feat(interop+security): v2.0.0 — interop tests fix + TOTP MFA + Loki SIEM

Fix: 18 → 0 errores en interop test suite (BESSAI-SPEC-001 §5.1)
- src/drivers/simulator_driver.py: 6 tags SPEC-001 normalizadas (SOC_%, P_kW, T_battery_C, V_dc_V, alarm_code, mode)
- src/drivers/simulator_driver.py: KeyError para tags desconocidos (SPEC-001 §4.5)
- src/drivers/simulator_driver.py: ValueError para valores inf/nan en write_tag (SPEC-001 §4.6)
- tests/conftest.py: root conftest para --driver-class
- pytest.ini: cambio [tool:pytest] → [pytest] para asyncio_mode=auto

Feat: IEC 62443 GAP-001 CLOSED — TOTP MFA (SR 1.3)
- src/interfaces/totp_auth.py: módulo TOTP con soft-dep pyotp
- src/interfaces/dashboard_api.py: TOTP en _check_auth + /api/v1/auth/totp-info
- tests/test_totp_auth.py: 17 tests TOTP
- requirements.txt: pyotp>=2.9.0

Feat: IEC 62443 GAP-002 CLOSED — Loki SIEM log forwarding (SR 6.1, SR 6.2)
- infrastructure/docker/otel-collector-config.yaml: exporter loki + pipeline logs
- infrastructure/docker/docker-compose.yml: servicio bessai-loki (perfil monitoring)
- infrastructure/loki/loki-config.yaml: Loki config edge (filesystem, 30d retención)

Test: 410 passed, 4 skipped — suite completa sin failures ni errors

Author: BESS Solutions

CHANGELOG.md

@@ -7,10 +7,33 @@
 
 ---
 
-## 🤖 AGENT HANDOFF — Estado actual del proyecto (2026-02-22T13:37 -03:00)
+## 🤖 AGENT HANDOFF — Estado actual del proyecto (2026-02-22T19:22 -03:00)
 
 > [!IMPORTANT]
-> **v1.8.0 — Global Standard Foundations Release** (2026-02-22)
+> **v2.0.0 — Interop Tests Fix + TOTP MFA + Loki SIEM** (2026-02-22)
+>
+> ### Cambios v2.0.0
+>
+> **Fix: 18 → 0 errores en interop test suite**
+> - `src/drivers/simulator_driver.py` — 6 tags SPEC-001 normalizadas: `SOC_%`, `P_kW`, `T_battery_C`, `V_dc_V`, `alarm_code`, `mode`
+> - `src/drivers/simulator_driver.py` — Excepción `KeyError` para tags desconocidos (SPEC-001 §4.5)
+> - `src/drivers/simulator_driver.py` — `write_tag()` lanza `ValueError` para valores `inf`/`nan` (SPEC-001 §4.6)
+> - `tests/conftest.py` — Root conftest registra `--driver-class` antes de colección
+> - `pytest.ini` — Cambiado a `[pytest]` para habilitar `asyncio_mode = auto`
+>
+> **IEC 62443 GAP-001 CLOSED: TOTP MFA (SR 1.3)**
+> - `src/interfaces/totp_auth.py` — Módulo TOTP con soft-dep pyotp; fallback dev-mode
+> - `src/interfaces/dashboard_api.py` — TOTP en `_check_auth()` + endpoint `/api/v1/auth/totp-info`
+> - `tests/test_totp_auth.py` — Suite TOTP: 17 passed, 4 skipped (pyotp no instalado)
+> - `requirements.txt` — `pyotp>=2.9.0`
+>
+> **IEC 62443 GAP-002 CLOSED: Loki SIEM log forwarding (SR 6.1, SR 6.2)**
+> - `infrastructure/docker/otel-collector-config.yaml` — Exporter Loki + pipeline `logs`
+> - `infrastructure/docker/docker-compose.yml` — Servicio `bessai-loki` (perfil `monitoring`)
+> - `infrastructure/loki/loki-config.yaml` — Config Loki: filesystem, retención 30 días
+>
+> **Resultado:** `410 passed, 4 skipped` — suite completa sin failures ni errors.
+
 > - Commit `TBD` → main: docs(standard): plan de ejecución global — 18 archivos nuevos, 3 modificados
 >
 > ### Cambios v1.8.0 — Path to Global Standard

