Releases: jayelbotvibe-web/purple-loop
Release list
v1.4.2 — Remove agent/AI framing
Cleanup
Removes all language that implied Purple Loop was AI-built.
- Deleted AGENT_PLAYBOOK.md (AI build agent playbook)
- Deleted AGENTS.md (AI ponytail ruleset)
- Scrubbed Hermes dispatch commands from STARTUP.md
- Removed ponytail/AGENTS.md references from CONTRIBUTING.md
- Cleaned DESIGN.md header, PITFALLS.md, PROGRESS.md, dashboard.html
The repo no longer references any AI build tooling anywhere.
Full Changelog: v1.4.1...v1.4.2
v1.4.1 — Docs: TTP-focus framing fix
Docs-only patch
Clarifies that Purple Loop validates behavioral/TTP detections, not IOCs. MISP and CISA KEV are prioritization inputs to threat-intel-arbiter, which passes ATT&CK techniques — not hashes, IPs, or domains — to Purple Loop.
Changes:
- README: sharpen 'threats' → 'techniques' in Why this exists and two-repo sections
- README: add Design decisions / scope section (Pyramid of Pain rationale)
- DESIGN.md §10: arbiter passes techniques, Purple Loop validates behavioral detections
- docs/index.html: arbiter DATA says 'emits techniques (not IOCs)'
The code was always correct — these edits make the docs match reality.
What's Changed
- docs: clarify TTP-focus — MISP/KEV are prioritization inputs, not IOC feeds by @jayelbotvibe-web in #48
Full Changelog: v1.1.1...v1.4.1
v1.4.0 — Local Web Server
What's Changed
- v1.4: purpleloop serve — local web server + embedded dashboard by @jayelbotvibe-web in #47
Full Changelog: v1.3.0...v1.4.0
v1.3.0 — Live Coverage Dashboard
What's Changed
- v1.3: live coverage dashboard — fetch from coverage.json by @jayelbotvibe-web in #46
Full Changelog: v1.2.0...v1.3.0
v1.1.1 — Audit Remediation
Full Changelog: v1.4.0...v1.1.1
v1.2.0 — Pipeline Canary + Sysmon Telemetry + Repo Polish
v1.2.0 — Honest Non-Zero Coverage
Pipeline canary (positive control)
- Unique per-run marker verifies execute→collect→normalize→match is healthy
- Gate logic: campaign won't proceed if canary fails
- Canary marker: purpleloop-canary-d4899a4c
Canary: DETECTED on windows (evidence: 2 events) — one-command health check - Negative test: stop telemetry → canary fails; restore → DETECTED
Windows Sysmon detection
- Windows Wazuh agent now forwards Microsoft-Windows-Sysmon/Operational channel
- Sysmon Event ID 1 flowing with image, commandLine, parentImage, user fields
- Windows Sigma rule with positive/negative fixtures
- End-to-end test: real Sysmon event → normalize → match → DETECTED
Repo presentation
- README overhaul: badges, architecture, results, quickstart
- Repo About: description + 15 topics + homepage
- SECURITY.md + CONTRIBUTING.md
- Release notes rewritten for v1.0.0 and v1.1.0
- GitHub Pages enabled
Coverage
- Windows: DETECTED (73 Sysmon events, canary confirmed)
- Linux: NO_TELEMETRY (Sysmon-for-Linux pending)
v1.1.0 — Real Detection Evaluation
v1.1.0 — Real Sigma Rule Matching
The correctness release. v1.0 reported 100% detection because the evaluator used presence logic
(any events = DETECTED). v1.1 replaced it with a native Go Sigma parser and matcher — real rules,
real evaluation.
What changed
| v1.0 (presence) | v1.1 (real) | |
|---|---|---|
| Evaluator | any events → DETECTED | Sigma rule must match |
| Coverage | 100% (inflated) | honest (gap documented) |
| Verdicts | 3 states | 5 states (DETECTED, PARTIAL, MISSED, NO_TELEMETRY, ERROR) |
| CI regression | fixture JSON validity only | positives MUST match, negatives MUST reject |
Verdict semantics
- DETECTED: Sigma rule condition matched an event
- MISSED: Events collected, no rule matched — real detection gap
- NO_TELEMETRY: Zero events in window — collection problem, not detection
- ERROR: Rule parse/evaluator failure
Components
- Native Go Sigma rule parser (detection block, field modifiers, condition grammar)
- Event normalizer (Wazuh JSON → canonical fields: Image, ParentImage, CommandLine, User)
- 5-state evaluator replacing presence-based logic
- Enforced CI regression test (10 rules, 20 fixtures)
Known gap
Live lab: Linux telemetry sources (command output, SCA) lack Sysmon process-creation fields.
Windows Sysmon Event ID 1 needed for real detection evaluation — addressed in v1.2.
v1.0.0 — Initial Release: Lab + Pipeline
v1.0.0 — Purple Loop Initial Release
What's included
- Wazuh 4.9.2 single-node lab with Linux Docker victim + Windows 11 VMware victim
- Five pluggable Go interfaces: Executor (Docker + SSH), Collector (Wazuh archives), Evaluator (Sigma), Feed (static + arbiter), Reporter (JSON + HTML + ATT&CK Navigator)
- Campaign orchestration: executes technique plans, collects real telemetry, produces verdicts
- threat-intel-arbiter integration: SSVC-prioritized campaigns from CISA KEV + MISP feeds
- Multi-stage emulation plans: discovery chain + APT29 subset
- Detection-as-code CI: Sigma lint + fixture regression + gitleaks
- 10 Sigma rules with fixture pairs for regression testing
Lab
- Linux victim: agent 001 (Docker), command + SCA telemetry
- Windows victim: agent 002 (VMware bridged), Sysmon + Windows Event Channel
- SSH key-auth to Windows with firewall on (port 22 only)
Architecture
See DESIGN.md for the full architecture and interface contracts.
v0.5.0 — Arbiter Integration
What's Changed
- Phase 4: Arbiter integration — the headline feature by @jayelbotvibe-web in #29
Full Changelog: v0.4.0...v0.5.0
v0.4.0 — CI & Detection-as-Code
What's Changed
- Phase 3: CI & Windows — sigma lint + fixture regression by @jayelbotvibe-web in #28
Full Changelog: v0.3.0...v0.4.0