docs: comprehensive documentation update for v2.3.6

- Enhanced README.md with detailed benchmark performance metrics
- Updated Protocol-DEV and Clients-DEV with v2.3.6 status
- Ensured all version references current at v2.3.6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: doublegate

CHANGELOG.md

@@ -44,6 +44,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - **Version**: Bumped all RedOps components and `wraith-crypto` to v2.3.6.
 - **xtask**: Added `build-runner` command to automate .NET assembly compilation.
+- **Conductor**: Full planning track (`redops_final_alignment_20260131`) with 8 tasks tracking the complete remediation workflow from Signal Double Ratchet through UI/UX polish.
 
 ---
 

README.md

@@ -195,9 +195,13 @@ WRAITH Protocol powers a comprehensive ecosystem of 12 production-ready applicat
 - BOF Loader with COFF parsing, section mapping, and relocation support
 - SOCKS4a/5 proxy for tunneling operator traffic
 - Halo's Gate SSN resolution for direct syscalls
-- MITRE ATT&CK technique coverage across 12 tactics (TA0001-TA0011, TA0040)
-- Ed25519-signed Kill Switch broadcast mechanism
+- MITRE ATT&CK technique coverage across 12 tactics (TA0001-TA0011, TA0040), including T1055.012 (Process Hollowing), T1021.002 (SMB/Admin Shares), T1090.003 (Multi-hop Proxy), T1572 (Protocol Tunneling), T1134 (Access Token Manipulation), T1140 (Deobfuscate/Decode), T1574.002 (DLL Side-Loading), T1105 (Ingress Tool Transfer)
+- Signal-style Double Ratchet (DH + Symmetric) for C2 key ratcheting with synchronization fix
+- DEFLATE compression (miniz_oxide) for efficient data exfiltration
+- Randomized nonce-based XOR obfuscation for mesh discovery packets
+- Ed25519-signed Kill Switch broadcast mechanism with graceful error propagation
 - Encryption at Rest for command payloads and results
+- Runner.dll source-build model (compiled from C# source via dotnet, integrated into implant build)
 
 ### WRAITH-RedOps Gap Analysis (v8.0.0)
 
@@ -687,7 +691,8 @@ WRAITH Protocol v2.3.6 represents 2,740+ story points across 24 development phas
 - RedOps codebase: 8,925 lines spectre-implant, 5,833 lines team-server, ~5,800 lines operator-client (21 modules, 34/34 IPC commands wired, 21 console commands, 11 spectre-implant tests)
 - Conductor project management system with code style guides for development workflow tracking
 - RedOps workspace integration: team-server and operator-client as workspace members (spectre-implant excluded for no_std compatibility)
-- Comprehensive documentation (114 files, ~62,800 lines) and testing (2,134 tests across all components)
+- v2.3.6 RedOps Advanced Tradecraft: Signal Double Ratchet C2 ratcheting, 4 new MITRE ATT&CK techniques (T1134, T1140, T1574.002, T1105), Runner source-build, operator UX polish, team server safety hardening
+- Comprehensive documentation (114 files, ~62,800 lines) and testing (2,148 tests across all components)
 - CI/CD infrastructure with multi-platform releases
 
 ### Future Development

docs/archive/README_Clients-DEV.md

@@ -239,6 +239,17 @@ For protocol development history, see [README_Protocol-DEV.md](README_Protocol-D
 - Test infrastructure: 11 spectre-implant tests passing
 - Gap analysis v8.0.0 in [GAP-ANALYSIS-v2.3.4.md](../clients/wraith-redops/GAP-ANALYSIS-v2.3.4.md)
 
+**v2.3.6 Advanced Tradecraft (2026-02-01):**
+- P1-1 resolved: Signal-style Double Ratchet (DH + Symmetric) for C2 key ratcheting with synchronization fix in `force_dh_step`
+- P1-2 resolved: PowerShell Runner transitioned to source-build model (C# compiled via dotnet, integrated into implant build via `cargo xtask build-runner`)
+- 4 new MITRE ATT&CK techniques: T1134 (Access Token Manipulation), T1140 (Deobfuscate/Decode), T1574.002 (DLL Side-Loading), T1105 (Ingress Tool Transfer)
+- Compression upgraded from RLE to DEFLATE (miniz_oxide) for efficient exfiltration
+- Mesh discovery obfuscation: randomized nonce-based XOR eliminating static signatures
+- Team Server: DeleteListener/DeleteAttackChain RPCs, graceful Kill Switch error propagation, cryptographic nonce generation
+- Operator Client: 10 new console commands, delete functionality in ListenerManager/PlaybookBrowser, Dark/Light theme toggle, bulk kill in Beacons view
+- P3-2: Dynamic Linux `.text` base address via `/proc/self/maps` for PIE compatibility
+- P3-6: BOF loader `.unwrap()` replaced with structured error handling
+
 **UI/UX Enhancement (2026-01-28):**
 - 34/34 IPC commands wired (was 19/34): added listener CRUD, implant detail/kill, campaign detail/edit, implant generator, playbook browser, attack chain list/detail, event streaming, command cancellation, token refresh
 - 17 new files: types/index.ts, lib/ipc.ts, lib/utils.ts, stores/appStore.ts, stores/toastStore.ts, ui/Toast.tsx, ui/ConfirmDialog.tsx, ui/Modal.tsx, ui/ContextMenu.tsx, ListenerManager.tsx, ImplantDetailPanel.tsx, CampaignDetail.tsx, ImplantGenerator.tsx, PlaybookBrowser.tsx, EventLog.tsx, hooks/useKeyboardShortcuts.ts
@@ -1330,6 +1341,6 @@ RedOps                                                          [=============]
 
