mblanke/Goose-Core
1
0
Fork 0
mirror of https://github.com/mblanke/Goose-Core.git synced 2026-03-01 14:10:22 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
f7e08d9ffb164c77d820c3991d18c33c74199006
Goose-Core/ARCHITECTURE.md
mblanke ee9b59d450 Create ARCHITECTURE.md
2025-12-24 13:17:42 -05:00

1.5 KiB
Raw Blame History

Platform Architecture (Conceptual)

This document describes how GooseStrike, ThreatHunt, and goose-core relate at a high level. It is conceptual by design and avoids implementation detail.

High-Level Components

goose-core (Shared)

  • Defines shared terminology, contracts, and UX patterns
  • Owns meaning, not behavior
  • Changes infrequently

ThreatHunt (Analysis Engine)

  • Ingests exported data (CSV artifacts)
  • Normalizes and enriches data
  • Produces analytical Findings
  • Never executes actions

GooseStrike (Orchestration Engine)

  • Accepts analyst intent
  • Plans and coordinates actions
  • Executes tools and workflows
  • Consumes Findings as input

Data Flow (Primary)

  1. Data is collected externally (e.g., Velociraptor)
  2. Data is exported and uploaded into ThreatHunt
  3. ThreatHunt analyzes data and produces Findings
  4. Findings conform to shared contracts (goose-core)
  5. Findings may be consumed by GooseStrike
  6. GooseStrike plans and executes actions
  7. Execution produces additional Findings

Control Flow (Primary)

  • ThreatHunt is analyst-driven and exploratory
  • GooseStrike is intent-driven and controlled
  • goose-core enforces shared meaning across both

Key Boundaries

  • No direct database sharing between applications
  • No direct execution from ThreatHunt
  • No analysis logic inside GooseStrike
  • Shared concepts are defined once in goose-core

Design Intent

  • Loose coupling
  • Clear ownership
  • Shared analyst experience
  • Independent evolution of capabilities
Reference in New Issue View Git Blame Copy Permalink