep :514
+
+# Reduce log volume
+export LOKI_AUDIT_LEVEL=warning
+export LOKI_AUDIT_EXCLUDE_EVENTS=api.request,api.response
+```
+
+## Examples
+
+### Splunk Dashboard
+
+```xml
+<dashboard>
+  <label>Loki Mode Security Dashboard</label>
+  <row>
+    <panel>
+      <title>Failed Authentications</title>
+      <chart>
+        <search>
+          <query>index=security sourcetype=loki:audit event="auth.fail" | timechart count</query>
+        </search>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Session Costs</title>
+      <chart>
+        <search>
+          <query>index=security sourcetype=loki:audit event="session.complete" | eval cost=tonumber('details.cost') | timechart avg(cost)</query>
+        </search>
+      </chart>
+    </panel>
+  </row>
+</dashboard>
+```
+
+### Elastic Query DSL
+
+```json
+{
+  "query": {
+    "bool": {
+      "must": [
+        {"match": {"event": "auth.fail"}},
+        {"range": {"timestamp": {"gte": "now-1h"}}}
+      ]
+    }
+  },
+  "aggs": {
+    "by_actor": {
+      "terms": {"field": "actor.keyword"}
+    }
+  }
+}
+```
+
+## See Also
+
+- [Audit Logging](audit-logging.md) - Audit logging configuration
+- [Authentication Guide](authentication.md) - Authentication events
+- [Enterprise Features](../wiki/Enterprise-Features.md) - Complete enterprise guide
+- [Network Security](network-security.md) - Security controls

package/learning/__init__.py

@@ -154,4 +154,4 @@ __all__ = [
     'get_startup_tips',
 ]
 
-__version__ = '1.2.0'
+__version__ = '5.43.0'

package/mcp/__init__.py

@@ -21,4 +21,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '5.42.2'
+__version__ = '5.43.0'

package/memory/__init__.py

@@ -86,6 +86,8 @@ from .namespace import (
     GLOBAL_NAMESPACE,
 )
 
+__version__ = '5.43.0'
+
 __all__ = [
     # Embeddings
     "EmbeddingEngine",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "5.42.2",
+  "version": "5.43.0",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "autonomi",
@@ -49,6 +49,7 @@
   ],
   "scripts": {
     "postinstall": "node bin/postinstall.js",
+    "prepack": "find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; true",
     "prepublishOnly": "cd dashboard-ui && npm ci && npm run build:all",
     "test": "bash -n autonomy/run.sh && bash -n autonomy/loki && bash -n autonomy/completion-council.sh && echo 'All syntax checks passed'",
     "test:visual": "node --experimental-vm-modules node_modules/jest/bin/jest.js dashboard-ui/tests/visual-regression.test.js",