Loupe documentation.
Two halves. Flows walk through specific scenarios — how to configure Loupe to do a specific job. Technical details are the reference: every option, every format, every wire-level detail your security review will ask about.
Flows
How to configure Loupe for a specific job.
Install Loupe
Download, drag-to-Applications, first-run Gatekeeper, and activation via the email link. Three-minute setup.
Investigate a database outage
Multi-source RCA from web, syslog, app, and email. The canonical case Loupe was built for.
Diagnose a 5xx burst
Web server access logs + upstream syslog. Identify the upstream service that triggered the cascade.
Verify an export bundle (recipient)
You received a Loupe bundle. How to confirm hashes, re-derive findings, and trust the chain.
Hand a case off to an auditor
Package the right artifacts, redact what needs redacting, and produce a single signed bundle.
Investigate a chaotic case (multi-cluster)
When Loupe refuses to commit to one story, it surfaces every cluster as a thread. Analyze All runs each in sequence with one click.
Technical details
Reference for engineers, auditors, and IT.
Developer-level documentation: every option, every format, every guarantee — written for someone reviewing whether Loupe fits in their stack.
Hardware requirements
macOS version, Apple silicon, signing details, entitlements, optional dependencies.
Supported log formats
Eight first-class parsers: syslog 5424/3164, nginx CLF/Combined, JSONL, RFC 5322 email, macOS unified log, libpcap — plus a plaintext fallback.
Citation resolution
How Loupe resolves narrator citations to source. Three labelled tiers — captured raw bytes, live raw bytes, parser-normalized — so reviewers know what they are reading.
Archetype taxonomy
The eleven closed-vocabulary archetype cases anchored in NIST SP 800-61, ITIL 4, and ENISA. Schema-layer constrained — hallucinated labels are structurally impossible.
MITRE ATT&CK integration
30 bundled techniques. Inline rendering on every rule fire. 8 hand-rolled rules tagged at v1.0; full Sigma corpus carries upstream tags resolved at runtime.
Sigma rule import
35 keyword-only detections from a pinned SigmaHQ commit, converted at build time. Skip-reason breakdown for every rule that did not fit v1.0.
Testing methodology
500 unit tests, 6 real-model end-to-end scenarios, adversarial input coverage, 87.58% logic-surface coverage. Numbers a hostile auditor can reproduce.
License storage
Where the license actually lives, why it is in Application Support and not the Keychain, and what travels between Macs.
Export bundle anatomy
What ships in a Loupe bundle: PDF, IODEF XML, CSV, source originals, hash-chained audit log, Hashes.txt.
Audit log format
Hash-chained mutation history. The schema, the verification recipe, and what each event records.
Activation envelope wire format
The Ed25519-signed JSON that activates Loupe.app. Schema, signature scheme, and verification.
Settings reference
Every knob in Settings → General, Privacy, Diagnostics — with defaults and where state lives.
Release notes
What ships in each release. v1.0 today, plus the v1.x and v2 candidates already on the workbench.