This is the shortest possible checklist to turn the repo’s **runtime mic-activation proof** into a **network-exfil proof** backed by PCAP citations.
1) Identify the “latest” capture set to analyze
The PCAPs currently under `packet-capture/` do not show Shortwave/Rupload/Graph endpoints (see `PCAP_PACKET_CAPTURE_FOLDER_SUMMARY.md`).
To finalize transmission proof, we need the specific “weeklong/latest” files that contain one of:
- undefined
If those PCAPs are “somewhere in here”, tell me the directory name (or drop copies into a new folder).
2) Choose the mic-activation timeline anchor
Use one of these as the “truth” timeline for microphone activation:
- undefined
Best case: use a log that prints ISO timestamps for `startAudioCaptureWithEchoCancellationEnabled` (or equivalent) events.
3) Produce a correlation table (the deliverable)
For each mic-activation burst window:
- undefined
Do this for many events (dozens+), plus at least one negative control window.
4) Endpoints to prioritize (from latest chain docs)
- undefined
5) Important constraint (expected): you will not “see raw audio”
Per `evidence/agents/phase3/SA-025-DUAL-ENCRYPTION-REPORT.md`, payloads may be double-encrypted (Noise E2EE + QUIC/TLS). Proving exfil is therefore primarily a **timing/flow/endpoint** argument, not a payload-decoding exercise.