report
1-3-7 edited this page Jun 17, 2026 · 1 revision
disrobe report consolidates a completed run into a single forensic summary: input identity, chain topology, per-stage verdicts and recovery scores, the recovered-artifact inventory, and timings. It is the read-side companion to auto and chain.
```sh
disrobe report ./out/sample-auto # a completed single-file run
disrobe report ./out/samples-batch # a completed batch run
disrobe report ./malware.bin # raw input: runs auto first, then reports
disrobe report ./out/sample-auto --format markdown
disrobe report ./out/sample-auto --format html > report.html # self-contained, offline
```

The single positional argument can be:
| Target | Behavior |
|---|---|
| A directory with manifest.json | Read it and render a batch report. |
| A directory with chain.json + recovery.json | Read them and render a single-run report. |
| A raw input file | Run auto into ./out/<stem>-auto/ first, then report. |
| A raw directory (not an out dir) | Run a batch into ./out/<dir>-batch/ first, then report. |
A non-existent target is a hard error (DR-CLI-0350).
--format text|json|markdown|html (default text). The global --json flag forces JSON regardless of --format.
- text: a clean, aligned human report for the terminal.
- markdown: a shareable report with tables, ready to paste into an issue or PR.
- json: the machine-readable disrobe.report/v1 document.
- html: a single self-contained HTML file (printed to stdout; redirect to a .html). CSS is inlined; there is no JavaScript and no external/CDN reference, so it renders offline when double-clicked. Flat neutral-gray dark theme, single green accent, JetBrains-Mono numerics. Sections: input identity, a chain-topology flow, per-stage verdicts with inline SVG recovery bars, a recovery-tier histogram, the recovered-artifact inventory, and, when the input is still readable, an IOC table (defanged) plus a behavior / MITRE ATT&CK summary. Every interpolated value is HTML-escaped (XSS-safe), and the renderer uses no clock or randomness, so the document is byte-stable for identical report data.
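
The properties claimed for the html format (no script, no external reference, escaped values) can be checked on a generated report.html before it is opened in a browser. The following is an added example, not code from the disrobe project: `ReportAuditor`, `audit_report` and both sample documents are constructed here and assume nothing about disrobe's actual markup.

```python
from html.parser import HTMLParser

# Tags that run code or load documents, and attributes that fetch or navigate.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base"}
URL_ATTRS = {"src", "href", "srcset", "action", "data", "poster", "xlink:href"}

class ReportAuditor(HTMLParser):
    """Records every construct that would run script or reach outside the file."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []       # (line, description) pairs
        self._in_style = False   # True only while inside a <style> element

    def handle_starttag(self, tag, attrs):  # also invoked for <tag/> forms
        line = self.getpos()[0]
        self._in_style = tag == "style"
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append((line, f"event handler {name}"))
            elif name in URL_ATTRS and not value.startswith("#"):
                self.findings.append((line, f"{name} leaves the file: {value}"))
            elif name == "style":
                self._check_css(line, value)

    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self._check_css(self.getpos()[0], data)

    def _check_css(self, line, css):
        if "url(" in css.lower() or "@import" in css.lower():
            self.findings.append((line, "CSS url()/@import reference"))

def audit_report(html_text):  # empty result: no script, no outside reference
    auditor = ReportAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

# Constructed samples: CLEAN is escaped and self-contained, TAINTED is not.
CLEAN = """<!doctype html><html><head><style>body{color:#ddd}</style></head>
<body><a href="#input">top</a><svg width="100" height="8"><rect width="75" height="8" fill="#3c3"/></svg>
<table><tr><td>&lt;script&gt;x()&lt;/script&gt;</td><td>hxxp://example[.]test/a</td></tr></table></body></html>"""
TAINTED = CLEAN.replace("&lt;script&gt;x()&lt;/script&gt;",
    '<script>x()</script><img src="https://cdn.example.test/x.png" onerror="x()">')
```

An empty result from `audit_report(open("report.html", encoding="utf-8").read())` means the file contains nothing that executes or fetches; in-page fragment links (`#...`) are the only URL-bearing attributes it accepts.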
- Input identity: path, size, BLAKE3, detected format chain, final format.
- Topology + verdict: linear vs tree, and the overall chain verdict.
- Recovery score: the mean per-stage confidence-tier rank normalized to [0, 1], plus a tier label (skeleton / partial / semantic / exact).
- Tier histogram: exact / semantic / partial / skeleton counts.
- Per-stage table: index, pass id, confidence, score, duration.
- Recovered-artifact inventory: the union of artifact names produced by the stages.
- Notes: detect-only and skeleton-tier caveats.
- The aggregate counts (processed, recovered, detect-only, errors) and mean recovery score.
- A per-file table: file, detected format, score, and status (recovered / detect-only / error).
This wiki is generated from docs/src in the disrobe repository by scripts/wiki_sync.py. Edit the docs there, not the wiki pages here.