From ee9b59d450ae2ca0905c6c91fd577d4ff9e7d517 Mon Sep 17 00:00:00 2001 From: mblanke Date: Wed, 24 Dec 2025 13:17:42 -0500 Subject: [PATCH] Create ARCHITECTURE.md --- ARCHITECTURE.md | 63 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 ARCHITECTURE.md diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md new file mode 100644 index 0000000..6e4005a --- /dev/null +++ b/ARCHITECTURE.md 
@@ -0,0 +1,63 @@ +# Platform Architecture (Conceptual) + +This document describes how GooseStrike, ThreatHunt, and goose-core relate at a high level. +It is conceptual by design and avoids implementation detail. + +--- + +## High-Level Components + +### goose-core (Shared) +- Defines shared terminology, contracts, and UX patterns +- Owns meaning, not behavior +- Changes infrequently + +### ThreatHunt (Analysis Engine) +- Ingests exported data (CSV artifacts) +- Normalizes and enriches data +- Produces analytical Findings +- Never executes actions + +### GooseStrike (Orchestration Engine) +- Accepts analyst intent +- Plans and coordinates actions +- Executes tools and workflows +- Consumes Findings as input + +--- + +## Data Flow (Primary) + +1. Data is collected externally (e.g., Velociraptor) +2. Data is exported and uploaded into ThreatHunt +3. ThreatHunt analyzes data and produces Findings +4. Findings conform to shared contracts (goose-core) +5. Findings may be consumed by GooseStrike +6. GooseStrike plans and executes actions +7. Execution produces additional Findings + +--- + +## Control Flow (Primary) + +- ThreatHunt is analyst-driven and exploratory +- GooseStrike is intent-driven and controlled +- goose-core enforces shared meaning across both + +--- + +## Key Boundaries + +- No direct database sharing between applications +- No direct execution from ThreatHunt +- No analysis logic inside GooseStrike +- Shared concepts are defined once in goose-core + +--- + +## Design Intent + +- Loose coupling +- Clear ownership +- Shared analyst experience +- Independent evolution of capabilities
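Review bot: In "Data Flow (Primary)" steps 5-7 and in "Key Boundaries", the document never says whether a Finding on its own can cause GooseStrike to execute anything. That matters here because Findings are derived from uploaded CSV artifacts (step 2) and GooseStrike "Executes tools and workflows". Suggest adding a boundary line along the lines of "Findings are input data only; execution requires explicit analyst intent", and stating which side validates a Finding against the goose-core contract before it is consumed. Step 7 ("Execution produces additional Findings") should also say where those Findings go: the component list has ThreatHunt producing Findings and GooseStrike consuming them, so a loop from step 7 back into step 5 is left open. Minor: "goose-core enforces shared meaning across both" under "Control Flow" sits awkwardly with "Owns meaning, not behavior" in the component list; "defines" would match the component description.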