Investigation Management

What is an investigation

An investigation is a persistent container that groups:

  • Evidence: documents, files, OSINT results ingested with SHA-256 checksums
  • Entities: people, companies, domains, IPs… extracted from evidence
  • Claims: verifiable assertions with complete traceability back to source evidence
  • Reports: 9-section documents generated at the end

Everything persists in SQLite + ChromaDB and survives between sessions.

Directory structure

investigations/<slug>/
├── evidencias/ # Original files (with SHA-256 hash in filename)
├── hallazgos/ # Intermediate outputs (OSINT results in JSON)
├── informes/ # Generated reports (Markdown)
└── metadata.json # Investigation metadata

Lifecycle

1. Create the investigation

Terminal window
# From the interactive CLI
osint-agent investigation create "Acme Corp Case" --goal "Due diligence"
# Or with the Claude Code skill
/investigation-init "Acme Corp Case" --goal "Due diligence"

Creates the directory structure, registers the investigation in SQLite, and initializes the ChromaDB collection.

2. Ingest evidence

Terminal window
/evidence-ingest corporate-report.pdf
/evidence-ingest contract-2024.docx
/evidence-ingest https://example.com/press-release

The complete pipeline:

File/URL
↓ SHA-256 hash (dedup: if exists, skip)
↓ Text extraction (PDF/TXT/HTML/MD)
↓ Chunking (overlapping fragments)
↓ Embeddings (multilingual sentence-transformers)
↓ Storage in ChromaDB
↓ Registration in SQLite with metadata

3. Investigate IOCs (and save as evidence)

Terminal window
/osint-investigate "acme-corp.com"
/osint-investigate "185.220.101.34"

The OSINT agent result is automatically saved as evidence in the active investigation.

4. Extract entities

Terminal window
/entity-extract

Extracts and normalizes entities from all ingested evidence according to the FTM (Follow the Money) ontology:

  • People (with name normalization)
  • Companies (with business registry normalization)
  • Domains, IPs, emails, phones, bank accounts (IBAN)
  • Events, locations, documents

5. Register and verify claims

Terminal window
/claim-track "Acme Corp is registered in Madrid according to corporate report"
/verify-claims

Each claim is stored with:

  • evidence_id: the supporting evidence
  • chunk_id: the specific fragment
  • snippet: the exact text where it was extracted from
  • status: VERIFIED / DISPUTED / UNVERIFIED
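The ingestion pipeline from step 2 and the claim record from step 5, as one added example that is not the osint-agent project's own code. It keeps evidence, chunks and claims in an in-memory SQLite database so that the traceability chain (claim, snippet, chunk_id, evidence_id = SHA-256 of the original bytes) can be exercised offline; the embedding and ChromaDB steps are left out and chunk text is stored in SQLite instead. Table names, column names, chunk sizes and the sample document are assumptions.

```python
# Added example (not the osint-agent project's code): SHA-256 dedup,
# overlapping chunking and SQLite registration of evidence, plus claims
# that must point at a chunk in which their snippet really occurs.
# Schema and helper names are assumptions; embeddings/ChromaDB are omitted.
import hashlib
import sqlite3
from typing import List, Optional

SCHEMA = """
CREATE TABLE IF NOT EXISTS evidence (
    evidence_id TEXT PRIMARY KEY,   -- SHA-256 of the original bytes
    source      TEXT NOT NULL,
    size        INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS chunks (
    chunk_id    TEXT PRIMARY KEY,   -- <evidence_id>:<position>
    evidence_id TEXT NOT NULL REFERENCES evidence(evidence_id),
    position    INTEGER NOT NULL,
    text        TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS claims (
    claim_id    INTEGER PRIMARY KEY,
    statement   TEXT NOT NULL,
    evidence_id TEXT NOT NULL REFERENCES evidence(evidence_id),
    chunk_id    TEXT NOT NULL REFERENCES chunks(chunk_id),
    snippet     TEXT NOT NULL,
    status      TEXT NOT NULL CHECK (status IN ('VERIFIED', 'DISPUTED', 'UNVERIFIED'))
);
"""


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # a claim cannot reference missing evidence
    conn.executescript(SCHEMA)
    return conn


def chunk_text(text: str, size: int = 200, overlap: int = 50) -> List[str]:
    """Overlapping windows: a sentence cut by one window boundary still
    appears whole in the next window."""
    if overlap >= size:
        raise ValueError("overlap must be smaller than chunk size")
    chunks, i = [], 0
    while True:
        chunks.append(text[i:i + size])
        if i + size >= len(text):
            return chunks
        i += size - overlap


def ingest(conn: sqlite3.Connection, source: str, data: bytes) -> Optional[str]:
    """Hash, dedup, chunk and register evidence. Returns the evidence_id, or
    None when the same bytes were already ingested."""
    evidence_id = hashlib.sha256(data).hexdigest()
    if conn.execute("SELECT 1 FROM evidence WHERE evidence_id = ?", (evidence_id,)).fetchone():
        return None  # dedup hit: identical content, whatever the filename
    text = data.decode("utf-8", errors="replace")  # stands in for PDF/HTML extraction
    with conn:
        conn.execute("INSERT INTO evidence VALUES (?, ?, ?)", (evidence_id, source, len(data)))
        conn.executemany(
            "INSERT INTO chunks VALUES (?, ?, ?, ?)",
            [(f"{evidence_id}:{i}", evidence_id, i, c) for i, c in enumerate(chunk_text(text))],
        )
    return evidence_id


def track_claim(conn: sqlite3.Connection, statement: str, snippet: str) -> int:
    """Register a claim only if its snippet is found verbatim in a stored
    chunk; the claim then carries that chunk_id and its evidence_id."""
    row = conn.execute(
        "SELECT chunk_id, evidence_id FROM chunks WHERE instr(text, ?) > 0 ORDER BY position LIMIT 1",
        (snippet,),
    ).fetchone()
    if row is None:
        raise ValueError("snippet not found in any ingested evidence; claim is untraceable")
    chunk_id, evidence_id = row
    with conn:
        cur = conn.execute(
            "INSERT INTO claims (statement, evidence_id, chunk_id, snippet, status) "
            "VALUES (?, ?, ?, ?, 'UNVERIFIED')",
            (statement, evidence_id, chunk_id, snippet),
        )
    return cur.lastrowid


def verify_claim(conn: sqlite3.Connection, claim_id: int, original_bytes: bytes) -> str:
    """Re-check the chain: the snippet must still be in the referenced chunk
    of the referenced evidence, and the original file must still hash to
    evidence_id. Stores and returns VERIFIED or DISPUTED."""
    claim = conn.execute(
        "SELECT snippet, chunk_id, evidence_id FROM claims WHERE claim_id = ?", (claim_id,)
    ).fetchone()
    if claim is None:
        raise ValueError(f"unknown claim_id {claim_id}")
    snippet, chunk_id, evidence_id = claim
    chunk = conn.execute(
        "SELECT text FROM chunks WHERE chunk_id = ? AND evidence_id = ?", (chunk_id, evidence_id)
    ).fetchone()
    intact = hashlib.sha256(original_bytes).hexdigest() == evidence_id
    status = "VERIFIED" if chunk and snippet in chunk[0] and intact else "DISPUTED"
    with conn:
        conn.execute("UPDATE claims SET status = ? WHERE claim_id = ?", (status, claim_id))
    return status


if __name__ == "__main__":
    store = open_store()
    report = b"Acme Corp is registered in Madrid. " * 20  # constructed sample document
    ingest(store, "corporate-report.pdf", report)
    print(ingest(store, "corporate-report-copy.pdf", report))  # None: dedup hit
    cid = track_claim(store, "Acme Corp is registered in Madrid", "registered in Madrid")
    print(verify_claim(store, cid, report))                 # VERIFIED
    print(verify_claim(store, cid, report + b"tampered"))   # DISPUTED
```

Two checks carry the traceability guarantee: track_claim refuses a claim whose snippet does not occur in any chunk, so a claim can never be registered without a real anchor, and verify_claim recomputes the SHA-256 of the original file against evidence_id, so an evidence file edited after ingestion flips its dependent claims to DISPUTED rather than leaving them VERIFIED.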

6. Query memory

Terminal window
/memory-query "contracts with Chinese suppliers"

Searches ChromaDB using embeddings — finds relevant information even when exact words don’t match.

7. Generate report

Terminal window
/report-generate

Generates a 9-section report in investigations/<slug>/informes/:

  1. Executive summary
  2. Objective and scope
  3. Methodology
  4. Verified findings
  5. Identified entities
  6. Evidence
  7. Risk analysis
  8. Limitations and warnings
  9. Recommended next steps

Active investigation

Only one investigation can be “active” at a time. It’s saved in data/.active:

Terminal window
osint-agent investigation use acme-case
# → writes "acme-case" to data/.active

Claude Code skills read data/.active automatically.
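Because the slug stored in data/.active is later used to build investigations/<slug>/, anything that reads it should validate it before touching the filesystem. The helper below is an added example, not the project's code: it accepts only plain lower-case slugs and confirms that the resolved directory stays directly under the investigations root. The function names and the slug pattern are assumptions; the paths are the ones the page documents.

```python
# Added example (not the osint-agent project's code): read data/.active and
# resolve the investigation directory only for a well-formed slug.
# Helper names and SLUG_RE are assumptions; paths follow the documentation.
import re
from pathlib import Path
from typing import Optional

SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def investigation_dir(slug: str, root: Path = Path("investigations")) -> Path:
    """Return investigations/<slug>, raising ValueError if the slug is not a
    plain slug or the resolved path would not sit directly under root."""
    if not SLUG_RE.fullmatch(slug):
        raise ValueError(f"invalid investigation slug: {slug!r}")
    root = root.resolve()
    target = (root / slug).resolve()
    if target.parent != root:  # defence in depth behind the regex
        raise ValueError("slug resolved outside the investigations root")
    return target


def active_investigation(data_dir: Path = Path("data")) -> Optional[str]:
    """Read data/.active; None when no investigation is active.
    The slug is validated before any caller builds a path from it."""
    marker = data_dir / ".active"
    if not marker.exists():
        return None
    slug = marker.read_text(encoding="utf-8").strip()
    investigation_dir(slug)
    return slug


if __name__ == "__main__":
    print(investigation_dir("acme-case"))
    print(active_investigation())
```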

Managing multiple investigations

Terminal window
osint-agent investigation list # List all investigations
osint-agent investigation use <slug> # Activate an investigation
osint-agent status # Status of active investigation
osint-agent limits # Monthly operation quotas

Variable                     Default  Description
ACTIVE_INVESTIGATIONS_LIMIT  5        Max simultaneous active investigations
MONTHLY_OPERATIONS_LIMIT     100      Monthly operations quota