wiki: naturalize hardcoded counts (Source of Truth lives in README Hero)

Following the same Single-Source-of-Truth cleanup applied to the main
repo: wiki pages no longer hardcode '67 typed functions / 42 native +
25 SIFT adapters / 10 of 12 MITRE / 55 tests / 1182 lines'. Phrasing
shifts to 'the typed MCP surface', 'native + SIFT adapters', 'broad
MITRE enterprise tactic coverage'.
Phase-1.md historical version table preserves period-specific numbers
(v0.3 = 31 functions, v0.4 = 35 native, v0.5 = 60 functions) because
those are historical facts about what shipped on those dates, not
claims about current state.
The canonical exact name set continues to live in
tests/test_mcp_surface.py — the only place that needs editing when a
function is added or removed.
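As an added illustration of the single-source-of-truth pattern this commit describes (not the project's own tests/test_mcp_surface.py, whose contents this page does not show): one test pins the exposed tool names to a canonical set, and a small scanner flags wiki prose that still carries a count-bearing phrase. The tool names, the registry stand-in and the sample wiki text below are constructed; the project's real registry, function names and phrasing are assumptions here.

```python
import re

# Constructed stand-in for the names the MCP server registers at runtime
# (the real project would derive these from its registry; assumption).
REGISTERED_TOOLS = frozenset({
    "list_artifacts", "parse_evtx", "build_timeline", "hash_file",
})

# Constructed stand-in for the canonical exact name set the commit says
# lives in tests/test_mcp_surface.py.
CANONICAL_TOOLS = frozenset({
    "list_artifacts", "parse_evtx", "build_timeline", "hash_file",
})


def surface_diff(registered, canonical):
    """Return (unexpected, missing): names exposed but not canonical, and
    canonical names no longer exposed. Both empty means the surface matches,
    so the count is implied by the set and never written down separately."""
    registered, canonical = set(registered), set(canonical)
    return registered - canonical, canonical - registered


def test_mcp_surface_matches_canonical():
    unexpected, missing = surface_diff(REGISTERED_TOOLS, CANONICAL_TOOLS)
    assert not unexpected, f"unlisted tools exposed: {sorted(unexpected)}"
    assert not missing, f"canonical tools missing: {sorted(missing)}"


# Phrases that tie prose to a number that will drift: "67 typed functions",
# "42 native", "25 SIFT adapters", "10 of 12 MITRE", "55 tests", "1182 lines".
# Naturalized wording such as "the typed MCP surface" is deliberately not matched.
HARDCODED_COUNT = re.compile(
    r"\b\d+\s+(?:(?:typed )?functions|native|SIFT adapters|tests?|lines)\b"
    r"|\b\d+\s+of\s+\d+\s+MITRE\b"
)


def find_hardcoded_counts(text):
    """Return [(line_number, phrase)] for every count-bearing phrase in text.
    Hits in intentionally historical rows (e.g. a release table) still surface;
    deciding that a row is historical is a human call, not the scanner's."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HARDCODED_COUNT.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


# Constructed sample resembling before/after wiki phrasing.
SAMPLE_WIKI = """\
dart-mcp exposes 67 typed functions (42 native + 25 SIFT adapters).
Coverage: 10 of 12 MITRE enterprise tactics, 55 tests passing.
Historical: v0.3 shipped 31 functions.
dart-mcp exposes the typed MCP surface (native + SIFT adapters).
"""

if __name__ == "__main__":
    test_mcp_surface_matches_canonical()
    for lineno, phrase in find_hardcoded_counts(SAMPLE_WIKI):
        print(f"line {lineno}: hardcoded count {phrase!r}")
```

Run as a pytest file the first function fails the moment a tool is added or removed without touching the canonical set, which is exactly the "only place that needs editing" property the commit relies on; the scanner is a pre-commit style check over the wiki tree, and its hits on historical release rows are expected and reviewed rather than rewritten.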

wiki(qa-r6): kill v2-default residue + correct reference counts to ground truth

Pairs with main repo commit 9ebdb97. Three pages touched:
== _Sidebar.md (right-hand nav, every page) ==
Line 18 was advertising '(v2: 10 phases, 25 sources)' — appeared in
the right-hand navigation of every wiki page, contradicting the
v3-default story we'd told everywhere else. The user caught this
exactly because it appeared next to every wiki page they opened.
Now reads: '(v3 default: 10 phases, 42 references)'.
== dart-playbook.md ==
Line 23 had a literal '**v2 is the default for any new case.**'
sentence sitting on the same page as the v3-default header above it.
Rewritten to '**v3 is the default for any new case.** v2 is retained
as the methodology baseline...'.
Line 79 (Reference corpus section) had '39 published references
organized into 5 categories. v3 adds **14 new** vs v2'. Rewritten
with ground-truth counts measured directly from the yaml:
'42 published references organized into **6 categories**. v3 adds
**+17 net items vs v2's 25**' with the per-category diff broken
out (15 indust + 2 inspiration + 2 vendor − 2 primary consolidation).
Line 92 was a top-level '## senior-analyst-v2 — methodology lineage'
section sitting at the same heading depth as the v3 industrialization
section. Re-framed as '## Methodology lineage (inherited from v2,
still authoritative in v3)' so it reads as v3's foundation, not as
a competing version.
== Why this matters ==
A SANS judge — or any wiki reader — opening the dart-playbook page
or the right-hand nav would have seen 'v2 default' in plain English
right after reading 'v3 default' elsewhere. That contradiction looks
worse than either single error: it looks like the project doesn't
know its own state. Round 6 closes the loop.

wiki(qa-r5): playbook v3 surface — honest framing + line count + v2/v3 default fixes

Pairs with main repo commit 77f2334. Twelve files touched on the wiki side:
- dart-playbook.md ........... v3 'industrialization' section rewritten
with 'data scaffold; runtime activation post-SANS' framing.
Anatomy section flipped from senior-analyst-v2.yaml to
senior-analyst-v3.yaml with v3-additions vs v2-carry-over grouping.
Bundled-playbooks table line count 1135 → 1182. Forking
instructions now point at v3 as source. Operator-notes citation
moved to v3. 'Six principles every senior analyst remembers'
sourced from v3 (inherited from v2). 'See also' adds v3 link.
- Phase-1.md ................. v3 line count 1135 → 1182. 'Playbook
v3.1' release-history row clarified to 'Playbook v3 patch (no
separate v3.1 file)'.
- Roadmap.md ................. v3 line item rewritten with
'YAML data scaffolds' framing + issue #44 link + line count update.
- SIFT-adapter-layer.md ...... 'playbook v3.1' → 'playbook v3'.
- The-Memex-Bet.md ........... 'Playbook v2' → 'Playbook v3 (default)'.
- Case-IP-KVM.md ............. v1 historical context preserved with
a 'now default in v3' annotation appended.
- Case-PtH-Timestomp.md ...... same v1 historical / v3 current-default
annotation pattern.
- Writing-case-studies.md .... v1 reference → v3 default in the
next_call_decisions tuning instruction.
== Why this matters ==
A SANS judge reading dart-playbook.md and then opening
dart_agent/__init__.py would have found the 'HMM operationalized in
the agent' / 'every run self-classifies' / 'triggered when any phase
exits' claims absent from the runtime path. Round 5 fixes that —
documentation and code now agree, with the runtime activation work
explicitly deferred and tracked at issue #44.
No code changes on the wiki side; pure documentation. Main repo's
77f2334 covers the v3 yaml header and the source tree.

wiki(qa-r2): sync 22→31 tests, add v0.5.1/v0.5.2 timeline, v1 playbook line count

Follow-up sync after main repo's v0.5.2 landed (defensive runtime
guards + 3 regression tests). The recent on-main 'wiki — 13 pages
updated' sweep correctly moved every surface to 60 tools, but the
test-count bumped from 22 to 31 in v0.5.2 and a few wiki pages
hadn't caught up.
Counts (5 files):
- FAQ.md '22 / 22 tests passing' → 31 / 31
- Operator-guide.md 'All 22 tests should print OK' → 31
- Phase-1.md '22 of 22 tests passing' → 31 of 31
- Roadmap.md '22 of 22 tests passing' → 31 of 31
- Running-on-macOS.md 'Run all 22 tests' / 'All 22 tests pass on M1/M2/M3' → 31
Timeline (Phase-1.md):
- Added v0.5.1 row (2026-05-03 — Evergreen visuals + full-surface QA)
- Added v0.5.2 row (2026-05-03 — Defensive runtime guards + 31 tests)
- Reordered v0.4.1 / Playbook v3 / v3.1 chronologically so the table
reads top-to-bottom in actual ship order rather than the previous
near-random sequence
Playbook line counts (dart-playbook.md, 2 places):
- senior-analyst-v1.yaml 128 → 133 lines
(v0.5.2 patched the volatile_first phase to reference real registry
tools; the Memory Capture phase grew by 5 lines with the explanatory
rationale comment)
- Annotated the legacy comment so future readers know why v1 still has
a 'memory' phase even though native memory functions aren't on the
v0.5 registry
Phase-1's two intentionally-historical rows preserved verbatim:
- 'v0.4 → 35 native, 20 tests' — release-time state
- 'v0.5 → 60, 22 tests' — release-time state
These are timeline facts, not status claims, so they do NOT bump.

wiki: dart-playbook — add Yamato Security as external reference

Wiki update following v3.1 patch (commit 45580dd in main repo).
== Changes ==
- vendor_research count updated (10, +2 vs v2 — Roberto Rodriguez
OTRF and Zach Mathis Yamato Security Tokyo)
- New 'related_tools_for_inspiration' category added with 2 entries:
Hayabusa and EnableWindowsLogSettings, both Yamato Security Tokyo
- Footnote added below the standards section with explicit
external-attribution disclaimer:
'Yamato Security is an independent Tokyo-based DFIR group;
Agentic-DART has no affiliation or partnership with them.'
== Why ==
Tokyo-based DFIR community recognition is a credibility signal,
and Yamato Security has shipped some of the best open-source EVTX
tooling. Crediting them as external prior art (without conflating
ownership) is the correct posture for SANS judges who know the
Japanese security ecosystem.
== Verified ==
- 0 broken wiki links maintained
- All Yamato citations explicitly marked as external/third-party

wiki: feature Playbook v3 (industrialization release) on dart-playbook page

== dart-playbook.md ==
- Bundled playbook table updated: v3 (1135 lines) is now default,
v2 (845 lines) demoted to 'methodology baseline', v1 kept for demos
- Added new section 'senior-analyst-v3 — industrialization release'
before the existing v2 section, covering:
* Palantir ADS Framework (9-section detection contract)
* MaGMa Use Case Framework (L1/L2/L3 + CMMI 5-level maturity)
* TaHiTI threat hunt cycle (H1/H2/H3)
* Bianco Hunting Maturity Model (HMM 0-4) operationalized
- Reference corpus expanded to 39 with hyperlinks to awesome-soc,
awesome-incident-response, awesome-threat-detection,
ThreatHunter-Playbook, Atomic Red Team, Sigma schema
== Roadmap.md ==
- Added 'Playbook v3 (2026-05-01)' entry to the Done section
immediately after the v2 entry, summarizing the 14 new references
and four framework additions
Wiki broken links: 0 maintained.

wiki(dart-playbook): rewrite for v2 senior-analyst methodology

228-line update reflecting senior-analyst-v2.yaml as default. Documents:
- 10-phase methodology (P0 volatility through P9 finding emission)
- 10 case classes (was 3 in v1)
- posture block with M-Trends 2026 priors
- 25 next_call_decisions, 7 contradiction_triggers, 5 stop_conditions
- 25 references grouped by category
- 6 senior-analyst principles from operator_notes
Cites Mandiant M-Trends 2026, Bianco's Pyramid of Pain & Hunting
Maturity Model, Diamond Model, Lockheed Kill Chain, MITRE ATT&CK v16,
F3EAD, NIST 800-61/86/150, The DFIR Report case studies, CISA
#StopRansomware advisories, and field practitioners (Metcalf, Edwards,
Wardle, Pomeranz, Zimmerman, Case, Roth, JPCERT).

wiki: dart-playbook page rewritten around v2 (Mandiant + Bianco + DFIR Report)

dart-playbook page now reflects senior-analyst-v2.yaml — the
comprehensive senior-analyst methodology shipped in repo commit
463afe0. New content:
- Methodology lineage table (9 frameworks, all linked)
- Field-practice section (8 named senior analysts, attribution links)
- Case-study grounding (DFIR Report 2024-2026, CISA, DBIR)
- 10-phase sequence table with senior-analyst principles
- 10 case classes with M-Trends 2026 prior justification
- 7 named contradiction triggers with MITRE pivots
- v2 phase anatomy example (P2 Timeline Reconstruction)
Home.md and _Sidebar.md tagline updated to mention v2 scope.

wiki: add 12 missing pages, fix all 32 broken links

The wiki sidebar and Home page referenced 13 pages that didn't exist,
producing the GitHub 'create new page' UI when clicked. Adds:
Concepts:
Glossary — DFIR / agent / MCP terms
The 5 packages:
dart-agent — senior-analyst wrapper loop
dart-corr — cross-artifact correlation engine
dart-audit — SHA-256 chained audit log
dart-playbook — YAML sequencing rules
(dart-mcp already existed)
Reference:
Comparison — vs Velociraptor / Plaso / EZ tools / SOAR / vanilla LLMs
Running it:
Running-on-SIFT — SANS SIFT VM 5-minute setup
Running-on-macOS — macOS-specific mount conventions
Live-mode — real Claude API + MCP stdio integration
Case studies:
Case-PtH-Timestomp — Pass-the-Hash + timestomp pre-existence
Case-IP-KVM — IP-KVM remote-hands insider scenario
Writing-case-studies — guide for contributing new case studies
Project:
Accuracy — reproducible accuracy methodology + numbers
The Roadmap-Phase-2/3/4 links in Home.md were repointed to the
existing Roadmap page's anchors (those were never separate pages).
The Contributing link in dart-mcp.md now points to CONTRIBUTING.md
in the main repo.
_Sidebar.md restructured into 6 named sections so the 25-page wiki
is navigable. Final broken-link count: 0.