diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index 0d949d2..5bc51e4 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -27,13 +27,14 @@ parties that delegate authentication decisions to it. │ │ SQLite Database │ │ │ └────────────────────┘ │ └────────────────────────────────────────────────────┘ - ▲ ▲ - │ HTTPS/REST │ HTTPS/REST - │ │ - ┌──────┴──────┐ ┌───────┴──────┐ - │ Personal │ │ mciasctl │ - │ Apps │ │ (admin CLI) │ - └─────────────┘ └──────────────┘ + ▲ ▲ ▲ + │ HTTPS/REST │ HTTPS/REST │ direct file I/O + │ │ │ + ┌──────┴──────┐ ┌────┴─────┐ ┌──────┴──────┐ + │ Personal │ │ mciasctl │ │ mciasdb │ + │ Apps │ │ (admin │ │ (DB tool) │ + └─────────────┘ │ CLI) │ └─────────────┘ + └──────────┘ ``` **mciassrv** — The authentication server. Exposes a REST API over HTTPS/TLS. @@ -44,6 +45,12 @@ revocation. using an admin JWT. Creates/manages human accounts, system accounts, roles, and Postgres credential records. +**mciasdb** — The database maintenance tool. Operates directly on the SQLite +file, bypassing the server API. Intended for break-glass recovery, offline +inspection, schema verification, and maintenance tasks that cannot be +performed through the live server. Requires the same master key material as +mciassrv (passphrase or keyfile) to decrypt secrets at rest. + --- ## 2. Security Model
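Review bot: The new "direct file I/O" arrow in the first hunk introduces a path into the SQLite database that bypasses mciassrv entirely, but the diagram gives no hint of what controls that path; since section 2 is titled "Security Model", please add a sentence there (or next to the diagram) stating who is expected to run mciasdb and what protects the database file and key material on the host, e.g. "mciasdb is restricted by filesystem permissions on the SQLite file and on the passphrase/keyfile; it is not reachable over the network." Without that, a reader comparing the two HTTPS/REST arrows with the file I/O arrow cannot tell which guarantees still hold for the third client.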
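Review bot: The **mciasdb** paragraph in the second hunk says the tool "bypass[es] the server API" and needs "the same master key material as mciassrv", but it does not say whether it may be run while mciassrv has the SQLite file open, or whether its changes appear in the server's audit/revocation path; both matter for a break-glass tool. Suggest adding two sentences after "performed through the live server.", along the lines of "Stop mciassrv before running write operations; concurrent access to the SQLite file is not supported." and "Changes made with mciasdb are not recorded by the server's audit log; record them out of band." (adjust to the actual behaviour).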