From 36903994c177a0b983e6b7675ce514fff079c799 Mon Sep 17 00:00:00 2001 From: mblanke Date: Wed, 24 Dec 2025 13:26:07 -0500 Subject: [PATCH] Expand architecture document with AI agent details Added sections on Analyst Assistance via AI Agents, Agent Execution Model, and Agent Boundaries. --- ARCHITECTURE.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index 6e4005a..7a5b934 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -61,3 +61,40 @@ It is conceptual by design and avoids implementation detail. - Clear ownership - Shared analyst experience - Independent evolution of capabilities + + + +--- + +## Analyst Assistance via AI Agents + +Both GooseStrike and ThreatHunt include analyst-assist agents. + +Agents exist to: +- Guide analysts through workflows +- Explain data, findings, and options +- Suggest next investigative or operational steps +- Reduce cognitive load without replacing judgment + +Agents do NOT act autonomously or bypass controls. + +--- + +## Agent Execution Model + +Agents may use one or more of the following LLM backends: + +- Local models (on-device or on-prem) +- Networked models (shared internal inference services) +- Online models (external hosted APIs) + +The choice of backend is configurable and context-dependent. + +--- + +## Agent Boundaries + +- Agents provide guidance, not authority +- Agents do not execute actions directly +- Agents do not modify data without approval +- All agent output is advisory and attributable
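Review bot: In the "Agent Execution Model" section, the "Online models (external hosted APIs)" bullet sits next to "The choice of backend is configurable and context-dependent" with no statement of which analyst data may be sent to an external backend or who may change that setting. Suggest adding a sentence that ties backend choice to data sensitivity and names who owns the configuration. In "Agent Boundaries", "Agents do not execute actions directly" and "Agents do not modify data without approval" read inconsistently, since the second implies an agent can modify data once approved; state who approves and whether the agent or the analyst performs the change. "attributable" in the last bullet should say what output is attributed to (agent, backend, model). The three blank added lines before the first "---" look unintentional and can be dropped.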