History / Glossary

Revisions

  • wiki: correct tool count to live 73 (48 native + 25 SIFT); drop v1.0.2 version pin

    The current-surface counts were stale: 72 (47 native) -> 73 (48 native) after the Sigma matcher tool landed. Fixed in Glossary, Live-mode, Phase-1 (the live-surface line), and Roadmap.

    The Glossary's 'As of v1.0.2' version pin is dropped so the count needn't carry a release number. The Phase-1 changelog row for v0.7.1 keeps its then-current '72' — that's an accurate historical record, not the live count.

    @Juwon1405 Juwon1405 committed Jun 15, 2026
  • docs(wiki): update tool-surface as-of version to v1.0.2

    @Juwon1405 Juwon1405 committed Jun 12, 2026
  • docs(wiki): fix remaining stale CFReDS case path and v1.0.0-as-current in Glossary

    @Juwon1405 Juwon1405 committed Jun 11, 2026
  • docs: glossary tool-surface as of v1.0.0

    @Juwon1405 Juwon1405 committed Jun 5, 2026
  • docs(wiki): align Accuracy and Glossary with the realistic-variant enrichment design

    - Accuracy.md: the realistic row claimed the generator synthesizes "security events 516" -- it does not; the security EventLog is hand-curated at ~11,530 lines. Only the two IOC-only logs (web access, unix auth) are noise-injected. Dropped the "production-shape / production-noise-injected" overstatement (the enriched ratio is ~1:30).
    - Glossary.md: the MCP surface is 47 native + 25 SIFT = 72, not "72 native".

    @Juwon1405 Juwon1405 committed Jun 5, 2026
  • wiki: sync to v0.7.1 — 11 cases, 72 MCP functions, case-11 highlight

    - Accuracy.md: '61 files' -> '49 files'; new v0.7.0 section covering case-11 supply-chain attack class; new v0.7.0 case-library summary table (11 cases / 99 findings split 69 layer-1 + 30 layer-2 + 32/36 function coverage)
    - Glossary.md: 'As of v0.6.0' -> 'As of v0.7.1: 72 native MCP tools'
    - Home.md: case-studies section rewritten to mention 11 cases / 99 findings plus case-11 as recommended judge walkthrough
    - MCP-function-catalog.md: previously missed v0.6.1 functions (parse_macos_quarantine, parse_linux_cron_jobs, detect_dns_tunneling) + v0.7.1 functions (parse_linux_text_log, parse_linux_shell_history) now properly documented with MITRE technique mappings and references
    - Phase-1.md: timeline extended with v0.5.4, v0.6.0, v0.6.1, v0.7.0, v0.7.1 milestones

    Deliberately not touched — these are version-anchored historical records: v0.5.4 CFReDS section (locked at first external benchmark), playbook 'target_case_classes: 10 case classes' (playbook scenario classes, not evidence cases), v0.4 / v0.5 release rows.

    @Juwon1405 Juwon1405 committed May 16, 2026
  • wiki: naturalize hardcoded counts (Source of Truth lives in README Hero)

    Following the same Single-Source-of-Truth cleanup applied to the main repo: wiki pages no longer hardcode '67 typed functions / 42 native + 25 SIFT adapters / 10 of 12 MITRE / 55 tests / 1182 lines'. Phrasing shifts to 'the typed MCP surface', 'native + SIFT adapters', 'broad MITRE enterprise tactic coverage'.

    Phase-1.md historical version table preserves period-specific numbers (v0.3 = 31 functions, v0.4 = 35 native, v0.5 = 60 functions) because those are historical facts about what shipped on those dates, not claims about current state.

    The canonical exact name set continues to live in tests/test_mcp_surface.py — the only place that needs editing when a function is added or removed.

    @Juwon1405 Juwon1405 committed May 14, 2026
  • wiki: sweep stale 35-native / 60-total counts to current 42 / 67

    16 wiki pages had pre-v0.6.0 numeric references that survived earlier QA rounds. Surface count was bumped 60 -> 67 in v0.6.0 (six new supply-chain IOC functions in dart_mcp._v05_supply_chain), and native count went 35 -> 42, but a number of wiki pages still showed the old numbers.

    Pages corrected: About-the-name, Architecture-deep-dive, Architecture-first-vs-prompt-first, Case-PtH-Timestomp, FAQ, Glossary, Home, Live-mode, MCP-function-catalog, Phase-1, Roadmap, SIFT-adapter-layer, The-Memex-Bet, _Sidebar, dart-mcp

    Phase-1.md version history table preserves the historical numbers (v0.4 = 35 native, v0.5 = 60 functions) as those are historical facts, not current state.