infrastructure/docker/docker-compose.yml

@@ -4,14 +4,16 @@
 # Services:
 #   modbus-simulator  — Simulated Modbus TCP device (dev/test only)
 #   gateway           — The BESSAI Edge Gateway application
-#   otel-collector    — OpenTelemetry Collector (OTLP receiver → console)
+#   otel-collector    — OpenTelemetry Collector (OTLP receiver → Loki + console)
 #   prometheus        — Metrics scraper (monitoring profile)
-#   grafana           — Metrics dashboard (monitoring profile)
+#   grafana           — Metrics + Logs dashboard (monitoring profile)
+#   bessai-loki       — Grafana Loki SIEM (monitoring profile, IEC 62443 GAP-002)
 #
 # Profiles:
 #   (default)   — gateway + otel-collector  (requires real INVERTER_IP in .env)
 #   simulator   — modbus-simulator + gateway-sim + otel-collector (dev mode)
-#   monitoring  — prometheus + grafana (add to any profile for dashboards)
+#   monitoring  — prometheus + grafana + loki (add to any profile for dashboards)
+#                 Set LOKI_ENDPOINT=http://bessai-loki:3100/loki/api/v1/push
 #
 # Usage:
 #   # Development mode (with Modbus simulator):
@@ -41,6 +43,7 @@ volumes:
   otel-data:
   prometheus-data:
   grafana-data:
+  loki-data:  # IEC 62443 GAP-002: SIEM audit log persistence
 
     # ── Services ──────────────────────────────────────────────────────────────────
 services:
@@ -192,6 +195,36 @@ services:
       - bess-net
     depends_on:
       - prometheus
+      - bessai-loki  # IEC 62443 GAP-002: Loki datasource
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "2"
+
+  # ── Grafana Loki — SIEM log store (monitoring profile) ────────────────────
+  # IEC 62443-3-3 SR 6.1 / SR 6.2: Audit log generation and review.
+  # GAP-002: Structured audit logs from OTel Collector → Loki → Grafana.
+  # Access: http://localhost:3100/ready
+  bessai-loki:
+    image: grafana/loki:2.9.8
+    container_name: bessai-loki
+    profiles: [ "monitoring" ]
+    restart: unless-stopped
+    command: -config.file=/etc/loki/loki-config.yaml
+    volumes:
+      - ../loki/loki-config.yaml:/etc/loki/loki-config.yaml:ro
+      - loki-data:/loki
+    ports:
+      - "3100:3100"  # Loki push API + query API
+    networks:
+      - bess-net
+    healthcheck:
+      test: [ "CMD", "wget", "-q", "--spider", "http://localhost:3100/ready" ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
     logging:
       driver: "json-file"
       options:

infrastructure/docker/otel-collector-config.yaml

@@ -1,6 +1,8 @@
 # =============================================================================
 # OpenTelemetry Collector — BESSAI Edge Gateway Configuration
 # Used by docker-compose.yml
+# IEC 62443-3-3 SR 6.1 / SR 6.2: Audit log generation + review
+# GAP-002 CLOSED: log forwarding to Loki SIEM via otlp logs pipeline
 # =============================================================================
 
 receivers:
@@ -27,15 +29,38 @@ processors:
         value: "production"
         action: insert
 
+  # Add site_id resource attribute for SIEM correlation
+  transform/add_site_id:
+    log_statements:
+      - context: resource
+        statements:
+          - set(attributes["bessai.site_id"], "${SITE_ID:-edge-001}")
+          - set(attributes["bessai.component"], "edge-gateway")
+          - set(attributes["iec62443.zone"], "OT")
+
 exporters:
-  # Log spans/metrics to stdout — replace with your backend exporter
-  # (e.g. googlecloud, datadog, jaeger) in production.
+  # Stdout logging — always on for local debugging
   logging:
     loglevel: info
     sampling_initial: 5
     sampling_thereafter: 200
 
-  # Example: Google Cloud Monitoring / Trace (uncomment if using GCP)
+  # SIEM forwarding: Grafana Loki (IEC 62443 GAP-002)
+  # Set LOKI_ENDPOINT env var; defaults to monitoring profile's Loki service.
+  loki:
+    endpoint: "${LOKI_ENDPOINT:-http://bessai-loki:3100/loki/api/v1/push}"
+    default_labels_enabled:
+      exporter: false
+      job: true
+    labels:
+      resource_attributes:
+        service.name: "true"
+        host.name: "true"
+        bessai.site_id: "true"
+        bessai.component: "true"
+        iec62443.zone: "true"
+
+  # GCP Cloud Monitoring (uncomment for cloud deployment)
   # googlecloud:
   #   project: "${GCP_PROJECT_ID}"
 
