Overview
Chronos-DFIR employs a multi-agent development protocol in which three AI agents collaborate with distinct roles:
- Claude (Architect): Design decisions, code implementation, rule authoring
- Gemini CLI (Engineer): QA audits, performance profiling, dependency review
- Antigravity (Auditor): Counter-audits, reality checks, empirical verification
This is a production workflow used to develop Chronos-DFIR from v162 to v185 (23 major versions, 361 commits).
Agent Roles & Responsibilities
Claude (Architect)
Primary Tool: Claude Code CLI / Claude Sonnet 4.0
Responsibilities:
- Design architectural decisions (module structure, API contracts)
- Implement new features (Python backend, JavaScript frontend)
- Write detection rules (Sigma YAML, YARA)
- Refactor and decompose monolithic code (app.py 2,160 → 1,528 lines)
- Update documentation (CLAUDE.md, README.md, .agents/STATUS.md)
CLAUDE.md:165-168 (v179 MFT fix)
Gemini CLI (Engineer)
Primary Tool: Gemini CLI / Gemini 2.5
Responsibilities:
- QA audits after major releases
- Performance profiling (memory usage, query plans)
- Dependency review (requirements.txt security scan)
- Test coverage analysis
- Strategic recommendations (“consider extracting X to Y”)
CLAUDE.md:119-124 (Gemini v168 evaluation)
Antigravity (Auditor)
Primary Tool: Antigravity Agent / Custom Audit Framework
Responsibilities:
- Counter-audits: Verify Gemini’s claims against actual source code
- Empirical checks: Grep for datetime.now(), count pandas imports, measure app.py lines
- Reality grounding: Flag false “COMPLETE” statuses
- Critical findings: Prioritize forensic integrity violations
CLAUDE.md:126-133 (Antigravity V3 assessment)
Conflict Resolution Protocol
Procedure:
- Gemini audit → Strategic recommendations
- Antigravity counter-audit → Empirical verification
- Claude review → Prioritize findings, implement fixes
- Scorecard update → .agents/SCORECARD.md tracks scores by area
CLAUDE.md:58-60 (Conflict resolution)
Skill Registry System
Chronos-DFIR maintains a central skill registry tracking 76 skills across 5 categories.
Skill Categories
active (10 skills)
Status: Production code in engine/ or app.py
Examples:
- chronos_sigma_engine → engine/sigma_engine.py
- chronos_chain_of_custody → SHA256 hash in upload endpoint
- chronos_forensic_analyzer → engine/forensic.py
- chronos_ingestor → engine/ingestor.py
- chronos_histogram_builder → engine/analyzer.py
Reference: engine/skill_router.py:1-300
frontend (5 skills)
Status: Implemented in static/js/
Examples:
- chronos_grid_virtualization → static/js/grid.js (Tabulator remote pagination)
- chronos_filter_composition → static/js/filters.js (query + col_filters + time)
- chronos_persistent_selection → static/js/grid.js (_persistentSelectedIdsSet)
- chronos_chart_sync → static/js/charts.js (listens to FILTERS_CHANGED)
- chronos_state_events → static/js/state.js (event-driven architecture)
Reference: static/js/ directory
rules (5 skills)
Status: Implemented via Sigma YAML or YARA files
Examples:
- chronos_sigma_mitre_mapping → 86 rules in rules/sigma/
- chronos_yara_ransomware → rules/yara/ransomware/lockbit.yar
- chronos_yara_lolbins → rules/yara/lolbins.yar
- chronos_yara_c2 → rules/yara/c2_frameworks.yar
- chronos_yara_infostealers → rules/yara/infostealers.yar
Coverage:
- Sigma: TA0001-TA0011 + TA0040 (MITRE Kill Chain)
- YARA: Ransomware (LockBit, QILIN), LOLBins, C2 (Cobalt Strike, Sliver), webshells
Reference: rules/sigma/, rules/yara/
wired (4 skills)
Status: Code exists but not connected to endpoints
Examples:
- chronos_case_db → engine/case_db.py (DuckDB CRUD, no endpoint)
- chronos_case_router → engine/case_router.py (FastAPI router, not mounted)
- chronos_universal_ingestor → universal_ingestor.py (orphaned, zero imports)
- chronos_enrichment_cache → engine/enrichment_cache.py (not called)
Reference: .agents/STATUS.md:15-20
prompt_only (52 skills)
Status: System prompts for AI agents, not yet implemented
Examples:
- chronos_correlation_architect → Cross-source entity correlation
- chronos_mitre_strategist → Kill chain sequence reconstruction
- chronos_execution_forensics → Process tree analysis
- chronos_session_grouper → Temporal session clustering
- chronos_auto_narrative → Natural language report generation
Reference: .agents/skills/*/SKILL.md
Priority List: engine/skill_router.py:get_high_priority_prompts() returns top 5.
Reference: engine/skill_router.py:250-280
Registry CLI
View Summary:
CLAUDE.md:242-244 (Skill registry protocol)
Communication Documents
The .agents/ directory contains coordination files for session continuity.
STATUS.md (~30 lines)
Purpose: Current project state snapshot
Structure:
Update Frequency: After each major version increment.
Reference: .agents/STATUS.md
MANDATES.md (Prioritized Checklist)
Purpose: Pending work items ranked by priority
Example:
Reference: .agents/MANDATES.md
SCORECARD.md (Historical Tracking)
Purpose: Track progress across versions
Example:
Visualization: Plot total score over time to track velocity.
Reference: .agents/SCORECARD.md
DECISION_LOG.md (ADRs)
Purpose: Architecture Decision Records
Example Entry:
Reference: .agents/DECISION_LOG.md
RUNBOOK_TEMPLATE.md
Purpose: Session checklist for multi-agent coordination
Steps:
- Read STATUS.md + MANDATES.md (~60 lines)
- Run python engine/skill_router.py for skill status
- Check SCORECARD.md for trend analysis
- Implement mandates (highest priority first)
- Update STATUS.md with new scores
- Commit with detailed message (reference scorecard delta)
.agents/RUNBOOK_TEMPLATE.md
CI/CD & Quality Gates
Chronos-DFIR enforces automated quality checks at commit and push time.
Pre-Commit Hook
Location: .git/hooks/pre-commit (also .pre-commit-config.yaml for framework)
Checks:
- app.py line count < 2000 lines
- Pandas imports = 0 occurrences
- Pytest passing (all tests except 2 known async failures)
- Trailing whitespace removal
- YAML validation (Sigma rules)
- Large file detection (block files > 10MB)
CLAUDE.md:245-247 (Pre-commit framework)
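The pre-commit checks above and the Auditor's empirical checks (grep for datetime.now(), count pandas imports, measure app.py lines) as one added Python example. This is not Chronos-DFIR's own hook or audit code: the function names, the in-memory path-to-content mapping and the sample sources are constructed for this illustration. It goes slightly beyond the page by also catching datetime.utcnow() and the datetime.datetime.now() spelling, and by reporting trailing-whitespace line numbers instead of stripping them.

```python
"""Added example, not Chronos-DFIR's own hook: the source-level checks the Auditor role
and the pre-commit hook describe, run over in-memory files so it works offline."""
import ast
from typing import Dict, List

APP_LINE_LIMIT = 2000                # app.py must stay under 2000 lines
MAX_FILE_BYTES = 10 * 1024 * 1024    # block files larger than 10 MB


def _root(name: str) -> str:
    """Top-level package of a dotted module name ("pandas.io" -> "pandas")."""
    return name.split(".")[0]


def count_pandas_imports(source: str) -> int:
    """Count `import pandas ...` and `from pandas... import ...` statements via the AST,
    so commented-out or string-embedded mentions are not counted."""
    hits = 0
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            hits += sum(1 for alias in node.names if _root(alias.name) == "pandas")
        elif isinstance(node, ast.ImportFrom) and node.module and _root(node.module) == "pandas":
            hits += 1
    return hits


def count_wall_clock_calls(source: str) -> int:
    """Count datetime.now() / datetime.utcnow() calls. In an artifact parser these replace
    evidence timestamps with the analyst's clock: a forensic integrity violation."""
    hits = 0
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        target = node.func.value
        # matches both `datetime.now()` and `datetime.datetime.now()`
        is_datetime = (isinstance(target, ast.Name) and target.id == "datetime") or (
            isinstance(target, ast.Attribute) and target.attr == "datetime")
        if is_datetime and node.func.attr in ("now", "utcnow"):
            hits += 1
    return hits


def trailing_whitespace_lines(source: str) -> List[int]:
    """1-based numbers of lines that end in whitespace."""
    return [i for i, line in enumerate(source.splitlines(), 1) if line != line.rstrip()]


def run_checks(files: Dict[str, bytes]) -> List[str]:
    """Apply the gate to a path -> content mapping; an empty list means the commit passes."""
    findings: List[str] = []
    for path, data in sorted(files.items()):
        if len(data) > MAX_FILE_BYTES:
            findings.append(f"{path}: {len(data)} bytes exceeds the 10MB limit")
        if not path.endswith(".py"):
            continue
        text = data.decode("utf-8")
        lines = len(text.splitlines())
        if path.split("/")[-1] == "app.py" and lines >= APP_LINE_LIMIT:
            findings.append(f"{path}: {lines} lines, must be under {APP_LINE_LIMIT}")
        if (n := count_pandas_imports(text)):
            findings.append(f"{path}: {n} pandas import(s), expected 0")
        if (n := count_wall_clock_calls(text)):
            findings.append(f"{path}: {n} datetime.now()/utcnow() call(s)")
        if (ws := trailing_whitespace_lines(text)):
            findings.append(f"{path}: trailing whitespace on line(s) {ws}")
    return findings


# Constructed sample tree (not project files): one clean module, one module with every
# source-level violation, and one oversized binary.
SAMPLE_FILES: Dict[str, bytes] = {
    "app.py": b"import polars as pl\n\n\ndef main():\n    return pl.DataFrame()\n",
    "engine/mft_engine.py": (
        b"from datetime import datetime\n"
        b"import pandas as pd\n"
        b"\n"
        b"def stamp():\n"
        b"    return datetime.now()  \n"
    ),
    "samples/big.bin": bytes(MAX_FILE_BYTES + 1),
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_FILES):
        print(finding)
```

Wiring this into a real hook means filling the mapping from the staged paths (`git diff --cached --name-only`) and exiting non-zero when the list is non-empty; the pytest and Sigma YAML validation steps listed above are separate commands and are not reproduced here.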
GitHub Actions Workflow
Location:.github/workflows/ci.yml
Triggers: Push to main, pull requests
Jobs:
1. Test Suite
2. Code Constraints
3. Sigma Rules Validation
4. Skill Registry Integrity
CLAUDE.md:246 (GitHub Actions)
Session Continuity Protocol
When starting a new development session, follow this checklist:
Implement & Test
- Write code
- Run pytest
- Test manually (if frontend)
- Update CLAUDE.md with engineering notes
CLAUDE.md:61-64 (Session continuity)
Multi-Agent Workflow Example
Real Case Study: MFT Timestamp Fix (v179)
Timeline: 2026-03-08, ~4 hours
Phase 1: Antigravity Audit
Finding:
CLAUDE.md:126 (Antigravity V3)
Phase 2: Claude Investigation
Actions:
- Read mft_engine.py → Confirmed datetime.now() on line 145
- Check for existing FILETIME parser → Found win64_to_datetime() utility (unused)
- Research MFT structure → $STANDARD_INFORMATION attribute (type 0x10)
- Design fix: Parse FILETIME struct from binary MFT record
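The design from Phase 2, parsing FILETIME values out of the $STANDARD_INFORMATION attribute instead of stamping each record with the wall clock, as an added Python example. This is not the v179 change to mft_engine.py and it does not use the project's win64_to_datetime() helper; the function names and the sample attribute bytes are constructed here. It decodes a resident attribute header and the four MACB timestamps that open the attribute body.

```python
"""Added example (not Chronos-DFIR's mft_engine.py): decode the four FILETIME fields of a
resident $STANDARD_INFORMATION attribute (type 0x10) from an MFT record."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100-ns ticks from here
STANDARD_INFORMATION = 0x10                                  # NTFS attribute type code


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME to a timezone-aware UTC datetime."""
    if not 0 <= ft < 2 ** 63:
        raise ValueError(f"FILETIME out of range: {ft:#x}")
    # integer division drops the sub-microsecond part, which datetime cannot hold
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_standard_information(attr: bytes) -> dict:
    """Return the MACB timestamps stored in a resident $STANDARD_INFORMATION attribute.

    Resident attribute header layout: type (u32), length (u32), non-resident flag (u8),
    name length (u8), name offset (u16), flags (u16), attribute id (u16),
    content length (u32), content offset (u16), indexed flag (u8), padding (u8).
    The content begins with four little-endian FILETIMEs: created, modified,
    MFT-entry modified, accessed.
    """
    if len(attr) < 24:
        raise ValueError("attribute header truncated")
    type_code, _length, non_resident = struct.unpack_from("<IIB", attr, 0)
    if type_code != STANDARD_INFORMATION:
        raise ValueError(f"not $STANDARD_INFORMATION: type {type_code:#x}")
    if non_resident:
        raise ValueError("$STANDARD_INFORMATION is always resident")
    content_len, content_off = struct.unpack_from("<IH", attr, 16)
    body = attr[content_off:content_off + content_len]
    if len(body) < 32:
        raise ValueError("attribute content truncated")
    created, modified, mft_modified, accessed = struct.unpack_from("<4Q", body, 0)
    return {
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
    }


# Constructed sample values (not from a real disk image).
FT_1970 = 116444736000000000                  # 1970-01-01T00:00:00Z as FILETIME
FT_2009 = FT_1970 + 1234567890 * 10_000_000   # 2009-02-13T23:31:30Z as FILETIME


def build_sample_attribute() -> bytes:
    """Assemble a 72-byte resident $STANDARD_INFORMATION attribute: 24-byte header
    followed by 48 bytes of content (four FILETIMEs, then zeroed flag/version fields)."""
    content = struct.pack("<4Q", FT_1970, FT_2009, FT_2009, FT_1970) + bytes(16)
    header = struct.pack(
        "<IIBBHHHIHBB",
        STANDARD_INFORMATION, 24 + len(content),  # type, total attribute length
        0, 0, 24, 0, 0,                           # resident, no name, name offset, flags, id
        len(content), 24, 0, 0,                   # content length, content offset, indexed, pad
    )
    return header + content


if __name__ == "__main__":
    for field, value in parse_standard_information(build_sample_attribute()).items():
        print(f"{field:>12}: {value.isoformat()}")
```

The timestamps come from the evidence bytes only; the only clock consulted is the one recorded by the file system, which is the property the Auditor's datetime.now() check enforces.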
Phase 3: Implementation
Code Changes:
CLAUDE.md:165-168 (v179 fix)
Phase 4: Verification
Gemini Re-Audit:
Phase 5: Scorecard Update
CLAUDE.md:165-191 (v179 full resolution)
Best Practices
1. Verify Before Claiming
Anti-Pattern: “Feature X is complete” without checking code.
Best Practice:
Consequence of Violation: Antigravity flags false claims → trust erosion.
2. Update Status Documents
Anti-Pattern: Commit code without updating .agents/STATUS.md.
Best Practice: After each version increment, update:
- STATUS.md (area scores)
- SCORECARD.md (historical row)
- MANDATES.md (mark completed items)
3. Prioritize Critical Findings
Priority Hierarchy:
- CRITICAL: Forensic integrity violations (fabricated timestamps, hash corruption)
- HIGH: Performance blockers (6GB file OOM crashes)
- MEDIUM: Feature gaps (Sigma temporal conditions)
- LOW: Code style (app.py line count, CSS consolidation)
4. Increment JS Module Versions
Problem: v181 cache-bust lesson (all v180.7 fixes invisible).
Solution:
Automation: Add pre-commit hook to auto-increment (pending).
Reference: CLAUDE.md:330-332
5. Test Real-World Datasets
Anti-Pattern: Unit tests only (synthetic data).
Best Practice: Test with actual DFIR artifacts:
- 38K EVTX events (Sysmon)
- 2GB MFT export
- 500K CSV from Plaso
- Mixed ZIP bundle (Plist + EVTX)
Issues this surfaced (v180.7):
- Hex corruption in Excel
- Row selection not persisting
- Dashboard not updating with filters
CLAUDE.md:281-299 (v180.7 stabilization)
Development Phases
| Phase | Status | Multi-Agent Involvement |
|---|---|---|
| Etapa 0 | ✅ COMPLETED | Claude: 5 bug fixes; Antigravity: Verified export integrity |
| Etapa 1 | ✅ COMPLETED | Claude: Sigma evidence enrichment; Gemini: YARA integration audit |
| Etapa 1.5 | ✅ COMPLETED | All 3 agents: 8 bugs (hex, selection, dashboard, PDF) |
| Etapa 2 | 🟡 PENDING | Claude: DuckDB integration; Gemini: Schema design review |
| Etapa 3 | 🟡 PENDING | Claude: Sidebar UI; Gemini: React/Vue feasibility study |
| Etapa 4 | 🟡 PENDING | Claude: Cross-file correlation; Gemini: Performance profiling |
| Etapa 5 | 🟡 PENDING | Claude: MCP server; Gemini: LLM integration patterns |
| Etapa 6 | 🟡 PENDING | Claude: Auto-narrative; Gemini: Natural language validation |
README.md:306-318 (Roadmap)
Related Documentation
System Architecture
Learn about engine modules and data flow
Performance Tuning
Deep dive into Polars vectorization and streaming I/O