wiki: drop macOS host-install guide+links — host is Linux only; macOS stays an analysis target
Home: add demo video link
docs(wiki): align Accuracy/Home with canonical evidence and tiered cases
Remove the public --variant / sample-evidence-realistic concept from Accuracy
(single canonical evidence_root + CI fixture), retier the case tables to
self-evaluation/external-evaluation, fix case links to the new index-only
paths, rename ground-truth.json to truth.json, and drop a stale tool-count.
Dated historical roadmap entries in Phase-1 keep their original case numbers.
docs: align wiki with current live-mode scope
Document live mode through ANTHROPIC_API_KEY and --dry-run, remove public zero-cost/OAuth setup claims, and update Claude MCP registration to dart_mcp.server_stdio.
Refresh accuracy evidence counts to 62 reference files and 67 realistic files, clarify that the measured identical result applies to case-01 F-001/F-013, and remove stale 50-file language.
Update operator, SIFT, macOS, roadmap, and Phase 1 pages to the 72-tool surface and current full-suite validation model without stale 35-tool or 75-test guidance.
Fix the Home architecture link and describe external entries as case-study slots instead of fully measured benchmark rows.
QA: git diff --check passed for the wiki.
wiki(dart-corr): reflect v0.7.1 — extracted to real package
Companion to agentic-dart commit 49e772c, which extracts dart_corr
from a docs-only scaffold into a real standalone package with code,
14 unit tests, and an operator-tunable rule pack.
Wiki changes:
dart-corr.md
'Files' block — replaced the old tree (which showed a
nonexistent correlation-rules.yaml and pointed implementation
at dart_mcp) with the real v0.7.1 layout: pyproject.toml,
correlation-rules.yaml, src/dart_corr/__init__.py,
tests/test_dart_corr.py.
'Implementation note' — replaced the scaffold caveat with the
v0.7.1 reality: dart_corr is a real package, the MCP wire
surface is preserved through thin wrappers in dart_mcp, and
correlate_timeline keeps the SQL-injection defense at the
boundary.
Home.md
TOC entry for dart-corr — removed the '(implementation currently
inside dart_mcp; mid-2026 target)' subscript. The package is
real now.
Architecture-deep-dive.md
Package ownership table — removed the '*scaffold (v0.7.1) —
implementation lives in dart_mcp*' subscript on the dart_corr
row. dart_corr now genuinely owns what the table says it owns.
The agentic-dart README has been updated in lockstep with the
matching scaffold-removal language and the test count (79 → 93
total tests across both packages). All numbers and language now
reconcile across README, Wiki, and the dart_corr package itself.
fix(dart-corr): honest scaffold status across three Wiki pages
User flagged a real issue — dart_corr/ on GitHub is a directory
containing only README.md, but multiple Wiki pages describe dart-corr
as if it were a functioning component with its own files. This commit
brings the Wiki language in line with the actual v0.7.1 source-tree
state.
Three changes:
(1) Wiki/dart-corr.md '## Files' section — the 'tree' diagram falsely
listed dart_corr/correlation-rules.yaml as a file that exists.
It does not exist in the repo. The Implementation note was
correct (it pointed at dart_mcp/__init__.py) but the file tree
contradicted it. Both replaced with an honest tree showing
only README.md under dart_corr/, plus exact line numbers for
the three real correlate_* functions inside dart_mcp.
(2) Wiki/Home.md Core-components TOC entry — added an inline
qualifier '(implementation currently inside dart_mcp; standalone
package is a mid-2026 target — see the page)' to the dart-corr
bullet, so a reader scanning the TOC does not click through
expecting a fully-populated package.
(3) Wiki/Architecture-deep-dive.md package-ownership table — added a
subscript '*scaffold (v0.7.1) — implementation lives in dart_mcp*'
to the dart_corr row, so the architectural diagram and the
ownership table tell the same truth.
What is NOT changed:
- The architectural design (dart-corr OWNS contradiction
detection as a logical responsibility) is correct and stays.
- The MCP-surface functions (correlate_events, correlate_timeline,
correlate_download_to_execution) are real, registered, and
reachable — verified by tests/test_mcp_surface.py.
- Case-PtH-Timestomp and Case-IP-KVM walkthroughs accurately
describe what those functions do; the 'dart-corr' references
in those pages are correct as descriptions of the logical
component, not as claims about file locations.
Why the discrepancy existed:
The v0.4-era plan was to ship dart_corr/ as a standalone package
before the SANS submission. When the v0.5 timeline tightened,
the correlation logic was inlined into dart_mcp (where the
type system was already enforced) and the dart_corr/ extraction
was deferred to mid-2026. The main README, the agentic-dart
README, and dart_corr/README.md all updated honestly at that
time; some Wiki pages did not. Now they do.
wiki: sync to v0.7.1 — 11 cases, 72 MCP functions, case-11 highlight
- Accuracy.md: '61 files' -> '49 files'; new v0.7.0 section covering
case-11 supply-chain attack class; new v0.7.0 case-library summary
table (11 cases / 99 findings split 69 layer-1 + 30 layer-2 + 32/36
function coverage)
- Glossary.md: 'As of v0.6.0' -> 'As of v0.7.1: 72 native MCP tools'
- Home.md: case-studies section rewritten to mention 11 cases / 99
findings plus case-11 as recommended judge walkthrough
- MCP-function-catalog.md: previously missed v0.6.1 functions
(parse_macos_quarantine, parse_linux_cron_jobs, detect_dns_tunneling)
+ v0.7.1 functions (parse_linux_text_log, parse_linux_shell_history)
now properly documented with MITRE technique mappings and references
- Phase-1.md: timeline extended with v0.5.4, v0.6.0, v0.6.1, v0.7.0,
v0.7.1 milestones
Deliberately not touched — these are version-anchored historical
records: v0.5.4 CFReDS section (locked at first external benchmark),
playbook 'target_case_classes: 10 case classes' (playbook scenario
classes, not evidence cases), v0.4 / v0.5 release rows.
wiki: naturalize hardcoded counts (Source of Truth lives in README Hero)
Following the same Single-Source-of-Truth cleanup applied to the main
repo: wiki pages no longer hardcode '67 typed functions / 42 native +
25 SIFT adapters / 10 of 12 MITRE / 55 tests / 1182 lines'. Phrasing
shifts to 'the typed MCP surface', 'native + SIFT adapters', 'broad
MITRE enterprise tactic coverage'.
Phase-1.md historical version table preserves period-specific numbers
(v0.3 = 31 functions, v0.4 = 35 native, v0.5 = 60 functions) because
those are historical facts about what shipped on those dates, not
claims about current state.
The canonical exact name set continues to live in
tests/test_mcp_surface.py — the only place that needs editing when a
function is added or removed.
wiki: sweep stale 35-native / 60-total counts to current 42 / 67
16 wiki pages had pre-v0.6.0 numeric references that survived earlier
QA rounds. Surface count was bumped 60 -> 67 in v0.6.0 (six new
supply-chain IOC functions in dart_mcp._v05_supply_chain), and native
count went 35 -> 42, but a number of wiki pages still showed the old
numbers.
Pages corrected:
About-the-name, Architecture-deep-dive,
Architecture-first-vs-prompt-first, Case-PtH-Timestomp, FAQ,
Glossary, Home, Live-mode, MCP-function-catalog, Phase-1,
Roadmap, SIFT-adapter-layer, The-Memex-Bet, _Sidebar, dart-mcp
Phase-1.md version history table preserves the historical numbers
(v0.4 = 35 native, v0.5 = 60 functions) as those are historical
facts, not current state.
MITRE coverage also corrected from 11/12 -> 10/12 (TA0009 Collection
and TA0011 C2 are Phase 2).
wiki QA pass: synchronize 13 pages to v0.5 reality (60 tools, 22 tests)
Companion to main repo commit 52f975d (v0.5.1 QA pass).
Updated to reflect the v0.5 SIFT adapter layer (35 native + 25 SIFT
= 60 typed read-only MCP tools) and the v0.5 test suite expansion
(20 → 22 cases):
About-the-name.md
'The 35 typed dart-mcp functions cover...' →
'The typed dart-mcp surface (35 native + 25 SIFT Workstation
adapters = 60 functions) covers...'
Test count 20/20 → 22/22 across all references.
Architecture-deep-dive.md
ASCII architecture box: 'dart-mcp 35 typed forensic functions'
→ 'dart-mcp 60 typed forensic functions (35 native + 25 SIFT)'
Architecture-first-vs-prompt-first.md
'The MCP surface is exactly 35 functions, by name' →
'The MCP surface is exactly 60 typed functions, by name (35
native + 25 SIFT Workstation adapters)'
Case-PtH-Timestomp.md (2 references) updated parallel to docs/.
FAQ.md
Question heading: 'Is the MCP surface really exactly 35
functions?' → 'Is the MCP surface really fixed in size?'
Answer body: counts updated to 60 / 22-22.
Glossary.md
dart-mcp definition: 35 → 60.
'For Agentic-DART v0.4: exactly 35' →
'For Agentic-DART v0.5: 60 (35 native + 25 SIFT Workstation
adapters)'
Home.md (TOC)
'the 35 forensic functions, schema, bypass tests' →
'the 60 forensic functions (35 native + 25 SIFT adapters),
schema, bypass tests'
'why the MCP surface is exactly 35 functions, not 28, not 35'
rephrased to avoid count-anchoring.
Live-mode.md (2 references) parallel to docs/.
MCP-function-catalog.md
Page title: '· 35 typed forensic functions'
→ '· 60 typed forensic functions (35 native + 25 SIFT
Workstation adapters)'
Operator-guide.md
'All 20 tests should print OK' → 'All 22 tests should print OK'
Phase-1.md
Body: '35 typed forensic functions' / '20 of 20 tests passing'
counts updated.
Timeline table: ADDED row for 2026-05-02 v0.5 (SIFT Workstation
tool adapter layer → 60 functions, 22 tests passing). v0.4
historic row preserved verbatim.
Roadmap.md
Three references to 35 / 20-20 updated to v0.5 numbers.
Running-on-macOS.md
'Step 3 — Run all 20 tests' → '... 22 tests'
'All 20 tests pass on M1/M2/M3' → 'All 22 tests pass on M1/M2/M3'
The-Memex-Bet.md
'MCP surface (35 typed functions)' →
'MCP surface (60 typed functions: 35 native + 25 SIFT adapters)'
'The 35 functions are not a guideline...' →
'The 60 functions (35 native + 25 SIFT Workstation adapters)
are not a guideline...'
_Sidebar.md
Two TOC labels: '(35 functions)' → '(60 functions: 35 native +
25 SIFT)'
dart-mcp.md
'exposes exactly 35 typed forensic functions' →
'exposes 60 typed forensic functions (35 native + 25 SIFT
Workstation adapters)'
Section heading 'The 35 functions' → 'The 60 functions (35
native + 25 SIFT adapters)'
SIFT-adapter-layer.md
Preserved verbatim — line 18 'its own 35 forensic functions'
is historic context describing the pre-v0.5 state.
wiki: add SIFT-adapter-layer page + Home TOC link
Documents the v0.5 SIFT Workstation tool adapter layer:
- 25 typed wrappers (Volatility 3 ×12, Eric Zimmerman ×8, YARA ×2, Plaso ×2)
- Binary resolution rules per adapter (env-var override -> PATH -> error)
- Architectural contract every adapter must satisfy (read-only sandbox,
SHA-256 audit, subprocess timeout, structured output, graceful
degradation, schema parity)
- Verification commands
Pairs with main repo commit 403a5ce.
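The adapter contract and binary-resolution order listed in this commit, worked through as an added Python example that is not Agentic-DART's own code: resolve_binary, run_adapter, demo and the DEMO_TOOL_BIN variable are assumed names, and the Python interpreter stands in for a SIFT tool so the example runs offline with no forensic binaries installed.

```python
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional

def resolve_binary(name: str, env_var: str) -> Optional[str]:
    override = os.environ.get(env_var)  # 1) explicit env-var override
    if override:
        return override if os.access(override, os.X_OK) else None  # no silent fallback
    return shutil.which(name)  # 2) PATH lookup; 3) None -> caller reports the error

def sha256_file(path: str) -> str:
    digest = hashlib.sha256()  # audit hash taken before the tool ever sees the file
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def run_adapter(tool: str, env_var: str, args: List[str], evidence: str,
                timeout_s: float = 30.0) -> Dict[str, object]:
    """Read-only wrapper: the evidence path is only passed to the tool, never
    written; a missing binary or a timeout degrades to a structured dict, not an exception."""
    out: Dict[str, object] = {"tool": tool, "evidence": evidence, "ok": False,
                              "evidence_sha256": sha256_file(evidence)}
    binary = resolve_binary(tool, env_var)
    if binary is None:
        out["error"] = f"{tool} not found (set {env_var} or add it to PATH)"
        return out
    try:
        proc = subprocess.run([binary, *args, evidence], capture_output=True,
                              text=True, timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        out["error"] = f"{tool} exceeded {timeout_s}s timeout"
        return out
    out.update(ok=proc.returncode == 0, returncode=proc.returncode, stdout=proc.stdout)
    return out

def demo() -> Dict[str, Dict[str, object]]:
    """Three outcomes on a constructed file; the Python interpreter stands in for a tool."""
    tmp = tempfile.mkdtemp()
    evidence = os.path.join(tmp, "sample.evtx")  # constructed bytes, not a real EVTX
    with open(evidence, "wb") as fh:
        fh.write(b"constructed sample evidence\n")
    env_var = "DEMO_TOOL_BIN"  # hypothetical override variable for this demo
    os.environ.pop(env_var, None)  # no override -> PATH lookup -> structured error
    missing = run_adapter("no-such-tool-xyz", env_var, [], evidence)
    os.environ[env_var] = sys.executable  # override to a real executable
    size_cmd = ["-c", "import sys; print(len(open(sys.argv[1], 'rb').read()))"]
    found = run_adapter("demo-tool", env_var, size_cmd, evidence)
    slow = run_adapter("demo-tool", env_var, ["-c", "import time; time.sleep(5)"],
                       evidence, timeout_s=0.5)
    return {"missing": missing, "found": found, "slow": slow}
```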
wiki: Phase 1 boost — dedicated page + Roadmap expansion
== The problem ==
Phase 1 was visually understated relative to Phases 2/3/4:
Roadmap.md before: P1=35 lines, P2=40, P3=43, P4=24
P1 was the SMALLEST despite being the current focus.
This created the impression that Phase 1 was a thin foundation
followed by ambitious future plans, when in fact Phase 1 IS the
SANS submission and contains essentially all the load-bearing
architecture.
== Fixes ==
1. Roadmap.md Phase 1 section — expanded from 35 to 79 lines:
* NEW intro paragraph explaining what 'agentic DFIR' means
* NEW 'architecturally complete because' bullet block
enumerating the 5 architectural guarantees that propagate
unchanged into Phases 2/3/4
* REORGANIZED 'Done' into 4 subsections: Core architecture,
Cross-platform coverage, Methodology (3 playbook versions),
Validation, Documentation
* NEW 'Remaining for Phase 1' table with status + issue links
* NEW 'What Phase 1 explicitly does NOT do' section (5 items
with deferred-to-Phase explanation, each with issue link)
2. Roadmap.md intro — added at-a-glance phase summary table
showing Phase 1 status (~95% complete, closes 2026-06-15) at
the top of the page
3. NEW dedicated page: Phase-1.md (~140 lines)
* Operator's-eye summary written for someone who lands on
this page directly without reading the full Roadmap
* Sections: in-one-sentence / what ships / what remains /
what we explicitly DO NOT do / versions shipped / where
to go next
* Versions table chronicles every release Apr 28 → May 01
* Cross-links to Memex Bet, Architecture deep dive, Threat
model, Running guides, dart-playbook
4. _Sidebar.md — P1 link updated:
* Was: anchor link to Roadmap#phase-1
* Now: dedicated [Phase-1] page (more prominent)
* Sidebar Roadmap entry now shows '~95% complete' subtitle
5. Home.md — P1 link updated to dedicated page + bullets enriched
with status / closing date / Phase 2/3/4 timing
== Result ==
Roadmap.md after: P1=79 lines, P2=40, P3=43, P4=24
Plus dedicated Phase-1 page accessible from Sidebar + Home
Wiki broken links: 0 maintained
Wiki page count: 26 → 27
wiki: surface Phase 1 in Home + Sidebar (was previously omitted)
== Problem ==
The Roadmap section in both Home.md and _Sidebar.md jumped straight
from Phase 2 to Phase 4. Phase 1 — the SANS FIND EVIL! 2026 submission
that is the entire current focus — was conspicuously missing from the
top-level navigation surfaces.
This made the wiki read like 'we're already past Phase 1' to anyone
landing on Home or scanning the Sidebar — exactly the wrong impression
for a SANS judge or first-time visitor evaluating the submission.
== Fix ==
Home.md — Roadmap section:
Added Phase 1 as the FIRST entry, marked with ⭐ and 'current focus',
with deep link to the Phase 1 anchor in Roadmap.md.
_Sidebar.md — Project section:
Promoted the Roadmap link to a parent with four nested deep-links
(Phase 1 ⭐ / Phase 2 / Phase 3 / Phase 4), each pointing to the
matching anchor in Roadmap.md.
The Roadmap.md page itself already contained a complete Phase 1
section — only the navigation entries on Home / Sidebar were missing.
Wiki broken links: 0 maintained.
wiki: add 'The Memex Bet' concept page + remove dead Project link
== Marketing strengthening (inspired by Karpathy's LLM Wiki gist) ==
New concept page: 'The Memex Bet' (96 lines)
- Frames Agentic-DART within the lineage from Vannevar Bush's 1945
Memex through Karpathy's April 2026 LLM Wiki pattern
- Makes the bet explicit: senior-analyst reasoning IS the durable
compounding artifact, not the report
- Side-by-side mapping of LLM Wiki components to Agentic-DART
components — sources / wiki / schema → evidence / playbook / MCP
- Reading list for judges: Bush 1945, Karpathy 2026, Bianco,
Caltagirone, M-Trends, Lockheed Kill Chain
- Linked from Sidebar (top of Concepts) and Home page (top of
Concepts) with ⭐ marker — first impression for new visitors
== OPSEC / dead links cleanup ==
Removed dead Project link from _Sidebar.md
- https://github.com/users/Juwon1405/projects/4 was never set up
(project board abandoned — issues + milestones cover the work)
- The link 404'd, hurting the professional impression
== Why this matters for SANS judging ==
A judge skimming the wiki for 60 seconds now sees:
1. ⭐ The Memex Bet (the philosophical hook)
2. About the name (what DART means)
3. Architecture-first vs prompt-first (the design claim)
4. Architecture deep dive (the implementation)
This trajectory — philosophy → naming → claim → implementation — mirrors
how Karpathy's gist is read in 2026. Putting Agentic-DART in that
intellectual lineage signals seriousness without arrogance.
wiki: add 12 missing pages, fix all 32 broken links
The wiki sidebar and Home page referenced 13 pages that didn't exist,
producing the GitHub 'create new page' UI when clicked. Adds:
Concepts:
Glossary — DFIR / agent / MCP terms
The 5 packages:
dart-agent — senior-analyst wrapper loop
dart-corr — cross-artifact correlation engine
dart-audit — SHA-256 chained audit log
dart-playbook — YAML sequencing rules
(dart-mcp already existed)
Reference:
Comparison — vs Velociraptor / Plaso / EZ tools / SOAR / vanilla LLMs
Running it:
Running-on-SIFT — SANS SIFT VM 5-minute setup
Running-on-macOS — macOS-specific mount conventions
Live-mode — real Claude API + MCP stdio integration
Case studies:
Case-PtH-Timestomp — Pass-the-Hash + timestomp pre-existence
Case-IP-KVM — IP-KVM remote-hands insider scenario
Writing-case-studies — guide for contributing new case studies
Project:
Accuracy — reproducible accuracy methodology + numbers
The Roadmap-Phase-2/3/4 links in Home.md were repointed to the
existing Roadmap page's anchors (those were never separate pages).
The Contributing link in dart-mcp.md now points to CONTRIBUTING.md
in the main repo.
_Sidebar.md restructured into 6 named sections so the 25-page wiki
is navigable. Final broken-link count: 0.
wiki: comprehensive sync 31 → 35 across all pages
v0.4 raised the function count from 31 to 35. The wiki was tracking the
old number on multiple pages:
About-the-name.md 'existing 31 functions stay' → 35
Architecture-deep-dive.md 'the 31 typed' → 35
Architecture-first-vs-prompt-first.md '31 functions, by name' → 35
FAQ.md 'is the surface really exactly 31?' → 35
Home.md 'the 31 forensic functions' → 35
Operator-guide.md '31' → '35'
Roadmap.md '31 typed forensic functions' → 35
Threat-model.md (no 31 references — already clean)
dart-mcp.md 'exactly 31 typed' → '35'
MCP-function-catalog.md (header was already 35)
Roadmap also gets a 'v0.4 (2026-04-30)' entry in the Done list to
record the Linux+macOS expansion.
feat: initial wiki — Home, About, Architecture-first, dart-mcp, FAQ, sidebar/footer
Long-form documentation that doesn't fit in the README:
- Home: overview + table of contents
- About the name: DART acronym + four-phase plan
- Architecture-first vs prompt-first: the central design claim
- dart-mcp: the typed surface, all 31 functions, bypass tests
- FAQ: judges, contributors, skeptics
- _Sidebar / _Footer: auto-shown navigation on every page
Other pages (Threat model, dart-agent / dart-corr / dart-audit / dart-playbook,
Running on SIFT/macOS, Live mode, Accuracy, case studies, roadmap, glossary,
comparison) are stubs in the sidebar — to be filled in as the project matures.
feat: full wiki — Architecture / Operator / Threat model / Roadmap
Five pages, sidebar, written as long-form complement to the README:
Home landing + project status
_Sidebar navigation visible on every page
Architecture-deep-dive why the architecture is shaped this way
Operator-guide run dart-agent on a real SIFT case
Threat-model honest scope of the read-only MCP boundary
Roadmap phase 1-4, anti-roadmap (what we refuse)
Same voice as the README. No marketing language, no overclaim.
The threat model in particular is deliberately honest about what
the architecture does NOT defend against.