v0.6.1 — macOS quarantine + Linux cron + DNS tunneling
Three new native MCP functions, plus the Single-Source-of-Truth cleanup that closes the v0.6.0 drift loop.
Added
| Function | Purpose | MITRE |
|---|---|---|
| `parse_macos_quarantine` | macOS LSQuarantineEvent reader: download provenance, non-browser downloader flagging, pastesite/raw-IP/darknet origin detection | T1204, T1566.002, T1105 |
| `parse_linux_cron_jobs` | Enumerate `/etc/crontab`, `cron.d/`, `cron.{hourly,daily,weekly,monthly}/`, `/var/spool/cron/`; flag curl-pipe-shell, base64 decode, `@reboot` triggers, `/tmp/*.sh`, netcat listeners | T1053.003, T1059.004, T1546 |
| `detect_dns_tunneling` | DNS query log analysis (BIND9/dnsmasq/generic): Shannon entropy + long-label + rare-qtype + volume + Iodine/dnscat2 signatures. Opens TA0011 (Command-and-Control) coverage | T1071.004, T1568.002, T1572 |
17 new unit tests in test_v06_macos_linux.py. Full test suite passes on a clean clone.
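As an added illustration of the heuristics listed for `detect_dns_tunneling` (not the project's own implementation, which is not shown here), the scorer below applies Shannon entropy, long-label, rare-qtype and per-source volume checks to constructed dnsmasq-style query lines. The thresholds, the rare-qtype list and the log line format are assumptions chosen for the demo.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed dnsmasq-style query lines for the demo; not captured from a real resolver.
SAMPLE_LOG = """\
May 14 10:00:01 dnsmasq[812]: query[A] www.example.com from 10.0.0.5
May 14 10:00:02 dnsmasq[812]: query[TXT] 3kjd9f8a7s6d5f4g3h2j1k0l9z8x7c6v5b4n3m.tunnel.test from 10.0.0.9
May 14 10:00:03 dnsmasq[812]: query[NULL] aGVsbG8gd29ybGQgaGVsbG8.tunnel.test from 10.0.0.9
May 14 10:00:04 dnsmasq[812]: query[A] mail.example.com from 10.0.0.5
May 14 10:00:05 dnsmasq[812]: query[TXT] 9q8w7e6r5t4y3u2i1o0p9a8s7d6f5g4h3j2k1l.tunnel.test from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<src>\S+)")
RARE_QTYPES = {"TXT", "NULL", "CNAME", "MX", "KEY"}  # assumed list; tune per environment

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload labels score high, ordinary hostnames score low."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def analyze_queries(log_text, long_label=30, high_entropy=3.5, volume=3):
    """Score queries per (source IP, registered domain); return only entries with findings."""
    hits = defaultdict(lambda: {"queries": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        entry = hits[(m["src"], ".".join(labels[-2:]))]  # key on last two labels
        entry["queries"] += 1
        longest = max(labels[:-2], key=len, default="")  # longest subdomain label
        if len(longest) >= long_label:
            entry["reasons"].add("long-label")
        if longest and shannon_entropy(longest) >= high_entropy:
            entry["reasons"].add("high-entropy")
        if m["qtype"] in RARE_QTYPES:
            entry["reasons"].add("rare-qtype:" + m["qtype"])
    for entry in hits.values():  # volume check runs once all lines are counted
        if entry["queries"] >= volume:
            entry["reasons"].add("volume")
    return {k: {"queries": v["queries"], "reasons": sorted(v["reasons"])}
            for k, v in hits.items() if v["reasons"]}

if __name__ == "__main__":
    for (src, domain), info in analyze_queries(SAMPLE_LOG).items():
        print(f"{src} -> {domain}: {info['queries']} queries, {', '.join(info['reasons'])}")
```

On the sample above only the `tunnel.test` traffic from 10.0.0.9 is reported; the two `example.com` lookups trip none of the checks.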
Fixed
- CI workflow (`ci.yml`), `examples/sift-adapter-demo.sh`, and `scripts/install.sh` no longer hardcode native/total counts. Drift-safe invariant checks (count > 0, native + sift == total, no forbidden tool names) replaced exact-count assertions.
- This was the root cause of ten consecutive failed CI runs between v0.6.0 (2026-05-13) and the SoT cleanup commit on 2026-05-14.
Changed
- Companion repo agentic-dart-collector-adapter flipped from Apache-2.0 to MIT for ecosystem consistency.
- Hardcoded counts removed from ~25 locations across README body, docs, wiki, and profile surfaces. Numbers now live only in: README L92+L259 Hero, DEVPOST_SUBMISSION.md, DEMO_STORYBOARD.md, and the `tests/test_mcp_surface.py` canonical name set.
Surface
Runtime list_tools() returns the typed read-only MCP surface (45 native pure-Python forensic functions + 25 SIFT Workstation adapters). The canonical name set is asserted in tests/test_mcp_surface.py::test_registered_tools_are_exact_set.
Full changelog: CHANGELOG.md