History / FAQ

Revisions

  • wiki: drop macOS host-install guide+links — host is Linux only; macOS stays an analysis target

    @Juwon1405 Juwon1405 committed Jun 15, 2026
  • wiki: align evidence model with code — per-case evidence_root, drop obsolete shared sample-evidence, link live demo video

    @Juwon1405 Juwon1405 committed Jun 15, 2026
  • docs(wiki): reconcile tactic coverage to 10/12 (was 11)

    FAQ/Phase-1/Roadmap claimed TA0011 (C2) was covered by detect_dns_tunneling (only TA0009 deferred = 11/12), contradicting accuracy-report + README + DEVPOST + Pages (10/12). Per the conservative scoped-rule standard, both TA0009 (Collection) and full TA0011 (C2) are Phase-2; detect_dns_tunneling adds partial DNS-tunneling C2 indicators. Dated v0.6.1 history rows left as-is.

    @Juwon1405 Juwon1405 committed Jun 13, 2026
  • docs(wiki): fix stale tool-count tripwire in FAQ

    The surface is 72 tools, so the 'exact set' tripwire is a 73rd tool appearing, not a 68th. Also drop a doubled 'the'.

    @Juwon1405 Juwon1405 committed Jun 13, 2026
  • wiki: reflect v0.6.1 TA0011 entry — detect_dns_tunneling ships

    Three pages had TA0011 (Command-and-Control) listed as 'deferred to Phase 2' or 'partial coverage'. v0.6.1's detect_dns_tunneling adds:

    - Iodine and dnscat2 tool signature detection
    - Shannon-entropy on subdomain labels (threshold 3.8)
    - Long-label heuristic (>50 chars, near DNS spec max 63)
    - Rare query-type flagging (TXT / NULL / CNAME with subdomain)
    - Per-parent-domain volume in sliding window
    - BIND9 / dnsmasq / generic FQDN-extraction fallback parsers

    This opens active TA0011 coverage at the analysis layer. Full PCAP-based C2 detection is still Phase 2, but the typed MCP surface now meaningfully covers the tactic via DNS log analysis.

    Pages updated: FAQ.md L99, Phase-1.md L36, Roadmap.md L41.

    TA0009 Collection remains the single tactic explicitly deferred — that is collector-side (live memory capture) rather than analysis-side, which is by design for an architecture that consumes pre-collected evidence.

    @Juwon1405 Juwon1405 committed May 14, 2026
  • wiki: naturalize hardcoded counts (Source of Truth lives in README Hero)

    Following the same Single-Source-of-Truth cleanup applied to the main repo: wiki pages no longer hardcode '67 typed functions / 42 native + 25 SIFT adapters / 10 of 12 MITRE / 55 tests / 1182 lines'. Phrasing shifts to 'the typed MCP surface', 'native + SIFT adapters', 'broad MITRE enterprise tactic coverage'.

    Phase-1.md historical version table preserves period-specific numbers (v0.3 = 31 functions, v0.4 = 35 native, v0.5 = 60 functions) because those are historical facts about what shipped on those dates, not claims about current state.

    The canonical exact name set continues to live in tests/test_mcp_surface.py — the only place that needs editing when a function is added or removed.

    @Juwon1405 Juwon1405 committed May 14, 2026
  • wiki: sweep stale 35-native / 60-total counts to current 42 / 67

    16 wiki pages had pre-v0.6.0 numeric references that survived earlier QA rounds. Surface count was bumped 60 -> 67 in v0.6.0 (six new supply-chain IOC functions in dart_mcp._v05_supply_chain), and native count went 35 -> 42, but a number of wiki pages still showed the old numbers.

    Pages corrected: About-the-name, Architecture-deep-dive, Architecture-first-vs-prompt-first, Case-PtH-Timestomp, FAQ, Glossary, Home, Live-mode, MCP-function-catalog, Phase-1, Roadmap, SIFT-adapter-layer, The-Memex-Bet, _Sidebar, dart-mcp

    Phase-1.md version history table preserves the historical numbers (v0.4 = 35 native, v0.5 = 60 functions) as those are historical facts, not current state.

