mblanke/Goose-Core
1
0
Fork 0
mirror of https://github.com/mblanke/Goose-Core.git synced 2026-03-01 06:10:20 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
36903994c177a0b983e6b7675ce514fff079c799
Goose-Core/ARCHITECTURE.md
mblanke 36903994c1 Expand architecture document with AI agent details 
Added sections on Analyst Assistance via AI Agents, Agent Execution Model, and Agent Boundaries.
2025-12-24 13:26:07 -05:00

2.3 KiB
Raw Blame History

Platform Architecture (Conceptual)

This document describes how GooseStrike, ThreatHunt, and goose-core relate at a high level. It is conceptual by design and avoids implementation detail.

High-Level Components

goose-core (Shared)

  • Defines shared terminology, contracts, and UX patterns
  • Owns meaning, not behavior
  • Changes infrequently

ThreatHunt (Analysis Engine)

  • Ingests exported data (CSV artifacts)
  • Normalizes and enriches data
  • Produces analytical Findings
  • Never executes actions

GooseStrike (Orchestration Engine)

  • Accepts analyst intent
  • Plans and coordinates actions
  • Executes tools and workflows
  • Consumes Findings as input

Data Flow (Primary)

  1. Data is collected externally (e.g., Velociraptor)
  2. Data is exported and uploaded into ThreatHunt
  3. ThreatHunt analyzes data and produces Findings
  4. Findings conform to shared contracts (goose-core)
  5. Findings may be consumed by GooseStrike
  6. GooseStrike plans and executes actions
  7. Execution produces additional Findings

Control Flow (Primary)

  • ThreatHunt is analyst-driven and exploratory
  • GooseStrike is intent-driven and controlled
  • goose-core enforces shared meaning across both

Key Boundaries

  • No direct database sharing between applications
  • No direct execution from ThreatHunt
  • No analysis logic inside GooseStrike
  • Shared concepts are defined once in goose-core

Design Intent

  • Loose coupling
  • Clear ownership
  • Shared analyst experience
  • Independent evolution of capabilities

Analyst Assistance via AI Agents

Both GooseStrike and ThreatHunt include analyst-assist agents.

Agents exist to:

  • Guide analysts through workflows
  • Explain data, findings, and options
  • Suggest next investigative or operational steps
  • Reduce cognitive load without replacing judgment

Agents do NOT act autonomously or bypass controls.

Agent Execution Model

Agents may use one or more of the following LLM backends:

  • Local models (on-device or on-prem)
  • Networked models (shared internal inference services)
  • Online models (external hosted APIs)

The choice of backend is configurable and context-dependent.

Agent Boundaries

  • Agents provide guidance, not authority
  • Agents do not execute actions directly
  • Agents do not modify data without approval
  • All agent output is advisory and attributable
Reference in New Issue View Git Blame Copy Permalink