v0.8.0: Session Log Similarity Search

@sydney-nebulock sydney-nebulock released this 15 Feb 18:13
· 59 commits to main since this release

What's New

Session Log Similarity Search (athf similar)

Session decisions and rationales are now indexed alongside hunt files for semantic similarity search. When you search for "telegram bot" or "orphaned CDN", you'll find the session where those patterns were investigated — not just the parent hunt if it happens to mention those terms.

Default: Session Folding (0.75x weight)

Session text from decisions.yaml and summary.md is automatically folded into the parent hunt's searchable text, boosting its similarity score:

athf similar "credential dumping"
# Sessions with credential dumping decisions boost their parent hunt's score

New: --sessions Flag

Add --sessions to see individual session entries as separate results with auto-generated titles:

athf similar "telegram bot" --sessions
# Score  Source   ID                     Title
# 0.634  session  H-0026-2026-02-13     Benign email preview, Telegram...
# 0.412  hunt     H-0026                AgreeToSteal DNS Investigation

Session Content Indexed

  • decisions.yaml → decision + rationale fields
  • summary.md → "Key Decisions" and "Lessons" sections
  • Excluded: queries.yaml (SQL noise), session.yaml (metadata only)

Recursive Hunt Discovery

athf similar now finds hunts in nested directories (hunts/production/2026/Q1/H-0026.md) instead of only the root hunts/ folder. Duplicate hunt IDs across paths are deduplicated, preferring the deeper (organized) path.

Weighting Summary

Content                                       Weight
Hunt title                                    3x
Hunt hypothesis                               2x
ABLE sections                                 1.5x
Tactics/techniques/platform                   1x
Session decisions+rationales (folded)         0.75x
Session decisions+rationales (standalone)     1x
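
An added illustration of how folding and --sessions interact with the weights above; it is not ATHF's code. The scorer (cosine similarity over weighted term counts), the function names, and the sample hypothesis and session text are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Field weights taken from the release notes' weighting summary.
WEIGHTS = {"title": 3.0, "hypothesis": 2.0, "able": 1.5, "tags": 1.0,
           "session_folded": 0.75, "session_standalone": 1.0}

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def weighted_vector(fields):
    """Sum per-field term counts, each scaled by its field weight."""
    vec = Counter()
    for name, text in fields.items():
        for tok in tokens(text):
            vec[tok] += WEIGHTS[name]
    return vec

def cosine(a, b):
    # Assumed scorer for this sketch; the real tool's similarity model may differ.
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def search(query, hunts, sessions, show_sessions=False):
    """Return (score, source, id) rows, best first."""
    q = Counter(tokens(query))
    rows = []
    for hunt_id, fields in hunts.items():
        # Default behaviour: fold each session's text into its parent hunt at 0.75x.
        folded = " ".join(t for sid, t in sessions.items() if sid.startswith(hunt_id + "-"))
        doc = dict(fields)
        if folded:
            doc["session_folded"] = folded
        rows.append((round(cosine(q, weighted_vector(doc)), 3), "hunt", hunt_id))
    if show_sessions:
        # --sessions: each session is also scored on its own at 1x.
        for sid, text in sessions.items():
            vec = weighted_vector({"session_standalone": text})
            rows.append((round(cosine(q, vec), 3), "session", sid))
    return sorted(rows, reverse=True)

# Constructed sample data: IDs and title reuse the example output above,
# the hypothesis and session text are invented for this sketch.
HUNTS = {"H-0026": {"title": "AgreeToSteal DNS Investigation",
                    "hypothesis": "Add-in exfiltrates mail via attacker DNS"}}
SESSIONS = {"H-0026-2026-02-13": "Decision: treat telegram bot callback as benign email preview"}
```

With this data, the hunt scores 0 for "telegram bot" until the session is folded in, and with show_sessions=True the session row ranks above its parent hunt, mirroring the ordering in the --sessions sample output.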

Commits since v0.7.2

  • feat(similar): add _extract_session_text for session log parsing
  • feat(similar): fold session logs into hunt similarity scores
  • feat(similar): add --sessions flag with session row display
  • docs(similar): update epilog and docstring for session search
  • chore: bump version to 0.8.0
  • fix(similar): use recursive glob and deduplicate hunt files

Invariants

  • No new dependencies
  • Hunt-only results identical when no sessions exist
  • --hunt flag continues to work
  • Graceful degradation if session files missing or malformed