    MITRE coverage also corrected from 11/12 -> 10/12 (TA0009 Collection and TA0011 C2 are Phase 2).

    @Juwon1405 Juwon1405 committed May 14, 2026
  • wiki(qa-r13-15): FAQ MITRE 10/12 fix + dart-corr DuckDB ASOF→regular JOIN

    == Round 13/14/15 — paired with main repo commit 4495790 ==

    Two wiki fixes this round:

    ### FAQ.md — '11/12 MITRE ATT&CK enterprise tactics' over-claim

    Note: this fix is identical in shape to round 12's MITRE fix (already in commit ef63a96). This commit catches the second cite location in FAQ — the headline-metric paragraph at 'What's the headline metric?' — that the round-12 sweep missed.

    Measured by walking dart-mcp function names against MITRE tactic buckets: 10/12 enterprise tactics covered. TA0009 (Collection) and TA0011 (Command-and-Control) are roadmap items. C2 was already disclosed in the FAQ 'What would you change with more time?' answer; Collection wasn't.

    Fixed the headline metric to '10/12' with explicit TA list and a link to Phase-1 for the gap analysis.

    ### dart-corr.md — DuckDB ASOF JOIN syntax error

    The advertised SQL block was:

        ASOF JOIN mft m ON a.ts BETWEEN m.ts - INTERVAL 15 SECOND AND m.ts + INTERVAL 15 SECOND

    DuckDB's ASOF JOIN only accepts a single inequality (>=, <=, >, <) in the ON clause. BETWEEN is two inequalities, so this raises:

        BinderException: Multiple ASOF JOIN inequalities

    Reproduced on duckdb 1.5.2 (the version pinned in CI).

    The wiki narrative wants a symmetric ±15-second window for time proximity. The right shape for that is a regular JOIN with the BETWEEN clause in WHERE:

        FROM auth a, mft m
        WHERE a.ts BETWEEN m.ts - INTERVAL 15 SECOND AND m.ts + INTERVAL 15 SECOND
          AND m.timestomp = TRUE

    Verified the new block returns the expected contradiction row (alice@14:22:00 ↔ /etc/shadow timestomp@14:21:55, within window).

    == Verification ==

    - Re-ran every Python block on every wiki page (7 total). 6/7 already clean; this fix brings it to 7/7. Each block now actually runs on a fresh duckdb 1.5.2 install.
    - Re-ran scripts/measure_accuracy.py — recall=1.0, FPR=0.0, hallucination=0 (no regression from the doc fix).

    == Pattern internalised ==

    DuckDB's ASOF JOIN is a different beast from a regular range JOIN. ASOF is for 'find the most recent prior row' (single inequality); range JOINs are for 'find any row within window' (two inequalities). The wiki's narrative wanted the latter. Going forward, any wiki SQL that runs against DuckDB needs the same dry-run-on-fresh-duckdb check as the rest of the code blocks.

    @Juwon1405 Juwon1405 committed May 8, 2026
  • wiki(qa-r12): kill 11/12 MITRE + UUID4 audit_id + 5KB audit + rm bypass hallucinations

    == Round 12 of QA — FAQ / Glossary / Comparison deep verification ==

    FAQ.md, Glossary.md, Comparison.md were the 3 'reference' wiki pages that earlier rounds touched only at surface level. Round 12 went through every quantitative/categorical claim on each page and measured against actual code/runtime behavior.

    == Defects fixed ==

    ### FAQ.md — audit log size claim 5-8x over

    Advertised: '~3-5 KB per MCP call. 25-iteration run ~120-200 KB'
    Measured: ~568 bytes per call (1704 bytes / 3 entries on the bundled find-evil-ref-01 demo). 25-iter projection ~13 KB.

    The advertised numbers were either pre-v0.5 estimates from when audit entries carried full output bodies, or just a guess. Either way, current reality is 5-8x smaller, which actually strengthens the architectural claim ('audit log is verifiable in one pass on any laptop'). Fixed to '500-700 bytes per MCP call' and '12-18 KB' for the 25-iter projection.

