wiki(qa-r11): 11 hallucinations across 9 pages — function signatures, CLI flags, file refs
Pairs with main repo commit c34f661. Round 11 extended round 10's
'wiki/docs cite-vs-reality' sweep to all wiki pages round 10 didn't
touch. Found 11 hallucinations across 9 pages.
== Defects fixed ==
### dart-mcp.md — 22 function signatures wrong
This page was the headline catalog of native MCP functions
('The 60 functions') and was citing every one of them with
fictional kwargs like host=, target=, path=. This is the most
important page after the README for anyone trying to understand
the MCP surface. A judge clicking dart-mcp from the sidebar
would have hit fictional signatures for nearly every function.
Fixed:
get_amcache(path) → get_amcache(hive_path)
parse_prefetch(target) → parse_prefetch(prefetch_path)
parse_shimcache(host) → parse_shimcache(system_hive)
get_process_tree(host) → get_process_tree(process_csv)
analyze_usb_history(host, time_window) → analyze_usb_history(system_hive, setupapi_log)
parse_shellbags(host) → parse_shellbags(ntuser_hive)
extract_mft_timeline(host, start, end) → extract_mft_timeline(mft_path, start, end)
list_scheduled_tasks(host) → list_scheduled_tasks()
detect_persistence(host) → detect_persistence()
analyze_event_logs(host, event_ids, time_window) → analyze_event_logs(events_json)
parse_unified_log(host, subsystem, time_window) → parse_unified_log(unifiedlog_json)
parse_knowledgec(host) → parse_knowledgec(knowledgec_db)
parse_fsevents(host) → parse_fsevents(fsevents_csv)
parse_browser_history(host, browser) → parse_browser_history(history_db)
analyze_downloads(host) → analyze_downloads(downloads_source)
correlate_download_to_execution(host) → correlate_download_to_execution(downloads, executions)
detect_exfiltration(host, time_window) → detect_exfiltration()
analyze_windows_logons(host) → analyze_windows_logons(security_events_json)
detect_lateral_movement(host) → detect_lateral_movement()
analyze_kerberos_events(host) → analyze_kerberos_events(security_events_json)
analyze_unix_auth(host, time_window) → analyze_unix_auth(auth_log_path)
detect_privilege_escalation(host) → detect_privilege_escalation()
analyze_web_access_log(path, rules) → analyze_web_access_log(access_log)
detect_webshell(path) → detect_webshell(webroot)
detect_brute_force_rdp(host) → detect_brute_force_rdp(security_events_json)
detect_credential_access(host) → detect_credential_access()
detect_ransomware_behavior(host) → detect_ransomware_behavior()
detect_defense_evasion(host) → detect_defense_evasion()
detect_discovery(host) → detect_discovery()
correlate_timeline(start, end, sources) → correlate_timeline(events)
All verified against live inputSchema.required. No-arg
functions (the post-Phase-1 detect_* family) had fictional
'(host)' parameters that don't exist in the schema at all.
### Case-PtH-Timestomp.md — list_scheduled_tasks(host=...)
Same residual fix as docs/case-pth-timestomp.md (round 10
caught 3 of 4 fictional signatures on this page; r11 caught
the last one).
### Operator-guide.md / Running-on-macOS.md — --evidence flag
Both pages advertised '--evidence /path/to/evidence' as a CLI
flag. Round 10 caught the same hallucination in Live-mode.md
but missed these two operator-facing pages — the SIFT VM
install + macOS dev-mode pages a judge would land on after the
README directs them to operator-guide.
Fixed both to use 'export DART_EVIDENCE_ROOT=...' (the actual
env-var pattern) before invoking the agent.
### Case-IP-KVM.md / Running-on-SIFT.md / Writing-case-studies.md — missing --out
All three advertised 'python3 -m dart_agent --case ID --max-
iterations 25' but --out is a required argparse argument.
Without it the CLI errors with 'argument --out is required'.
Added --out to the example invocations on all three pages.
### FAQ.md — '36th appears or one of the 35'
The 'Is the MCP surface really fixed in size?' answer used
'35' as the surface-count anchor. Total surface is 60 (35
native + 25 SIFT adapters), so the 'a 36th appears' phrasing
has been stale since v0.5. Fixed to 'a 61st appears or any of
the 60 (35 native + 25 SIFT adapters) disappears'.
The same page's overview (line 99) already cited 60 correctly,
making the line-25 mistake an inter-paragraph drift inside one
page — caught by re-reading from a judge's flow rather than
from a count-grep.
### dart-corr.md — illustrative pseudocode framing
The pseudocode block was labeled '# dart_corr/__init__.py —
simplified', which an attentive reader could mistake for a
pointer at a real file. dart_corr/ contains only README.md;
the actual correlation code is in dart_mcp/__init__.py. The
page's 'Implementation note' at the bottom already says this,
but reading the pseudocode header in isolation gives the wrong
impression. Reframed the comment to 'Illustrative — real
implementation lives in dart_mcp/__init__.py' inline so the
framing is correct at point-of-read.
== Verification approach ==
For each function-signature fix:
1. Pulled the live inputSchema.required from list_tools()
2. Verified the kwarg names match what dart_mcp/__init__.py
actually accepts
3. Where the old wiki signature included optional kwargs that
don't exist (e.g., 'time_window' on detect_exfiltration),
dropped them rather than mapping to a different optional
For CLI fixes: confirmed against 'python3 -m dart_agent --help'
output (only --case, --out, --max-iterations, --mode, --prompt,
--model, --dry-run exist).
== Pattern internalized ==
Round 10 found a few signature hallucinations on the prominent
Case-PtH page. Round 11 showed they were endemic on the headline
catalog page (dart-mcp.md) — every single one of 22 cited
functions had a fictional kwarg. Likely cause: the wiki was
drafted from a v0.3-era memory of the surface, then never
re-synced to the actual schema during the v0.4/v0.5 expansions.
Going forward: any wiki page that lists multiple function
signatures gets re-grep'd against list_tools() schema after
every surface change, not just every release.