@@ -58,3 +83,8 @@ service:
       receivers:  [otlp]
       processors: [memory_limiter, batch]
       exporters:  [logging]
+    # IEC 62443 GAP-002: structured audit log forwarding to SIEM (Loki)
+    logs:
+      receivers:  [otlp]
+      processors: [memory_limiter, transform/add_site_id, batch]
+      exporters:  [logging, loki]

infrastructure/loki/loki-config.yaml

@@ -0,0 +1,76 @@
+# BESSAI Edge Gateway — Grafana Loki Configuration
+# IEC 62443-3-3 SR 6.1 / SR 6.2: Audit log generation and review (GAP-002)
+# Receives structured logs from OTel Collector via HTTP push API (:3100)
+# Minimal single-binary configuration for edge deployment
+
+auth_enabled: false  # No auth within the bess-net Docker network (Bearer auth handled by OTel)
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+  log_level: info
+
+# Ingester: in-memory write-ahead log
+ingester:
+  wal:
+    enabled: true
+    dir: /loki/wal
+  lifecycler:
+    address: 127.0.0.1
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+    final_sleep: 0s
+  chunk_idle_period: 5m
+  max_chunk_age: 1h
+  chunk_retain_period: 30s
+  max_transfer_retries: 0
+
+# Schema for chunks (TSDB — recommended since Loki 2.8)
+schema_config:
+  configs:
+    - from: 2024-01-01
+      store: tsdb
+      object_store: filesystem
+      schema: v12
+      index:
+        prefix: index_
+        period: 24h
+
+# Storage: local filesystem (suitable for edge deployment)
+storage_config:
+  tsdb_shipper:
+    active_index_directory: /loki/index
+    cache_location: /loki/index_cache
+    cache_ttl: 24h
+  filesystem:
+    directory: /loki/chunks
+
+# Limits — conservative for edge hardware
+limits_config:
+  enforce_metric_name: false
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h  # 7 days
+  max_cache_freshness_per_query: 10m
+  max_entries_limit_per_query: 50000
+
+# Retention: 30 days for IEC 62443 audit compliance
+chunk_store_config:
+  max_look_back_period: 720h  # 30 days
+
+table_manager:
+  retention_deletes_enabled: true
+  retention_period: 720h  # 30 days
+
+# Query: minimize memory use on edge
+query_range:
+  max_retries: 5
+  parallelise_shardable_queries: false
+
+# Compactor (runs retention rules)
+compactor:
+  working_directory: /loki/compactor
+  compaction_interval: 10m
+  retention_enabled: true
+  delete_request_store: filesystem

pytest.ini

@@ -1,4 +1,4 @@
-[tool:pytest]
+[pytest]
 testpaths = tests
 asyncio_mode = auto
 addopts =

requirements.txt

@@ -104,3 +104,11 @@ paho-mqtt>=2.0.0
 # ---------------------------------------------------------------------------
 cryptography>=46.0.0
 
+# ---------------------------------------------------------------------------
+# v2.0.0 — TOTP MFA (IEC 62443-3-3 SR 1.3 — Account Management, GAP-001)
+# ---------------------------------------------------------------------------
+# TOTP/HOTP two-factor authentication for the admin dashboard API.
+# Soft dependency: if not installed, TOTP enforcement is disabled (dev mode).
+# GAP-001 CLOSED when DASHBOARD_MFA_SECRET is configured and pyotp is installed.
+pyotp>=2.9.0
+

src/drivers/simulator_driver.py

@@ -216,6 +216,13 @@ async def read_tag(self, tag_name: str) -> float:
     async def write_tag(self, tag_name: str, value: float) -> None:
         if not self._connected:
             raise DataProviderError("SimulatorDriver not connected")
+        # BESSAI-SPEC-001 §4.6: reject non-finite values (inf, nan)
+        import math as _math
+        if not _math.isfinite(value):
+            raise ValueError(
+                f"write_tag('{tag_name}', {value}): non-finite value rejected. "
+                "BESSAI-SPEC-001 §4.6 requires all values to be finite floats."
+            )
         if tag_name not in self._writable and self._tags:
             log.warning("simulator.write_readonly", tag=tag_name)
         log.debug("simulator.write_tag", tag=tag_name, value=value)
@@ -315,6 +322,23 @@ def noise(s=0.5):
             return random.uniform(-s, s)
 