    ### FAQ.md — '11/12 MITRE ATT&CK enterprise tactics' over-claim

    Measured by walking dart-mcp function names against MITRE tactic buckets: 10/12 covered. The two gaps are TA0009 (Collection) and TA0011 (Command and Control). C2 was already disclosed in the FAQ 'What would you change with more time?' answer ('PCAP analysis for full TA0011 coverage'); Collection wasn't disclosed. Fixed the headline metric to '10/12' with explicit TA list and a link to Phase-1 for the gap analysis. The honest count makes the Phase-2 roadmap motivation crisper.

    ### Glossary.md — 'Audit ID — UUID4' (round-10 same defect, different page)

    Round 10 fixed wiki/dart-audit.md (UUID4 → 8-char hex) but Glossary carried the same wrong definition independently. Same code-vs-doc mismatch: secrets.token_hex(4) produces 8-character hex, never UUID4. Fixed.

    Also corrected the next sentence — it claimed 'the serializer refuses to emit findings'. There is no serializer.py file (round-10 defect class). The actual gate is the finding emitter inside DeterministicAnalyst (in dart_agent/__init__.py). Phrased it that way now.

    ### Glossary.md — 'Bypass test — execute_shell, eval, rm, etc.'

    rm is NOT in the bypass test's forbidden list. The actual list asserted by tests/test_mcp_bypass.py is:

        execute_shell, write_file, mount, umount, eval, exec_python, network_egress, delete_file, system, spawn_process, kill_process

    rm was a plausible-looking guess that doesn't appear in the code. Replaced with the actual full list, which is more concrete and more impressive than the 'execute_shell, eval, rm, etc.' summary.

    ### Comparison.md — verified clean

    Walked every external URL (Velociraptor docs, Plaso, Eric Zimmerman's site, SigmaHQ) — all 200. Walked every cross-reference to phase-2/phase-3 packages (dart-synth #23, dart-responder #26) — both have tracking issues. The TL;DR matrix entries were spot-checked against actual capabilities and stand. No fixes needed.

    == Verification methodology for this round ==

    1. Read each claim
    2. If quantitative: measure with a script (audit log size, MITRE tactic count, response shape)
    3. If categorical: read the cited code/test and confirm the claim is what the code actually does
    4. If external: curl with 10s timeout and assert 200
    5. Fix any mismatch; verify the fix doesn't introduce a new one

    == Verified ==

    - 31/31 pytest green (zero regression — wiki-only changes, no code touched)
    - Bypass test list in Glossary now matches tests/test_mcp_bypass.py line 29-30 + line 127 'negative' set
    - Audit log size in FAQ now matches measured demo run output
    - MITRE tactic count in FAQ now matches the actual function-name coverage measurement

    @Juwon1405 Juwon1405 committed May 8, 2026
  • wiki(qa-r11): 11 hallucinations across 9 pages — function signatures, CLI flags, file refs

    Pairs with main repo commit c34f661.

    Round 11 extended round 10's 'wiki/docs cite-vs-reality' sweep to all wiki pages round 10 didn't touch. Found 11 hallucinations across 9 pages.

    == Defects fixed ==

    ### dart-mcp.md — 22 function signatures wrong

    This page was the headline catalog of native MCP functions ('The 60 functions') and was citing every one of them with fictional kwargs like host=, target=, path=. This is the most important page after the README for anyone trying to understand the MCP surface. A judge clicking dart-mcp from the sidebar would have hit fictional signatures for nearly every function.

    Fixed:

        get_amcache(path) → get_amcache(hive_path)
        parse_prefetch(target) → parse_prefetch(prefetch_path)
        parse_shimcache(host) → parse_shimcache(system_hive)
        get_process_tree(host) → get_process_tree(process_csv)
        analyze_usb_history(host, time_window) → analyze_usb_history(system_hive, setupapi_log)
        parse_shellbags(host) → parse_shellbags(ntuser_hive)
        extract_mft_timeline(host, start, end) → extract_mft_timeline(mft_path, start, end)
        list_scheduled_tasks(host) → list_scheduled_tasks()
        detect_persistence(host) → detect_persistence()
        analyze_event_logs(host, event_ids, time_window) → analyze_event_logs(events_json)
        parse_unified_log(host, subsystem, time_window) → parse_unified_log(unifiedlog_json)
        parse_knowledgec(host) → parse_knowledgec(knowledgec_db)
        parse_fsevents(host) → parse_fsevents(fsevents_csv)
        parse_browser_history(host, browser) → parse_browser_history(history_db)
        analyze_downloads(host) → analyze_downloads(downloads_source)
        correlate_download_to_execution(host) → correlate_download_to_execution(downloads, executions)
        detect_exfiltration(host, time_window) → detect_exfiltration()
        analyze_windows_logons(host) → analyze_windows_logons(security_events_json)
        detect_lateral_movement(host) → detect_lateral_movement()
        analyze_kerberos_events(host) → analyze_kerberos_events(security_events_json)
        analyze_unix_auth(host, time_window) → analyze_unix_auth(auth_log_path)
        detect_privilege_escalation(host) → detect_privilege_escalation()
        analyze_web_access_log(path, rules) → analyze_web_access_log(access_log)
        detect_webshell(path) → detect_webshell(webroot)
        detect_brute_force_rdp(host) → detect_brute_force_rdp(security_events_json)
        detect_credential_access(host) → detect_credential_access()
        detect_ransomware_behavior(host) → detect_ransomware_behavior()
        detect_defense_evasion(host) → detect_defense_evasion()
        detect_discovery(host) → detect_discovery()
        correlate_timeline(start, end, sources) → correlate_timeline(events)

    All verified against live inputSchema.required. No-arg functions (the post-Phase-1 detect_* family) had fictional '(host)' parameters that don't exist in the schema at all.

    ### Case-PtH-Timestomp.md — list_scheduled_tasks(host=...)

    Same residual fix as docs/case-pth-timestomp.md (round 10 caught 3 of 4 fictional signatures on this page; r11 caught the last one).

    ### Operator-guide.md / Running-on-macOS.md — --evidence flag

    Both pages advertised '--evidence /path/to/evidence' as a CLI flag. Round 10 caught the same hallucination in Live-mode.md but missed these two operator-facing pages — the SIFT VM install + macOS dev-mode pages a judge would land on after the README directs them to operator-guide. Fixed both to use 'export DART_EVIDENCE_ROOT=...' (the actual env-var pattern) before invoking the agent.

    ### Case-IP-KVM.md / Running-on-SIFT.md / Writing-case-studies.md — missing --out

    All three advertised 'python3 -m dart_agent --case ID --max-iterations 25' but --out is a required argparse argument. Without it the CLI errors with 'argument --out is required'. Added --out to the example invocations on all three pages.

    ### FAQ.md — '36th appears or one of the 35'

    The 'Is the MCP surface really fixed in size?' answer used '35' as the surface-count anchor. Total surface is 60 (35 native + 25 SIFT adapters), so the 'a 36th appears' phrasing has been stale since v0.5. Fixed to 'a 61st appears or any of the 60 (35 native + 25 SIFT adapters) disappears'. The same page's overview (line 99) already cited 60 correctly, making the line-25 mistake an inter-paragraph drift inside one page — caught by re-reading from a judge's flow rather than from a count-grep.

    ### dart-corr.md — illustrative pseudocode framing

    The pseudocode block was labeled '# dart_corr/__init__.py — simplified', which an attentive reader could mistake for a pointer at a real file. dart_corr/ contains only README.md; the actual correlation code is in dart_mcp/__init__.py. The page's 'Implementation note' at the bottom already says this, but reading the pseudocode header in isolation gives the wrong impression. Reframed the comment to 'Illustrative — real implementation lives in dart_mcp/__init__.py' inline so the framing is correct at point-of-read.

    == Verification approach ==

    For each function-signature fix:
    1. Pulled the live inputSchema.required from list_tools()
    2. Verified the kwarg names match what dart_mcp/__init__.py actually accepts
    3. Where the old wiki signature included optional kwargs that don't exist (e.g., 'time_window' on detect_exfiltration), dropped them rather than mapping to a different optional

    For CLI fixes: confirmed against 'python3 -m dart_agent --help' output (only --case, --out, --max-iterations, --mode, --prompt, --model, --dry-run exist).

