
VERDICT v0.1.4


@github-actions github-actions released this 15 Jun 03:32
· 17 commits to master since this release
16f0761

VERDICT is a DFIR agent that runs inside Claude Code: point it at supported evidence and it opens a Case, drives a typed read-only MCP tool surface, verifies every Finding, and writes a signed Verdict plus analyst report. This release adds large-/multi-host investigation guidance and a documentation accuracy pass, on top of the v0.1.x release-hygiene line.

Highlights

Large- and multi-host investigations

  • Fleet mode + scale guidance: scripts/verdict <case-root> --fleet runs each host as its own audit-chained Case, then cross-host correlation and a fleet report. New operating guidance in CLAUDE.md ("Large And Multi-Host Cases") and agent-config/PLAYBOOK.md ("Multi-host fleet — the scale path"): SIFT mount-in-place for large disk images (no multi-GB copy), VM space management, and disk+memory fusion for ≥2-artifact-class corroboration.
  • DFIR interpretation traps added to agent-config/MEMORY.md (auto-read before any Finding): EID 1102 build-residue vs. incident log-clear, vol_malfind RWX false positives, and truncated-capture pslist=0/malfind=0 ("not analyzable", not clean).
  • feat(verdict): case-local run artifacts consolidated under the case directory.

Accuracy honesty

A read-only audit of the public docs, with fixes applied (4 HIGH + 12 MEDIUM/LOW + framing):

  • Repointed broken accuracy-report.md §3 references; removed three non-existent commit-hash citations; scoped the unpopulated "DFIR-Metric + leaderboard" benchmark claim.
  • Corrected compute_verdict line count, the CONFIRMED-filter jq command, the contradiction_resolved audit-record name, rs_merkle/DuckDB labeling (hand-rolled / path-reserved), Ed25519-as-default signer, conditional REPORT.html/.pdf, and attribution of showcase numbers to the pictured run.

Tests & CI

  • test(fixtures): Windows golden contracts.
  • ci: a single aggregate required check.

Install

Prebuilt, checksum-verified findevil-mcp binaries are attached for Linux x86_64/aarch64 and macOS x86_64/aarch64. scripts/install.sh fetches them with FINDEVIL_MCP_PREBUILT=1 FINDEVIL_MCP_VERSION=v0.1.4 (verified against SHA256SUMS); otherwise it builds from source. See INSTALL.md / QUICKSTART.md.
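As an added example (not VERDICT's own scripts/install.sh), this POSIX shell function shows the check the installer is described as performing: a downloaded findevil-mcp binary is accepted only if its SHA-256 digest matches the entry in the release's SHA256SUMS, and an artifact that is absent from that file is refused rather than silently accepted. The artifact and file names, and the standard "<hex>  <filename>" SHA256SUMS layout, are assumptions.

```shell
#!/bin/sh
# Added example, not VERDICT's install.sh: verify one downloaded release
# artifact against the release's SHA256SUMS before it is ever executed.
# Assumption: SHA256SUMS uses the `sha256sum` format "<hex>  <basename>"
# (or "<hex> *<basename>" for binary mode); names contain no whitespace.

# coreutils sha256sum on Linux, shasum on macOS.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# verify_artifact SUMS_FILE ARTIFACT_PATH
# Returns 0 only when ARTIFACT_PATH is listed in SUMS_FILE and the digest
# matches. An unlisted artifact is a failure, not a pass: the convenient
# `sha256sum -c --ignore-missing` would silently accept it.
verify_artifact() {
    sums=$1
    artifact=$2
    name=$(basename "$artifact")
    [ -f "$sums" ] || { echo "missing checksum file: $sums" >&2; return 2; }
    [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }

    # Take only the line whose filename field is exactly this artifact.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "REFUSE: $name is not listed in $sums" >&2
        return 1
    fi
    actual=$(sha256_cmd "$artifact" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSE: digest mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK: $name matches SHA256SUMS"
    return 0
}
```

Run it as `verify_artifact SHA256SUMS ./findevil-mcp` after downloading both files from the same release; a non-zero exit means the binary must not be installed.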

Verification

All CI gates passed on the release commit: L0 Static, L1 Unit+Build, L2 SIFT-lite, L3 Nightly Goldens, Docs (cross-references intact), tool-count, Amendment A2 invariants, and the aggregate CI Required gate. Rust: cargo clippy -D warnings clean; cargo test --workspace 320 passed / 0 failed (1 intentional ignore).

Known limitations / roadmap

  • A few README/QUICKSTART marketing captions are intentionally kept as image alt-text or with linked accuracy context rather than rewritten.
  • Prebuilt binaries cover Linux + macOS (no Windows binary in this set).
  • In-chain self-correction — emitting auditable records when the agent revises a Finding — is tracked as #54.

Changelog (since v0.1.3)

  • docs: large/multi-host case guidance, DFIR interpretation traps, #54 cross-link
  • docs: clarify calibration and benchmark claims (HIGH overclaim fixes)
  • docs: fix MEDIUM/LOW accuracy overclaims (factual + reference corrections)
  • docs: attribute showcase numbers + fix quickstart clone-path example
  • feat(verdict): consolidate case-local run artifacts
  • test(fixtures): add Windows golden contracts
  • ci: add aggregate required check
  • chore(release): ignore local video artifacts

Full diff: v0.1.3...v0.1.4