From d7fcdac8cd7e0753fe48196aaa47b4f42e099b78 Mon Sep 17 00:00:00 2001 From: stacknil Date: Wed, 25 Mar 2026 17:18:09 +0800 Subject: [PATCH] docs: prep v0.3.0 release notes --- CHANGELOG.md | 26 ++++++++++++++++++++++---- README.md | 6 +++--- docs/release-v0.3.0.md | 21 +++++++++++++++++++++ 3 files changed, 46 insertions(+), 7 deletions(-) create mode 100644 docs/release-v0.3.0.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 52919b3..3e7c0aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,10 +6,7 @@ All notable user-visible changes should be recorded here. ### Added -- Added sanitized golden `report.md` / `report.json` regression fixtures to lock report contracts. -- Expanded parser coverage for `Accepted publickey` and selected `pam_faillock` / `pam_sss` variants. -- Added compact host-level summaries for multi-host reports. -- Added optional CSV export for findings and warnings when explicitly requested. +- None yet. ### Changed @@ -23,6 +20,27 @@ All notable user-visible changes should be recorded here. - None yet. +## v0.3.0 + +### Added + +- Broadened parser support for common Linux auth families by adding `Accepted publickey` handling plus selected `pam_faillock` and `pam_sss` auth failure variants. +- Added compact host-level summaries to `report.md` and `report.json` for multi-host inputs. +- Added optional CSV export for findings and warnings behind an explicit `--csv` flag. +- Added sanitized golden report-contract fixtures to lock deterministic Markdown, JSON, and CSV outputs. + +### Changed + +- Strengthened sanitized regression coverage with expanded parser fixture corpora and golden report-contract checks. + +### Fixed + +- Non-CSV runs now preserve pre-existing `findings.csv` and `warnings.csv` files instead of deleting them by default. + +### Docs + +- Synced release-facing documentation in `README.md` and added `docs/release-v0.3.0.md` for GitHub Release copy. + ## v0.2.0 ### Added diff --git a/README.md b/README.md index 088dd63..59ef294 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ LogLens includes two minimal GitHub Actions workflows: - `CI` builds and tests the project on `ubuntu-latest` and `windows-latest` - `CodeQL` runs GitHub code scanning for C/C++ on pushes, pull requests, and a weekly schedule -Both workflows are intended to stay stable enough to require on pull requests to `main`. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md). +Both workflows are intended to stay stable enough to require on pull requests to `main`. Regression coverage is backed by sanitized parser fixture matrices plus golden report-contract fixtures for `report.md`, `report.json`, and optional CSV outputs. Release-facing documentation is split across [`CHANGELOG.md`](./CHANGELOG.md), [`docs/release-process.md`](./docs/release-process.md), [`docs/release-v0.1.0.md`](./docs/release-v0.1.0.md), [`docs/release-v0.3.0.md`](./docs/release-v0.3.0.md), and the repository's GitHub release notes. The repository hardening note is in [`docs/repo-hardening.md`](./docs/repo-hardening.md), and vulnerability reporting guidance is in [`SECURITY.md`](./SECURITY.md). ## Threat Model @@ -58,7 +58,7 @@ LogLens currently detects: - One IP trying multiple usernames within 15 minutes - Bursty sudo activity from the same user within 5 minutes -LogLens currently parses and reports these additional auth patterns beyond the core detector inputs: +LogLens currently parses and reports these additional auth patterns beyond the core detector inputs, broadening coverage across common Linux auth families: - `Accepted publickey` SSH successes - `Failed publickey` SSH failures, which count toward SSH brute-force detection by default @@ -121,7 +121,7 @@ The CSV schema is intentionally small and stable: - `findings.csv`: `rule`, `subject_kind`, `subject`, `event_count`, `window_start`, `window_end`, `usernames`, `summary` - `warnings.csv`: `kind`, `message` -When an input spans multiple hostnames, both reports add compact host-level summaries without changing detector thresholds or introducing cross-host correlation logic. +When an input spans multiple hostnames, both reports add compact host-level summaries without changing detector thresholds or introducing cross-host correlation logic. In `report.md` this appears as a host summary table, and in `report.json` it appears as a `host_summaries` array. ## Sample Output diff --git a/docs/release-v0.3.0.md b/docs/release-v0.3.0.md new file mode 100644 index 0000000..ac8e442 --- /dev/null +++ b/docs/release-v0.3.0.md @@ -0,0 +1,21 @@ +# LogLens v0.3.0 + +LogLens v0.3.0 expands parser family coverage, strengthens deterministic regression coverage, and improves multi-host reporting while keeping the tool intentionally defensive and public-safe. + +## Highlights + +- broadened parser support for common Linux auth families +- strengthened sanitized corpus and golden regression coverage +- added multi-host host summaries in `report.md` and `report.json` +- added optional CSV export for findings and warnings + +## Notable changes + +- added parser support for `Accepted publickey` SSH successes plus selected `pam_faillock(...:auth)` and `pam_sss(...:auth)` failure variants +- expanded sanitized parser fixture matrices and added golden report-contract fixtures for Markdown, JSON, and CSV outputs +- added compact per-host summaries when one input file contains multiple hostnames, without introducing cross-host correlation or changing detector thresholds +- added explicit `--csv` output for `findings.csv` and `warnings.csv`, and kept non-CSV runs non-destructive toward existing CSV files + +## Scope note + +This release broadens the parser surface and improves report ergonomics, but LogLens remains a focused offline auth-log triage CLI rather than a SIEM, enrichment pipeline, or cross-host correlation platform.