    == Pattern internalized ==

    Round 10 found a few signature hallucinations on the prominent Case-PtH page. Round 11 showed they were endemic on the headline catalog page (dart-mcp.md) — every single one of 22 cited functions had a fictional kwarg. Likely cause: the wiki was drafted from a v0.3-era memory of the surface, then never re-synced to the actual schema during the v0.4/v0.5 expansions.

    Going forward: any wiki page that lists multiple function signatures gets re-grep'd against list_tools() schema after every surface change, not just every release.

    @Juwon1405 Juwon1405 committed May 8, 2026
  • wiki(qa-r2): sync 22→31 tests, add v0.5.1/v0.5.2 timeline, v1 playbook line count

    Follow-up sync after main repo's v0.5.2 landed (defensive runtime guards + 3 regression tests). The recent on-main 'wiki — 13 pages updated' sweep correctly moved every surface to 60 tools, but the test-count bumped from 22 to 31 in v0.5.2 and a few wiki pages hadn't caught up.

    Counts (5 files):
    - FAQ.md '22 / 22 tests passing' → 31 / 31
    - Operator-guide.md 'All 22 tests should print OK' → 31
    - Phase-1.md '22 of 22 tests passing' → 31 of 31
    - Roadmap.md '22 of 22 tests passing' → 31 of 31
    - Running-on-macOS.md 'Run all 22 tests' / 'All 22 tests pass on M1/M2/M3' → 31

    Timeline (Phase-1.md):
    - Added v0.5.1 row (2026-05-03 — Evergreen visuals + full-surface QA)
    - Added v0.5.2 row (2026-05-03 — Defensive runtime guards + 31 tests)
    - Reordered v0.4.1 / Playbook v3 / v3.1 chronologically so the table reads top-to-bottom in actual ship order rather than the previous near-random sequence

    Playbook line counts (dart-playbook.md, 2 places):
    - senior-analyst-v1.yaml 128 → 133 lines (v0.5.2 patched the volatile_first phase to reference real registry tools; the Memory Capture phase grew by 5 lines with the explanatory rationale comment)
    - Annotated the legacy comment so future readers know why v1 still has a 'memory' phase even though native memory functions aren't on the v0.5 registry

    Phase-1's two intentionally-historical rows preserved verbatim:
    - 'v0.4 → 35 native, 20 tests' — release-time state
    - 'v0.5 → 60, 22 tests' — release-time state

    These are timeline facts, not status claims, so they do NOT bump.

    @Juwon1405 Juwon1405 committed May 3, 2026
  • wiki QA pass: synchronize 13 pages to v0.5 reality (60 tools, 22 tests)

    Companion to main repo commit 52f975d (v0.5.1 QA pass). Updated to reflect the v0.5 SIFT adapter layer (35 native + 25 SIFT = 60 typed read-only MCP tools) and the v0.5 test suite expansion (20 → 22 cases):

    About-the-name.md
      'The 35 typed dart-mcp functions cover...' → 'The typed dart-mcp surface (35 native + 25 SIFT Workstation adapters = 60 functions) covers...'
      Test count 20/20 → 22/22 across all references.

    Architecture-deep-dive.md
      ASCII architecture box: 'dart-mcp 35 typed forensic functions' → 'dart-mcp 60 typed forensic functions (35 native + 25 SIFT)'

    Architecture-first-vs-prompt-first.md
      'The MCP surface is exactly 35 functions, by name' → 'The MCP surface is exactly 60 typed functions, by name (35 native + 25 SIFT Workstation adapters)'

    Case-PtH-Timestomp.md
      (2 references) updated parallel to docs/.

    FAQ.md
      Question heading: 'Is the MCP surface really exactly 35 functions?' → 'Is the MCP surface really fixed in size?'
      Answer body: counts updated to 60 / 22-22.