    MITRE coverage also corrected from 11/12 -> 10/12 (TA0009 Collection and TA0011 C2 are Phase 2).

    @Juwon1405 Juwon1405 committed May 14, 2026
  • wiki(qa-r12): kill 11/12 MITRE + UUID4 audit_id + 5KB audit + rm bypass hallucinations

    == Round 12 of QA — FAQ / Glossary / Comparison deep verification ==

    FAQ.md, Glossary.md, Comparison.md were the 3 'reference' wiki pages that earlier rounds touched only at surface level. Round 12 went through every quantitative/categorical claim on each page and measured against actual code/runtime behavior.

    == Defects fixed ==

    ### FAQ.md — audit log size claim 5-8x over

    Advertised: '~3-5 KB per MCP call. 25-iteration run ~120-200 KB'
    Measured: ~568 bytes per call (1704 bytes / 3 entries on the bundled find-evil-ref-01 demo). 25-iter projection ~13 KB.

    The advertised numbers were either pre-v0.5 estimates from when audit entries carried full output bodies, or just a guess. Either way, current reality is 5-8x smaller, which actually strengthens the architectural claim ('audit log is verifiable in one pass on any laptop'). Fixed to '500-700 bytes per MCP call' and '12-18 KB' for the 25-iter projection.

    ### FAQ.md — '11/12 MITRE ATT&CK enterprise tactics' over-claim

    Measured by walking dart-mcp function names against MITRE tactic buckets: 10/12 covered. The two gaps are TA0009 (Collection) and TA0011 (Command and Control). C2 was already disclosed in the FAQ 'What would you change with more time?' answer ('PCAP analysis for full TA0011 coverage'); Collection wasn't disclosed. Fixed the headline metric to '10/12' with explicit TA list and a link to Phase-1 for the gap analysis. The honest count makes the Phase-2 roadmap motivation crisper.

    ### Glossary.md — 'Audit ID — UUID4' (round-10 same defect, different page)

    Round 10 fixed wiki/dart-audit.md (UUID4 → 8-char hex) but Glossary carried the same wrong definition independently. Same code-vs-doc mismatch: secrets.token_hex(4) produces 8-character hex, never UUID4. Fixed.

    Also corrected the next sentence — it claimed 'the serializer refuses to emit findings'. There is no serializer.py file (round-10 defect class). The actual gate is the finding emitter inside DeterministicAnalyst (in dart_agent/__init__.py). Phrased it that way now.

    ### Glossary.md — 'Bypass test — execute_shell, eval, rm, etc.'

    rm is NOT in the bypass test's forbidden list. The actual list asserted by tests/test_mcp_bypass.py is: execute_shell, write_file, mount, umount, eval, exec_python, network_egress, delete_file, system, spawn_process, kill_process

    rm was a plausible-looking guess that doesn't appear in the code. Replaced with the actual full list, which is more concrete and more impressive than the 'execute_shell, eval, rm, etc.' summary.

    ### Comparison.md — verified clean

    Walked every external URL (Velociraptor docs, Plaso, Eric Zimmerman's site, SigmaHQ) — all 200. Walked every cross-reference to phase-2/phase-3 packages (dart-synth #23, dart-responder #26) — both have tracking issues. The TL;DR matrix entries were spot-checked against actual capabilities and stand. No fixes needed.

    == Verification methodology for this round ==

    1. Read each claim
    2. If quantitative: measure with a script (audit log size, MITRE tactic count, response shape)
    3. If categorical: read the cited code/test and confirm the claim is what the code actually does
    4. If external: curl with 10s timeout and assert 200
    5. Fix any mismatch; verify the fix doesn't introduce a new one

    == Verified ==

    - 31/31 pytest green (zero regression — wiki-only changes, no code touched)
    - Bypass test list in Glossary now matches tests/test_mcp_bypass.py line 29-30 + line 127 'negative' set
    - Audit log size in FAQ now matches measured demo run output
    - MITRE tactic count in FAQ now matches the actual function-name coverage measurement

    @Juwon1405 Juwon1405 committed May 8, 2026
  • wiki QA pass: synchronize 13 pages to v0.5 reality (60 tools, 22 tests)

    Companion to main repo commit 52f975d (v0.5.1 QA pass). Updated to reflect the v0.5 SIFT adapter layer (35 native + 25 SIFT = 60 typed read-only MCP tools) and the v0.5 test suite expansion (20 → 22 cases):

    About-the-name.md
      'The 35 typed dart-mcp functions cover...' → 'The typed dart-mcp surface (35 native + 25 SIFT Workstation adapters = 60 functions) covers...'
      Test count 20/20 → 22/22 across all references.