         mapping: dict[str, float] = {
+            # ----------------------------------------------------------------
+            # BESSAI-SPEC-001 §5.1 — Required normalized tag names
+            # These tags MUST be present in every conformant DataProvider.
+            # ----------------------------------------------------------------
+            "SOC_%":        self._soc + noise(0.1),           # 0–100 %
+            "P_kW":         self._power_kw + noise(0.05),    # kW (+charge, -discharge)
+            "T_battery_C":  self._temp_c + noise(0.2),       # −40 to 100 °C
+            "V_dc_V":       max(0.0, self._voltage + noise(2)),  # 0–∞ V
+            "alarm_code":   0.0 if self._mode != SimMode.FAULT else 16.0,  # 0–∞
+            # SPEC-001 §5.1 mode enum: 0=FAULT 1=STRESS 2=NORMAL(TOU) 3=IDLE
+            "mode":         (
+                2.0 if self._mode == SimMode.NORMAL else
+                3.0 if self._mode == SimMode.IDLE else
+                1.0 if self._mode == SimMode.STRESS else
+                0.0  # FAULT
+            ),
+            # ----------------------------------------------------------------
             # State of charge / health
             "luna_soc": self._soc + noise(0.1),
             "battery_soc": self._soc + noise(0.1),
@@ -405,8 +429,11 @@ def noise(s=0.5):
                 # Unknown tag but exists in profile — return plausible default
                 log.debug("simulator.unknown_tag_default", tag=tag_name)
                 return 0.0
-            raise DataProviderError(
-                f"SimulatorDriver: tag '{tag_name}' is not in profile '{self._profile_name}'"
+            # BESSAI-SPEC-001 §4.5: raise KeyError for unknown tags
+            raise KeyError(
+                f"Tag '{tag_name}' not found in SimulatorDriver "
+                f"(profile: '{self._profile_name}'). "
+                "See BESSAI-SPEC-001 §5 for the required tag set."
             )
 
         return round(mapping[tag_name], 4)

src/interfaces/dashboard_api.py

@@ -36,6 +36,7 @@
 
 from src.interfaces.arbitrage_engine import ArbitrageEngine
 from src.interfaces.cmg_predictor import CMgPredictor
+from src.interfaces.totp_auth import TOTPAuth
 
 # Optional: bessai_arbitrage data-flywheel pipeline (Parquet-backed, cached)
 try:
@@ -194,23 +195,46 @@ def __init__(
         state: DashboardState | None = None,
         port: int = 8080,
         api_key: str = "",
+        site_id: str = "edge-001",
     ) -> None:
         self.state = state or DashboardState()
         self.port = port
         self.api_key = api_key or os.getenv("DASHBOARD_API_KEY", "")
         self._app: Any | None = None
         self._runner: Any | None = None
+        # IEC 62443 SR 1.3 — TOTP MFA (optional, configured via DASHBOARD_MFA_SECRET)
+        self._totp = TOTPAuth(site_id=site_id)
 
     # ------------------------------------------------------------------
     # Route handlers
     # ------------------------------------------------------------------
 
     async def _check_auth(self, request: Any) -> bool:
-        """Return True if auth is satisfied (no-op in dev mode)."""
-        if not self.api_key:
-            return True
-        auth = request.headers.get("Authorization", "")
-        return bool(auth == f"Bearer {self.api_key}")
+        """Return True if auth is satisfied.
+
+        Auth flow (IEC 62443 SR 1.3):
+        1. Bearer token check (existing) → if configured and wrong, deny.
+        2. TOTP check (new) → if MFA enabled and token wrong/missing, deny.
+        """
+        # Step 1 — Bearer token
+        if self.api_key:
+            auth = request.headers.get("Authorization", "")
+            if auth != f"Bearer {self.api_key}":
+                log.warning("dashboard_api.auth_bearer_failed", remote=str(request.remote))
+                return False
+
+        # Step 2 — TOTP MFA (IEC 62443 SR 1.3)
+        if self._totp.is_enabled:
+            totp_token = request.headers.get("X-TOTP-Token", "")
+            if not self._totp.verify(totp_token):
+                log.warning(
+                    "dashboard_api.auth_totp_failed",
+                    remote=str(request.remote),
+                    token_received=bool(totp_token),
+                )
+                return False
+
+        return True
 
     def _json_response(self, data: dict) -> Any:
         return web.Response(
@@ -254,6 +278,14 @@ async def handle_version(self, request: Any) -> Any:
             }
         )
 
+    async def handle_totp_info(self, request: Any) -> Any:
+        """Report TOTP MFA configuration status (IEC 62443-3-3 SR 1.3).
+
+        This endpoint is *unauthenticated* intentionally — it only reports
+        whether MFA is enabled, not the secret itself.
+        """
+        return self._json_response(self._totp.info().to_dict())
+
     async def handle_health(self, request: Any) -> Any:
         return self._json_response(
             {
@@ -453,6 +485,7 @@ async def cors_middleware(request: Any, handler: Any) -> Any:
         self._app.router.add_get("/api/v1/ids", self.handle_ids)
         self._app.router.add_get("/api/v1/version", self.handle_version)
         self._app.router.add_get("/api/v1/health", self.handle_health)
+        self._app.router.add_get("/api/v1/auth/totp-info", self.handle_totp_info)
         self._app.router.add_options("/{path_info:.*}", self._cors_preflight)
 
         self._runner = web.AppRunner(self._app)