Loupe

Release notes.

Each release lands here with a flat list of what shipped, what changed, and what it breaks. v1.0 is the initial release; the roadmap below names the v1.x and v2 candidates already on the workbench.

v1.0 · current · April 28, 2026

Initial release.

Loupe v1.0 is a self-contained macOS application for assembling audit-ready RCAs from log files. Local-only, no telemetry, no subscription. The full feature set below is present in the shipping build.

Ingest

  • Eight native parsers: syslog 5424 / 3164, nginx and Apache (Combined + Common log), JSON Lines, RFC 5322 email, macOS unified log JSON, libpcap.
  • Automatic format detection by magic bytes, first-line patterns, file extension, and content heuristics.
  • SHA-256 chain-of-custody hashing on every ingested file.
  • Per-source timezone + clock-skew adjustment (offset stored as a TimestampAdjustment, recomputed on the unified timeline).

Correlation + detection

  • Unified multi-source timeline with density chart, severity histogram, and click-and-drag windowing.
  • 30+ rule-engine detectors covering DB, web, system, auth, network, TLS, and DNS categories.
  • Anomaly detection: rate spikes, error bursts, severity escalations.
  • Event clustering across sources from the same time window.
  • Entity extraction: hosts, IPs, FQDNs, and email addresses surfaced from cited events.

Reporting

  • Five RCA templates: Google SRE Postmortem (CC BY 4.0), Atlassian Incident Postmortem, PagerDuty Incident Response, ITIL Post-Incident Review, DMAIC.
  • Interactive 5-Whys drill-down with per-step evidence citations.
  • Auto-populated Action Items, Timeline, and Affected Assets sections from the case.
  • Auto-computed MTTD / MTTA / MTTR from SLA timestamps.

AI narrator (optional)

  • On-device narrator via Apple’s FoundationModels framework — runs entirely on your Mac.
  • Multi-run consensus gate: ships only when ≥3 runs agree above threshold; otherwise surfaces the neutral “couldn't build a confident brief” message.
  • Citations are constrained to existing event indexes at generation time, so the narrator cannot cite an event that does not exist in the case; hallucinated references are structurally impossible.
  • 90-second wall-clock budget; cancellable mid-run.

Export

  • Self-contained bundle: PDF + HTML + Markdown writeup, IODEF v2 XML, supporting CSVs, optional raw logs, hash-chained audit log, Hashes.txt verifier file, machine-readable Manifest.json.
  • Redaction of email addresses, IPv4 addresses, bearer tokens, and (optionally) UUIDs in the writeup.
  • Optional ZipCrypto-encrypted zip alongside the bundle for transport.
  • Recipient-side verification with standard Unix tools (shasum, xmllint, unzip) — no Loupe install required on the receiving end.

Security + privacy

  • Zero network calls from the application — verifiable in Console.app or via tcpdump on your Mac.
  • Hardened Runtime, Library Validation, Developer ID signing (Apple Developer Team 5UF3Q334K6), Apple notarization.
  • AES-256-GCM case encryption with per-case keys in macOS Keychain (AfterFirstUnlockThisDeviceOnly).
  • Hash-chained audit log: every case mutation appended with prevHash + hash; tampering is detectable.
  • Ed25519-signed activation envelopes (RFC 8032), public key embedded in the build.
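
How a prevHash + hash chain like the audit log above makes edits and deletions detectable, as an added example that is not Loupe's code or on-disk format. Only the field names prevHash and hash come from the notes; the record layout, the all-zero genesis value, the canonical JSON encoding and the sample mutations are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prevHash of the first entry

def entry_hash(prev_hash, body):
    """SHA-256 over prevHash plus a canonical JSON encoding of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append(log, body):
    """Append a mutation record linked to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prevHash": prev, "body": body, "hash": entry_hash(prev, body)})
    return log

def verify(log, expected_head=None):
    """Return (ok, index_of_first_bad_entry_or_None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prevHash"] != prev:
            return False, i, "prevHash does not match previous entry"
        if entry_hash(entry["prevHash"], entry["body"]) != entry["hash"]:
            return False, i, "hash does not match entry contents"
        prev = entry["hash"]
    # Dropping entries from the tail leaves a valid shorter chain, so the
    # head hash has to be compared with a copy recorded outside the log.
    if expected_head is not None and prev != expected_head:
        return False, len(log), "head hash differs from recorded head"
    return True, None, "chain intact"

def demo():
    """Constructed sample mutations; not Loupe's real audit records."""
    log = []
    for body in ({"op": "create_case", "case": "demo-1"},
                 {"op": "add_source", "file": "nginx.log"},
                 {"op": "cite_event", "index": 42},
                 {"op": "export_bundle"}):
        append(log, body)
    head = log[-1]["hash"]
    edited = json.loads(json.dumps(log))          # deep copy of the chain
    edited[1]["body"]["file"] = "other.log"       # in-place edit of one entry
    removed = log[:2] + log[3:]                   # entry deleted mid-chain
    truncated = log[:3]                           # tail dropped
    return {"intact": verify(log, head), "edited": verify(edited, head),
            "removed": verify(removed, head), "truncated": verify(truncated),
            "truncated_anchored": verify(truncated, head)}
```

The chain alone catches edits and mid-chain deletions; tail truncation is caught only when the verifier holds the head hash from a separate record.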

Distribution

  • Notarized DMG distributed outside the Mac App Store.
  • Universal binary (Apple silicon and Intel x86_64).
  • macOS 26.0 minimum.
  • No subscription. Buy once, own that major version forever; $39 upgrade for future major versions.

v1.x · roadmap

What lands inside the v1 line.

All free for v1 license holders. No version dates because we ship when each item is ready, not on a calendar.

  • User-authored rules + RCA templates loaded from ~/Library/Application Support/Loupe/.
  • In-app updater (Sparkle integration) — current v1 install requires manual DMG replacement.
  • Manual format override UI for cases where auto-detection misclassifies.
  • Per-source clock skew controls surfaced in the UI.
  • age / PGP encrypted send (replaces ZipCrypto for recipient-keyed encryption).
  • MCP server (read-only loopback) for Claude / scripting integration.
  • File-IPC scripting tier — drop a request JSON, get an export JSON back.
  • IODEF XML import (currently export only).
  • journald JSON parser (covers RHEL, Fedora, Ubuntu, Debian, Arch, openSUSE).
  • Windows .evtx parser (covers Windows XP through Server 2025).
  • Pcap citation sidecar HTML for binary-source deep-linking.

v2 · candidates

What might justify a v2.

Themes large enough to warrant the major-version bump (and the $39 upgrade fee). On the workbench; not a commitment.

  • Multi-case corpus analytics + recurring-incident detection.
  • Sigma rule import + asset inventory CSV import (CMDB / Ansible / Terraform).
  • Vendor escalation panel — purpose-built for the email-thread + log-evidence reconstruction workflow.
  • Hypothesis / assertion mode for adversarial review.
  • Enterprise encryption mode: per-open biometric, sparsebundle container, exportable encryption posture report.
  • Pcap-native parser (no tshark dependency).

Stay in the loop

New releases ship with an email to license holders containing the updated DMG link and a one-page summary of what changed. There is no in-app updater in v1 — Sparkle integration is on the v1.x roadmap above.