Pre-baked facts the dialectic engine has saved. These survive context compaction and feed into peer representations.
claude uses pytest as test runner
claude is working on a NinjaTrader 8 reverse engineering project
claude's project has two data paths: CQG/Tradovate (live + historical bars via WebSocket JSON text frames) and NinjaTrader HDS (encrypted .ncd files + unencrypted .nrd replay files via raw TCP+SSL)
NinjaTrader's obfuscation uses Agile.NET (CliSecure)
Agile.NET obfuscation affects all strings, crypto calls, and control flow in NinjaTrader.Core.dll
Static decompilation of NinjaTrader.Core.dll yields empty method bodies due to obfuscation
The .nrd file format has 12×80-byte headers + delta-compressed tick stream
.nrd header layout has been fully confirmed
.nrd tick compression is partially understood using infoByte-driven variable-length records averaging ~5 bytes/event
.ncd encryption cipher is unknown (likely AES via BouncyCastle)
.ncd encryption key source is unknown and blocked by obfuscation
claude's main scripting language is Python 3.12
claude uses Frida 17.x for dynamic instrumentation on Windows VM
claude uses C# / .NET 8 for decompiler tool and string decryptor
The target runtime for NT8 DLLs is .NET Framework 4.8
claude's project has separate virtualenvs for Python (venv/) and Frida (venv-frida/)
claude's project directory includes scripts/ with cqg_client.py, tv_client.py, pipeline.py, parse_nrd.py, and other Python tooling
claude's project includes a ReplayLogger.cs NinjaScript indicator that logs replay events to CSV
claude's frida/ directory contains scripts for SSPI TLS interception, .NET HttpClient auth request capture, and HDS WebSocket binary traffic capture
claude's proto/ directory contains cqg.proto (700 lines, extracted from DLLs) and compiled Python protobuf module
claude's tools/ directory includes a decompiler using ICSharpCode and a string decryptor for Agile.NET
claude's decompiled/ directory contains readable source for NinjaTrader.Core/ (4.8 MB), NinjaTrader.Gui/ (6.7 MB), NinjaTrader.Client/ (23 KB), and NinjaTrader.CQG/ (131 KB)
claude's replay/ directory contains sample .nrd market replay files for ES 06-26 and NQ 06-26 (E-mini S&P 500 and E-mini Nasdaq futures)
NinjaTrader HDS servers are located at hds-us-nt-{004,008,016}.ninjatrader.com
Tradovate JSON WebSocket uses endpoints: wss://{live|demo}.tradovateapi.com/v1/websocket and wss://md-{live|demo}.tradovateapi.com/v1/websocket
The .nrd file headers are 12 × 80-byte MarketReplayHeader structs at offset 0
.nrd MarketReplayHeader fields include: close, count, high, low, open, splitFactor, tickSize, version, timeFirst, timeLast, volume
.nrd headers H0=Last trades, H1=Bid, H2=Ask, H3-H4=Settlement, H5+=Volume/session markers
.nrd padding is 2560 zero bytes after headers
.nrd tick data starts at offset 3520+
.nrd infoByte bits 0-1 determine time delta encoding
Decompression methods for .nrd files are in the BarsBytes class (obfuscated)
claude needs ground-truth CSV from ReplayLogger.cs running in NT8 to correlate tick decompression
claude needs a dnSpy breakpoint on Decrypt method or Agile.NET string decryptor to find .ncd crypto keys
The Agile.NET string decryptor needs AgileDotNetRT64.dll in the same directory as target DLLs on Windows
claude's docs/FINDINGS.md contains the most detailed technical findings
cqg_config.json contains live Tradovate credentials and is gitignored
.device_id file contains machine identifier and is gitignored
The dll/ directory contains binary DLLs (not text-readable) and is gitignored
hds_captures/ contains raw TLS record captures from HDS and is gitignored
claude's CQG WebSocket client uses protobuf with websocket-client and requests libraries
Frida requires a Windows VM with frida-server running
claude uses combined capture orchestrator (capture_all.py) in frida/
The project has il_crypto.py for IL-level crypto analysis which is blocked by obfuscation
claude uses xml_grep.py for XML doc mining
claude uses discover_endpoints.py for brute-force CQG endpoint discovery
claude's Tradovate auth uses POST https://{live|demo}.tradovateapi.com/v1/auth/accesstokenrequest
Tradovate JSON WebSocket frame format is: endpoint\nrequest_id\n\nbody (text frames)