Technical FAQ
Architecture and performance
Why LangGraph for the ReAct agent?
LangGraph lets you define the reasoning → action → observation cycle as a state graph, which facilitates flow control, mid-flight error handling, and extending the agent with new nodes.
How long does a complete investigation take?
With qwen3:14b and a decent internet connection:
- Single query (1 IOC, ~6 tools): 30-90 seconds
- Complete investigation with pivot (1 IOC + 2-3 related): 2-5 minutes
- Batch of 10 IOCs: 5-15 minutes (with 2s delay between each)
Why SQLite and not PostgreSQL?
Deliberate design choice: SQLite requires no server, works in any environment, is sufficient for typical OSINT investigation volume, and keeps the data in a single file that is easy to back up or migrate.
How many investigations can SQLite handle?
In testing, SQLite with WAL mode handles tens of thousands of evidence items and millions of chunks without problems. For individual or small team use, it will never be the bottleneck.
How does auto-pivot work?
When a tool returns a result containing related IOCs (for example, VirusTotal returns domains associated with an IP), pivot_investigate extracts them. The agent evaluates whether any of those IOCs are interesting enough to investigate, and if so, adds them to the queue. The MAX_PIVOTS parameter limits depth to avoid combinatorial explosion.
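The bounded pivot loop described above, as an added example rather than the project's own code. It assumes MAX_PIVOTS is a maximum depth counted from the seed IOC; `investigate`, `extract_iocs`, `sample_lookup` and the `is_interesting` callback (standing in for the agent's judgement) are hypothetical names, and the tool results are constructed.

```python
import re
from collections import deque

MAX_PIVOTS = 2  # assumption: maximum pivot depth counted from the seed IOC

# Constructed tool results (documentation IP ranges, example domains).
# mail.example.net points back at the seed, forming a cycle.
SAMPLE_RESULTS = {
    "198.51.100.7": "resolutions: mail.example.net, cdn.example.org",
    "mail.example.net": "A record 198.51.100.7; sibling host 203.0.113.9",
    "cdn.example.org": "no related infrastructure",
    "203.0.113.9": "hosts deep.example.com",
    "deep.example.com": "hosts deeper.example.com",
}

IOC_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I
)


def sample_lookup(ioc):
    """Hypothetical stand-in for a tool call; returns raw result text."""
    return SAMPLE_RESULTS.get(ioc, "")


def extract_iocs(text):
    """Pull IPv4 addresses and domain names out of a tool result."""
    return [m.lower() for m in IOC_RE.findall(text)]


def investigate(seed, lookup, max_pivots=MAX_PIVOTS, is_interesting=lambda i: True):
    """Breadth-first pivot. Returns {ioc: depth} for every IOC queried."""
    depths = {seed: 0}
    queue = deque([seed])
    while queue:
        ioc = queue.popleft()
        result = lookup(ioc)  # one tool call per queued IOC
        if depths[ioc] == max_pivots:
            continue  # at the limit: keep the result, pivot no further
        for related in extract_iocs(result):
            if related in depths or not is_interesting(related):
                continue  # already queued (breaks cycles) or not worth it
            depths[related] = depths[ioc] + 1
            queue.append(related)
    return depths


if __name__ == "__main__":
    for ioc, depth in investigate("198.51.100.7", sample_lookup).items():
        print(depth, ioc)
```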
Can ChromaDB do cross-investigation search?
Yes. The cross_search function in src/vector/store.py allows searching across multiple investigation collections simultaneously.
Does the embeddings model support Spanish?
Yes. paraphrase-multilingual-MiniLM-L12-v2 is multilingual with native support for Spanish, English, French, German and 50+ other languages. Semantic searches work equally well with Spanish text.
Security and privacy
Are VirusTotal queries public?
On the free tier, VirusTotal may use your queries to improve their models. Review their terms of service. On paid tiers there are privacy options. For very sensitive IOCs, use Ollama + free tools.
Can I run the MCP Server without authentication on a public network?
Not recommended. The MCP Server in HTTP mode includes no authentication by default. If you need to expose it, put it behind a proxy with authentication (nginx + basic auth, or a VPN).
Are API keys safe in .env?
The .env file is in .gitignore. If you use Claude Code or other agents, verify they don’t index it. For production, use system environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager, etc.).
Development and extension
How do I add a new OSINT tool?
- Create src/tools/my_tool.py with an async function decorated with @cached
- Register it in src/agent/__init__.py
- Add the endpoint in src/mcp_server/server.py
- Write tests in tests/tools/test_my_tool.py using respx.mock
- Document the key in .env.example
See Development → Contributing for the complete tutorial.
Can I use a different LLM model than the supported ones?
With the LangChain adapter you can use any compatible model. Edit src/agent/__init__.py and change the LLM initializer. The requirement is that the model supports function/tool calling.
Do tests need real API keys?
No. All tool tests use respx.mock to simulate HTTP responses. You can run the entire test suite without any API keys configured.
How do I contribute a documentation translation?
The web documentation (this site) is in osint-ai-one-web. You can translate any page by creating the equivalent file in src/content/docs/<language>/.
Models and LLM
Why Qwen3 and not LLaMA?
Qwen3 has excellent tool calling support in Ollama and native multilingual support. LLaMA 3 also works, but tool calling is less reliable in current Ollama versions for that model.
Can I use quantized models?
Yes. Ollama supports quantized models (Q4, Q8). Qwen3 models are available in several quantizations. Q4 quantization reduces RAM usage by half with a small quality loss.
Can the agent use tools in parallel?
The ReAct agent is sequential by design (it reasons about each result before making the next call). For real parallelism, use a direct Python import with asyncio.gather. A parallel tool execution mode could be added in future releases.