Releases: noexecstack/hubble-audit2policy
v0.18.5
v0.18.3
- Fix README image not rendering on PyPI by using absolute URL
v0.18.2
- Add TUI flow report screenshot to README
- Add recommended Cilium Helm values section for policyAuditMode
- Clean up README prose
v0.18.0
What's new
- PyPI publishing: Package is now available on PyPI (pip install hubble-audit2policy). A GitHub Actions workflow automatically publishes new releases via OIDC trusted publishing.
- Updated install instructions: README now points to PyPI with a pipx alternative for isolated installs.
v0.17.1
Fixed
- Drop re.escape() from LogQL line filters. Python's re.escape injects backslashes before hyphens (e.g. kube\-system) that are invalid in LogQL Go-style string literals, causing -n kube-system and other hyphenated namespace filters to silently return 0 results from Loki.
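Why the escaped form breaks, as an added example (not the project's code): a small checker, with hypothetical helper names invalid_go_escapes and go_quote, that flags backslash sequences a Go-style double-quoted literal does not accept. Numeric escape prefixes are recognised but their digits are not validated.

```python
import re

# Single-character escapes accepted inside a Go double-quoted string literal.
GO_SIMPLE_ESCAPES = set('abfnrtv\\"')
# Prefixes of numeric escapes (\x41, \u00e9, \U0001F600, \101); digits unchecked.
GO_NUMERIC_PREFIXES = set("xuU01234567")


def invalid_go_escapes(body):
    """Return the backslash sequences in `body` that a Go interpreted
    string literal rejects (body is the text between the double quotes)."""
    bad = []
    i = 0
    while i < len(body):
        if body[i] == "\\":
            nxt = body[i + 1] if i + 1 < len(body) else ""
            if nxt not in GO_SIMPLE_ESCAPES and nxt not in GO_NUMERIC_PREFIXES:
                bad.append("\\" + nxt)  # includes a dangling trailing backslash
            i += 2
        else:
            i += 1
    return bad


def go_quote(text):
    """Quote `text` as a Go-style literal by escaping backslashes and quotes."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


if __name__ == "__main__":
    namespace = "kube-system"        # constructed sample value
    escaped = re.escape(namespace)   # kube\-system
    print(escaped, invalid_go_escapes(escaped))      # flagged: \-
    print(namespace, invalid_go_escapes(namespace))  # nothing flagged
    quoted = go_quote(escaped)       # "kube\\-system": valid at the literal layer
    print(quoted, invalid_go_escapes(quoted[1:-1]))
```

Running such a check on a generated query before sending it turns a silent empty result into an immediate, visible error.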
v0.17.0
What's new
fluent-bit Loki support
Loki log lines wrapped in a fluent-bit JSON envelope ({"log": "..."}) are now automatically detected and unwrapped, so flows ingested via fluent-bit work out of the box alongside promtail.
Default query updated
Default --loki-query changed from {container="cilium-agent"} (promtail) to {app_kubernetes_io_name="cilium-agent"} (fluent-bit). Promtail users can override with --loki-query '{container="cilium-agent"}'.
Format-agnostic server-side filters
Loki line filters now use regex patterns that match both promtail (plain quotes) and fluent-bit (escaped quotes) log formats, keeping server-side filtering effective regardless of the log shipper.
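An added sketch of both ideas, not hubble-audit2policy's own implementation: unwrapping the fluent-bit envelope and a verdict pattern that tolerates escaped quotes. The sample lines, the "stream" field and the function names are constructed for illustration, and the pattern is a Python regex, not the tool's LogQL filter.

```python
import json
import re

# Constructed sample lines: the same flow as shipped by promtail (raw) and
# by fluent-bit (JSON envelope with the original line under "log").
RAW = '{"flow":{"verdict":"AUDIT","source":{"namespace":"kube-system"}}}'
WRAPPED = json.dumps({"log": RAW + "\n", "stream": "stdout"})


def unwrap(line):
    """Return the inner log line if `line` is a {"log": "..."} envelope."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return line  # not JSON at all: leave untouched
    if isinstance(obj, dict) and isinstance(obj.get("log"), str):
        return obj["log"].strip()
    return line  # JSON, but not an envelope (e.g. a raw flow)


def verdict_pattern(verdict):
    """Regex matching "verdict":"X" with plain or backslash-escaped quotes.
    `verdict` is expected to be a fixed keyword such as AUDIT or DROPPED."""
    q = r'\\?"'  # an optional backslash, then a double quote
    return re.compile(q + "verdict" + q + r"\s*:\s*" + q + verdict + q)


def parse_flow(line):
    """Parse either log format and return the flow dict, whether or not the
    JSON is wrapped in a top-level "flow" key."""
    obj = json.loads(unwrap(line))
    return obj.get("flow", obj)


if __name__ == "__main__":
    for sample in (RAW, WRAPPED):
        hit = verdict_pattern("AUDIT").search(sample) is not None
        print(hit, parse_flow(sample)["verdict"])
```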
v0.16.0
Changes
- Move Loki TUI from --watch to --report-only: --watch is now exclusively for live hubble monitoring. The interactive TUI for browsing historical flows (from files or Loki) is available via --report-only, which launches a full curses TUI on a terminal and falls back to plain text otherwise.
- Fix Loki TUI black screen: the old --watch path re-parsed all flows on every refresh cycle, blocking the first frame render on large datasets. The TUI now parses once up front.
- Add --since/--until validation: inverted Loki time windows (e.g. --since 5m --until 1h) now produce a clear error instead of silently returning no results.
- Fix misleading _parse_flow_list docstring: the code handles both wrapped and unwrapped flow dicts; the docstring now reflects this.
Breaking changes
--watch --from loki now exits with an error. Use --report-only instead for the same interactive TUI experience.
v0.15.0
What's Changed
Bug Fixes
- Fixed critical data loss in Loki pagination (#34): Loki can return fewer entries than the requested limit at storage block boundaries and ingester splits. The previous pagination check (batch_count < limit) treated short pages as end-of-data, silently discarding remaining entries in each chunk. This caused data loss on large queries (e.g. 24h windows with millions of flows). Changed to paginate until an empty response, matching logcli behavior.
- Track global max timestamp across all streams for correct cursor advancement instead of using the last-iterated stream's timestamp.
- Deduplicate entries at pagination boundaries to prevent duplicates when entries share a nanosecond timestamp.
- Annotate parts list to resolve Pyright unknown-type errors (#33).
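The three pagination fixes above, shown against a constructed in-memory backend (an added example, not the project's code or the Loki API): fake_query, fetch_all, BLOCK_END and the sample entries are hypothetical. It assumes fewer than `limit` entries share a single timestamp.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp_ns, stream, line). Two share ts=3.
ENTRIES = [(1, "a", "f1"), (2, "b", "f2"), (3, "a", "f3"), (3, "b", "f4"),
           (4, "a", "f5"), (6, "b", "f6"), (7, "a", "f7"), (9, "b", "f8")]
BLOCK_END = 5  # hypothetical storage block boundary in the fake backend


def fake_query(start_ns, limit):
    """Stand-in for a forward range query: entries with ts >= start_ns,
    capped at `limit` and never crossing the block boundary in one page."""
    hits = [e for e in ENTRIES if e[0] >= start_ns]
    if hits and hits[0][0] < BLOCK_END:
        hits = [e for e in hits if e[0] < BLOCK_END]
    streams = defaultdict(list)
    for ts, stream, line in hits[:limit]:
        streams[stream].append((ts, line))
    return dict(streams)


def fetch_all(query, start_ns, limit, stop_on_short_page=False):
    """Collect every entry; stop_on_short_page=True reproduces the old check."""
    out, seen, cursor = [], set(), start_ns
    while True:
        page = query(cursor, limit)
        batch = [(ts, s, line) for s, vals in page.items() for ts, line in vals]
        if not batch:
            break  # only an empty response means end-of-data
        fresh = [e for e in batch if e not in seen]  # drop boundary duplicates
        seen.update(fresh)
        out.extend(fresh)
        if stop_on_short_page and len(batch) < limit:
            break  # old behaviour: a short page is mistaken for the end
        max_ts = max(ts for ts, _, _ in batch)  # global max over all streams
        # Re-query from max_ts so entries sharing that nanosecond are kept;
        # step past it when a page brought nothing new, so the loop advances.
        cursor = max_ts if fresh else max_ts + 1
    return sorted(out)


if __name__ == "__main__":
    old = fetch_all(fake_query, 0, 3, stop_on_short_page=True)
    print(len(old), "of", len(ENTRIES), "entries with the short-page check")
    print(len(fetch_all(fake_query, 0, 3)), "of", len(ENTRIES), "when paging until empty")
```

For a tool that derives network policy from observed flows, the entries dropped by the old check are flows the generated policy would never account for.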
Improvements
- Reduced default --loki-threads from 8 to 4 for better reliability over kubectl port-forward connections.
- Auto-scaling now targets ~200 chunks (min 1m) instead of ~48 (min 5m), reducing the blast radius of individual chunk failures.
Full Changelog: v0.14.0...v0.15.0
v0.14.0
What's new
Loki progress indicator
A live spinner now displays elapsed time, chunk completion percentage, and cumulative flow counts during Loki fetches. Previously, long fetches showed no output until completion.
Gzip compression for Loki responses
HTTP requests to Loki now request gzip-compressed responses and decompress them transparently, reducing bandwidth on large result sets.
Server-side verdict filtering
Verdict filters (--verdict AUDIT, --verdict DROPPED) are now pushed into LogQL queries as line filters. Loki discards non-matching flows server-side instead of shipping everything over the wire, significantly reducing response sizes when filtering to specific verdicts.
Shared TUI infrastructure
The curses TUI loop shared between live watch mode and Loki watch mode has been extracted into reusable components, eliminating ~200 lines of duplicated code with no behavioral changes.
Misc
- _loki_watch_mode() uses parser.error() for argument validation (consistent with the rest of the CLI)
- LokiResult converted to a dataclass
- Docstrings standardized to inline parameter style
- Version bumped to 0.14.0
v0.13.0
What's New
- Loki retry with exponential backoff -- Transient errors (timeouts, connection resets) during Loki chunk fetches are now retried up to 3 times with 1s/2s/4s backoff delays, significantly improving reliability for data-heavy namespaces.
- --loki-retries N flag -- Configure the number of retries per chunk (default: 3, set to 0 to disable).
- Server-side verdict filter -- All Loki queries now include a verdict line filter, reducing data transfer by filtering out non-flow cilium-agent log lines at the Loki level.
- Post-fetch warning summary -- When retries or chunk failures occur, a warning is printed with hints to adjust --loki-timeout or --loki-chunk.
- Partial Loki results are now properly flagged when any chunk failed after exhausting retries.