docs(wiki): fix stale 35/60 surface counts and default model name Live registry is 47 native + 25 SIFT = 72; code default is claude-haiku-4-5 (sonnet-4-6 is the --model higher-fidelity override). - dart-agent.md: default claude-sonnet-4 -> claude-haiku-4-5; 35-function -> 47. - Live-mode.md: default sonnet-4 -> haiku-4-5; 60 typed -> 72; cost-example model name sonnet-4 -> sonnet-4-6 with the haiku default made explicit. - SIFT-adapter-layer.md: 35 forensic functions -> 47. (Phase-1.md v0.4/v0.5 timeline rows keep 35/60 as point-in-time history.)

Juwon1405 committed Jun 5, 2026

wiki: naturalize hardcoded counts (Source of Truth lives in README Hero) Following the same Single-Source-of-Truth cleanup applied to the main repo: wiki pages no longer hardcode '67 typed functions / 42 native + 25 SIFT adapters / 10 of 12 MITRE / 55 tests / 1182 lines'. Phrasing shifts to 'the typed MCP surface', 'native + SIFT adapters', 'broad MITRE enterprise tactic coverage'. Phase-1.md historical version table preserves period-specific numbers (v0.3 = 31 functions, v0.4 = 35 native, v0.5 = 60 functions) because those are historical facts about what shipped on those dates, not claims about current state. The canonical exact name set continues to live in tests/test_mcp_surface.py — the only place that needs editing when a function is added or removed.

Juwon1405 committed May 14, 2026

wiki: sweep stale 35-native / 60-total counts to current 42 / 67 16 wiki pages had pre-v0.6.0 numeric references that survived earlier QA rounds. Surface count was bumped 60 -> 67 in v0.6.0 (six new supply-chain IOC functions in dart_mcp._v05_supply_chain), and native count went 35 -> 42, but a number of wiki pages still showed the old numbers. Pages corrected: About-the-name, Architecture-deep-dive, Architecture-first-vs-prompt-first, Case-PtH-Timestomp, FAQ, Glossary, Home, Live-mode, MCP-function-catalog, Phase-1, Roadmap, SIFT-adapter-layer, The-Memex-Bet, _Sidebar, dart-mcp Phase-1.md version history table preserves the historical numbers (v0.4 = 35 native, v0.5 = 60 functions) as those are historical facts, not current state. MITRE coverage also corrected from 11/12 -> 10/12 (TA0009 Collection and TA0011 C2 are Phase 2).

Juwon1405 committed May 14, 2026

wiki(qa-r5): playbook v3 surface — honest framing + line count + v2/v3 default fixes Pairs with main repo commit 77f2334. Twelve files touched on the wiki side: - dart-playbook.md ........... v3 'industrialization' section rewritten with 'data scaffold; runtime activation post-SANS' framing. Anatomy section flipped from senior-analyst-v2.yaml to senior-analyst-v3.yaml with v3-additions vs v2-carry-over grouping. Bundled-playbooks table line count 1135 → 1182. Forking instructions now point at v3 as source. Operator-notes citation moved to v3. 'Six principles every senior analyst remembers' sourced from v3 (inherited from v2). 'See also' adds v3 link. - Phase-1.md ................. v3 line count 1135 → 1182. 'Playbook v3.1' release-history row clarified to 'Playbook v3 patch (no separate v3.1 file)'. - Roadmap.md ................. v3 line item rewritten with 'YAML data scaffolds' framing + issue #44 link + line count update. - SIFT-adapter-layer.md ...... 'playbook v3.1' → 'playbook v3'. - The-Memex-Bet.md ........... 'Playbook v2' → 'Playbook v3 (default)'. - Case-IP-KVM.md ............. v1 historical context preserved with a 'now default in v3' annotation appended. - Case-PtH-Timestomp.md ...... same v1 historical / v3 current-default annotation pattern. - Writing-case-studies.md .... v1 reference → v3 default in the next_call_decisions tuning instruction. == Why this matters == A SANS judge reading dart-playbook.md and then opening dart_agent/__init__.py would have found the 'HMM operationalized in the agent' / 'every run self-classifies' / 'triggered when any phase exits' claims absent from the runtime path. Round 5 fixes that — documentation and code now agree, with the runtime activation work explicitly deferred and tracked at issue #44. No code changes on the wiki side; pure documentation. Main repo's 77f2334 covers the v3 yaml header and the source tree.

Juwon1405 committed May 3, 2026

wiki: add SIFT-adapter-layer page + Home TOC link Documents the v0.5 SIFT Workstation tool adapter layer: - 25 typed wrappers (Volatility 3 ×12, Eric Zimmerman ×8, YARA ×2, Plaso ×2) - Binary resolution rules per adapter (env-var override -> PATH -> error) - Architectural contract every adapter must satisfy (read-only sandbox, SHA-256 audit, subprocess timeout, structured output, graceful degradation, schema parity) - Verification commands Pairs with main repo commit 403a5ce.

Juwon1405 committed May 2, 2026