    Architecture-deep-dive.md
      ASCII architecture box: 'dart-mcp 35 typed forensic functions' → 'dart-mcp 60 typed forensic functions (35 native + 25 SIFT)'

    Architecture-first-vs-prompt-first.md
      'The MCP surface is exactly 35 functions, by name' → 'The MCP surface is exactly 60 typed functions, by name (35 native + 25 SIFT Workstation adapters)'

    Case-PtH-Timestomp.md
      (2 references) updated parallel to docs/.

    FAQ.md
      Question heading: 'Is the MCP surface really exactly 35 functions?' → 'Is the MCP surface really fixed in size?'
      Answer body: counts updated to 60 / 22-22.

    Glossary.md
      dart-mcp definition: 35 → 60.
      'For Agentic-DART v0.4: exactly 35' → 'For Agentic-DART v0.5: 60 (35 native + 25 SIFT Workstation adapters)'

    Home.md
      (TOC) 'the 35 forensic functions, schema, bypass tests' → 'the 60 forensic functions (35 native + 25 SIFT adapters), schema, bypass tests'
      'why the MCP surface is exactly 35 functions, not 28, not 35' rephrased to avoid count-anchoring.

    Live-mode.md
      (2 references) parallel to docs/.

    MCP-function-catalog.md
      Page title: '· 35 typed forensic functions' → '· 60 typed forensic functions (35 native + 25 SIFT Workstation adapters)'

    Operator-guide.md
      'All 20 tests should print OK' → 'All 22 tests should print OK'

    Phase-1.md
      Body: '35 typed forensic functions' / '20 of 20 tests passing' counts updated.
      Timeline table: ADDED row for 2026-05-02 v0.5 (SIFT Workstation tool adapter layer → 60 functions, 22 tests passing). v0.4 historic row preserved verbatim.

    Roadmap.md
      Three references to 35 / 20-20 updated to v0.5 numbers.

    Running-on-macOS.md
      'Step 3 — Run all 20 tests' → '... 22 tests'
      'All 20 tests pass on M1/M2/M3' → 'All 22 tests pass on M1/M2/M3'

    The-Memex-Bet.md
      'MCP surface (35 typed functions)' → 'MCP surface (60 typed functions: 35 native + 25 SIFT adapters)'
      'The 35 functions are not a guideline...' → 'The 60 functions (35 native + 25 SIFT Workstation adapters) are not a guideline...'

    _Sidebar.md
      Two TOC labels: '(35 functions)' → '(60 functions: 35 native + 25 SIFT)'

    dart-mcp.md
      'exposes exactly 35 typed forensic functions' → 'exposes 60 typed forensic functions (35 native + 25 SIFT Workstation adapters)'
      Section heading 'The 35 functions' → 'The 60 functions (35 native + 25 SIFT adapters)'

    SIFT-adapter-layer.md
      Preserved verbatim — line 18 'its own 35 forensic functions' is historic context describing the pre-v0.5 state.

    @Juwon1405 Juwon1405 committed May 2, 2026
  • wiki: add 12 missing pages, fix all 32 broken links

    The wiki sidebar and Home page referenced 13 pages that didn't exist, producing the GitHub 'create new page' UI when clicked.

    Adds:

    Concepts:
      Glossary — DFIR / agent / MCP terms

    The 5 packages:
      dart-agent — senior-analyst wrapper loop
      dart-corr — cross-artifact correlation engine
      dart-audit — SHA-256 chained audit log
      dart-playbook — YAML sequencing rules
      (dart-mcp already existed)

    Reference:
      Comparison — vs Velociraptor / Plaso / EZ tools / SOAR / vanilla LLMs

    Running it:
      Running-on-SIFT — SANS SIFT VM 5-minute setup
      Running-on-macOS — macOS-specific mount conventions
      Live-mode — real Claude API + MCP stdio integration

    Case studies:
      Case-PtH-Timestomp — Pass-the-Hash + timestomp pre-existence
      Case-IP-KVM — IP-KVM remote-hands insider scenario
      Writing-case-studies — guide for contributing new case studies

    Project:
      Accuracy — reproducible accuracy methodology + numbers

    The Roadmap-Phase-2/3/4 links in Home.md were repointed to the existing Roadmap page's anchors (those were never separate pages). The Contributing link in dart-mcp.md now points to CONTRIBUTING.md in the main repo.

    _Sidebar.md restructured into 6 named sections so the 25-page wiki is navigable.

    Final broken-link count: 0.

    @Juwon1405 Juwon1405 committed Apr 30, 2026