    Glossary.md
      dart-mcp definition: 35 → 60. 'For Agentic-DART v0.4: exactly 35' → 'For Agentic-DART v0.5: 60 (35 native + 25 SIFT Workstation adapters)'

    Home.md (TOC)
      'the 35 forensic functions, schema, bypass tests' → 'the 60 forensic functions (35 native + 25 SIFT adapters), schema, bypass tests'
      'why the MCP surface is exactly 35 functions, not 28, not 35' rephrased to avoid count-anchoring.

    Live-mode.md
      (2 references) parallel to docs/.

    MCP-function-catalog.md
      Page title: '· 35 typed forensic functions' → '· 60 typed forensic functions (35 native + 25 SIFT Workstation adapters)'

    Operator-guide.md
      'All 20 tests should print OK' → 'All 22 tests should print OK'

    Phase-1.md
      Body: '35 typed forensic functions' / '20 of 20 tests passing' counts updated.
      Timeline table: ADDED row for 2026-05-02 v0.5 (SIFT Workstation tool adapter layer → 60 functions, 22 tests passing). v0.4 historic row preserved verbatim.

    Roadmap.md
      Three references to 35 / 20-20 updated to v0.5 numbers.

    Running-on-macOS.md
      'Step 3 — Run all 20 tests' → '... 22 tests'
      'All 20 tests pass on M1/M2/M3' → 'All 22 tests pass on M1/M2/M3'

    The-Memex-Bet.md
      'MCP surface (35 typed functions)' → 'MCP surface (60 typed functions: 35 native + 25 SIFT adapters)'
      'The 35 functions are not a guideline...' → 'The 60 functions (35 native + 25 SIFT Workstation adapters) are not a guideline...'

    _Sidebar.md
      Two TOC labels: '(35 functions)' → '(60 functions: 35 native + 25 SIFT)'

    dart-mcp.md
      'exposes exactly 35 typed forensic functions' → 'exposes 60 typed forensic functions (35 native + 25 SIFT Workstation adapters)'
      Section heading 'The 35 functions' → 'The 60 functions (35 native + 25 SIFT adapters)'

    SIFT-adapter-layer.md
      Preserved verbatim — line 18 'its own 35 forensic functions' is historic context describing the pre-v0.5 state.

    @Juwon1405 Juwon1405 committed May 2, 2026
  • wiki: sync test count 17 → 20 (audit race fix added 3 tests)

    @Juwon1405 Juwon1405 committed Apr 30, 2026
  • wiki: comprehensive sync 31 → 35 across all pages

    v0.4 raised the function count from 31 to 35. Wiki was tracking the old number on multiple pages:

    About-the-name.md 'existing 31 functions stay' → 35
    Architecture-deep-dive.md 'the 31 typed' → 35
    Architecture-first-vs-prompt-first.md '31 functions, by name' → 35
    FAQ.md 'is the surface really exactly 31?' → 35
    Home.md 'the 31 forensic functions' → 35
    Operator-guide.md '31' → '35'
    Roadmap.md '31 typed forensic functions' → 35
    Threat-model.md (no 31 references — already clean)
    dart-mcp.md 'exactly 31 typed' → '35'
    MCP-function-catalog.md (header was already 35)

    Roadmap also gets a 'v0.4 (2026-04-30)' entry in the Done list to record the Linux+macOS expansion.

    @Juwon1405 Juwon1405 committed Apr 30, 2026
  • feat: initial wiki — Home, About, Architecture-first, dart-mcp, FAQ, sidebar/footer

    Long-form documentation that doesn't fit in the README:
    - Home: overview + table of contents
    - About the name: DART acronym + four-phase plan
    - Architecture-first vs prompt-first: the central design claim
    - dart-mcp: the typed surface, all 31 functions, bypass tests
    - FAQ: judges, contributors, skeptics
    - _Sidebar / _Footer: auto-shown navigation on every page

    Other pages (Threat model, dart-agent / dart-corr / dart-audit / dart-playbook, Running on SIFT/macOS, Live mode, Accuracy, case studies, roadmap, glossary, comparison) are stubs in the sidebar — to be filled in as the project matures.

    @Juwon1405 Juwon1405 committed Apr 30, 2026