diff --git a/README.md b/README.md
index dd17342..723ba44 100644
--- a/README.md
+++ b/README.md
@@ -17,12 +17,6 @@
---
-
-
-
-
----
-
## What is CVE Lite CLI
**CVE Lite CLI** helps developers scan their projects for known package vulnerabilities without signing up for an expensive platform. It is built for the moment right before release, when you want a clear answer, a practical fix plan, and a tool you can actually afford to use.
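Review bot: The deletions at the top of the README (the blank lines and the second `---` rule) are unrelated to the "How it works" rewrite later in this patch. Consider putting this whitespace cleanup in its own commit, or calling it out in the commit message, so the documentation change can be reviewed and reverted on its own.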
@@ -162,16 +156,19 @@ This section is here to make the scope clear. CVE Lite CLI aims to complement th
## How it works
-CVE Lite CLI follows a simple workflow:
+### Architectural Philosophy
+CVE Lite CLI is designed as a **local-first, metadata-only** scanner. Unlike traditional SaaS security platforms that require code uploads or heavy agent installations, this tool operates directly within the developer's environment. It focuses on the "moment of release"—providing a high-speed, low-noise assessment of the dependency tree by analyzing resolved versions in project lockfiles.
-1. Read a supported lockfile from your project.
-2. Resolve package names and versions locally.
-3. Match those packages against OSV advisory data.
-4. Classify findings as direct or transitive where possible.
-5. Highlight the most important fixes first.
-6. Produce terminal, JSON, or SARIF output.
+
+
+
-The goal is to keep vulnerability scanning practical, understandable, and easy to act on.
+### Workflow Specifications
+* **Trust Boundary & Privacy:** The scan is non-intrusive. Only package names and exact versions are extracted. No source code, environment variables, or proprietary logic is ever transmitted to the external OSV (Open Source Vulnerability) API.
+* **Lockfile-Driven Accuracy:** By parsing `package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`, the tool avoids the "it works on my machine" discrepancy. It scans the *exact* dependency tree that will be deployed.
+* **Intelligent Triage:** The Analysis engine utilizes the lockfile's graph structure to distinguish between dependencies you manage directly and those brought in by third-party packages (transitive). This allows for a "Fix the Root" strategy rather than chasing individual nested vulnerabilities.
+* **Performance Optimization:** A local TTL (Time-To-Live) cache stores advisory results. This ensures that subsequent scans—common in iterative development or CI/CD retry loops—are near-instant and respect external API rate limits.
+* **Standards-Based Output:** Results are available in **SARIF (Static Analysis Results Interchange Format)**, ensuring compatibility with modern DevSecOps dashboards and IDE integrations.
## What makes it stand out
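Review bot: The "Trust Boundary & Privacy" bullet says no proprietary information "is ever transmitted" to the OSV API, but the same bullet states that package names and exact versions are extracted for the lookup, and for a project with private or internally named packages that list is itself sensitive metadata. Suggest replacing the absolute wording with a plain statement of what leaves the machine (the name and version of each lockfile entry) and documenting whether private packages can be kept out of the query. Three smaller points in the same list: the "Performance Optimization" bullet should give the cache TTL and say how to bypass it, since a cached result can miss an advisory published after it was stored, which matters for a scan run right before release; the "Lockfile-Driven Accuracy" claim of scanning the "*exact* dependency tree that will be deployed" only holds when the deployment installs from that lockfile, so qualify it; and the removed numbered list told readers the order of the steps and that terminal and JSON output exist, while the new bullets mention only SARIF, so keep a line listing all three output formats.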
diff --git a/assets/diagram.png b/assets/diagram.png
index b230096..dd77833 100644
Binary files a/assets/diagram.png and b/assets/diagram.png differ