 **WRAITH Protocol Client Applications Development History** - *From Planning to v2.3.6*
 
-**Status:** Phases 15-24 Complete (All 12 Clients) | **Total Scope:** 12 clients, 1,292 SP | **Delivered:** 1,292 SP (100%) | **Protocol:** v2.3.6 Complete | **Tests:** 2,148 total (2,123 workspace + 11 spectre-implant + 14 doc, 663+ client tests) | **Workspace:** 22 members + 3 excluded | **TDR:** ~2.5% (Grade A) | **CI/CD:** Optimized workflows with reusable setup, path filters, and cross-compilation via Cross.toml | **v2.3.5:** CI/CD stability fixes, 58 CodeQL security alerts resolved, ROE Signer tool, benchmark analysis documentation | **RedOps:** Gap analysis v8.0.0 (~97% complete, 87% MITRE ATT&CK (35/40), 0 P0 critical, 21 modules, 33 IPC wired with typed wrappers, Operator Client 3,608 lines/27 files with zustand/toast/modal/context menus) | **Conductor:** Project management system with code style guides
+**Status:** Phases 15-24 Complete (All 12 Clients) | **Total Scope:** 12 clients, 1,292 SP | **Delivered:** 1,292 SP (100%) | **Protocol:** v2.3.6 Complete | **Tests:** 2,148 total (2,123 workspace + 11 spectre-implant + 14 doc, 663+ client tests) | **Workspace:** 22 members + 3 excluded | **TDR:** ~2.5% (Grade A) | **CI/CD:** Optimized workflows with reusable setup, path filters, and cross-compilation via Cross.toml | **v2.3.6:** RedOps Advanced Tradecraft -- Signal Double Ratchet, 4 MITRE ATT&CK techniques (T1134, T1140, T1574.002, T1105), DEFLATE compression, Runner source-build, operator UX polish, team server safety | **v2.3.5:** CI/CD stability fixes, 58 CodeQL security alerts resolved, ROE Signer tool, benchmark analysis documentation | **RedOps:** Gap analysis v8.0.0 (~97% complete, 87% MITRE ATT&CK (35/40), 0 P0 critical, 21 modules, 33 IPC wired with typed wrappers, Operator Client 3,608 lines/27 files with zustand/toast/modal/context menus) | **Conductor:** Project management system with code style guides
 
-*Last Updated: 2026-01-31*
+*Last Updated: 2026-02-01*

docs/archive/README_Protocol-DEV.md

@@ -1472,6 +1472,6 @@ See [../../to-dos/ROADMAP.md](../../to-dos/ROADMAP.md) for detailed future plann
 
 **WRAITH Protocol Development History** - *From Foundation to v2.3.6 (Phases 1-24 + Infrastructure Sprints + Benchmark Optimizations + Security Hardening + RedOps Advanced Tradecraft)*
 
-**Development Period:** 2024 - 2026-01-31 | **Total Effort:** 2,740+ story points delivered across 24 phases + infrastructure sprints | **Quality:** Production-ready (98/100), 2,148 tests (2,123 workspace + 11 spectre-implant + 14 doc, 100% pass rate), 0 vulnerabilities, Grade A+ security | **Clients:** 12 applications (9 desktop + 2 mobile + 1 server) | **Workspace:** 22 members + 3 excluded (wraith-xdp, spectre-implant, roe-signer) | **TDR:** ~2.5% (Grade A - Excellent) | **CI/CD:** Optimized workflows with reusable setup, path filters, and cross-compilation via Cross.toml | **v2.3.5:** CI/CD stability fixes, 58 CodeQL security alerts resolved, ROE Signer tool, benchmark analysis documentation | **v2.3.4:** 18 performance optimizations (WebSocket mimicry 55-85% faster, DoH tunnel 70-86% faster, frame pipeline 11-30% faster, message header 53% faster), WRAITH-RedOps gap analysis v8.0.0 (~97% complete, 87% MITRE ATT&CK, Operator Client 3,608 lines/27 files with typed IPC) | **Conductor:** Project management system with code style guides
+**Development Period:** 2024 - 2026-02-01 | **Total Effort:** 2,740+ story points delivered across 24 phases + infrastructure sprints | **Quality:** Production-ready (98/100), 2,148 tests (2,123 workspace + 11 spectre-implant + 14 doc, 100% pass rate), 0 vulnerabilities, Grade A+ security | **Clients:** 12 applications (9 desktop + 2 mobile + 1 server) | **Workspace:** 22 members + 3 excluded (wraith-xdp, spectre-implant, roe-signer) | **TDR:** ~2.5% (Grade A - Excellent) | **CI/CD:** Optimized workflows with reusable setup, path filters, and cross-compilation via Cross.toml | **v2.3.6:** RedOps Advanced Tradecraft -- Signal Double Ratchet C2 ratcheting, 4 MITRE ATT&CK techniques (T1134, T1140, T1574.002, T1105), DEFLATE compression, Runner source-build, operator UX polish, team server safety | **v2.3.5:** CI/CD stability fixes, 58 CodeQL security alerts resolved, ROE Signer tool, benchmark analysis documentation | **v2.3.4:** 18 performance optimizations (WebSocket mimicry 55-85% faster, DoH tunnel 70-86% faster, frame pipeline 11-30% faster, message header 53% faster), WRAITH-RedOps gap analysis v8.0.0 (~97% complete, 87% MITRE ATT&CK, Operator Client 3,608 lines/27 files with typed IPC) | **Conductor:** Project management system with code style guides
 
-*Last Updated: 2026-01-31*
+*Last Updated: 2026-02-01*