Documentation

SORK Cloud — System Architecture

A full-stack security pipeline that scans, patches, and verifies vulnerabilities in your codebase — from a single CLI command to a verified, deploy-ready fix.

Overview

SORK Cloud is a multi-agent AI security system. One sork scan command triggers a four-stage pipeline: content safety screening → triage → patch generation → verification. The entire flow runs against your codebase in under 10 seconds for most files.

SORK has three surfaces:

→sork-cli — npm global package. Runs in your terminal, CI, or VS Code tasks.
→sork-client — Next.js web dashboard at sorkcloud.space. Browse scans, apply fixes, manage keys, view reports.
→sork-back — Hono TypeScript API on Render. Handles all pipeline logic, DB, BYOK, and analytics.

System Architecture

sork-cli
npm · your terminal
sork-client
Next.js · Vercel
VS Code Send
sork send ./file.ts
↓
sork-back — Hono API · Render
Safety Gate
→
Triage Agent
→
Fix Agent
→
Verify Agent
↓
Neon PostgreSQL
Drizzle ORM
Embed Tier
Hybrid semantic memory
Fast Tier
SORK Engine inference

Every request flows through the same pipeline regardless of whether it originates from the CLI, the web dashboard, or a VS Code send.

Stack

Layer	Technology
Inference	SORK Engine — multi-tier AI routing (fast / deep / embed)
Safety gate	SORK Engine safety layer (content screening)
Memory	Hybrid semantic + recency (embedding-based)
API	Hono TypeScript on Render (Node 20)
Database	Neon PostgreSQL + Drizzle ORM
Auth	Clerk — JWT-signed requests
Frontend	Next.js 15 App Router on Vercel
CLI	Node.js npm package (sork-cli)

The Four-Stage Pipeline

Every scan request follows this exact sequence. No stage is skipped. Each stage can fail independently and returns structured JSON.

STAGE 01Safety Gate

The request is first screened by the SORK Engine safety layer. If the content is flagged as unsafe (prompt injection, jailbreak attempts, harmful payloads), the pipeline halts immediately. No API key is consumed. A safety score 0-100 is logged.

POST /api/scan
{ "code": "...", "licenseKey": "..." }

→ Safety check: score 0–100
→ threshold < 30 → BLOCKED

STAGE 02Triage Agent

Static analysis + LLM-powered triage runs over the submitted code. 40+ language-specific patterns detect CWE-classified vulnerabilities (SQL injection, null dereference, secrets, torn code, race conditions). Each finding gets a confidence score and a severity level (CRITICAL / HIGH / MEDIUM / LOW).

→ 40+ patterns across TS, JS, Py, Rust, Go, Java
→ CWE ID, confidence %, severity, fix hint
→ Returns: { issues: [...] }

STAGE 03Fix Agent

For each issue found in Stage 2, the Fix Agent generates a minimal unified diff via the SORK Engine deep tier. Only the specific vulnerable lines change — no refactoring, no unrelated edits. Hybrid memory provides codebase context so repeated patterns stay consistent.

→ SORK Engine generates patch (deep tier)
→ Minimal diff: only vulnerable lines
→ Hybrid memory: past fixes for this repo
→ Returns: { patch, originalLines, fixedLines }

STAGE 04Verify Agent

The patched code is re-scanned. The Verify Agent checks that (a) the original vulnerability is gone, (b) no new vulnerabilities were introduced, and (c) the logic is semantically equivalent. Returns a score 0–100. Anything below 80 is flagged for human review.

→ Re-scan patched code
→ Original issue resolved? ✓/✗
→ New issues introduced? ✓/✗
→ Score 0–100 → threshold 80 = approved

Agent System

Each pipeline stage is an independent agent. Agents are stateless functions that receive structured input and return structured JSON. They communicate through the sork-back API, not peer-to-peer.

Agent Interface

interface AgentInput {
  code: string;           // source code to analyse
  language: string;       // detected language
  issues?: Issue[];       // from previous stage (Fix + Verify)
  memoryContext?: string; // from embed tier (Fix stage only)
}

interface AgentOutput {
  stage: "triage" | "fix" | "verify";
  issues?: Issue[];
  patches?: Patch[];
  verifyScore?: number;
  safetyScore?: number;
  blocked?: boolean;
}

Default Inference Engine

All agents use the SORK Engine multi-tier router by default. Response times average 1.8s at p95. Users can override to any BYOK endpoint — the agent system routes through the same interface regardless of provider.

Hybrid Memory

SORK maintains a persistent memory of your codebase using the embed tier. This means fix quality improves over time — SORK knows your coding patterns, your existing mitigations, and the history of past issues.

How it works

Operation	Embed input_type	What's stored/retrieved
Store fix	search_document	Fixed code snippet + metadata
Retrieve context	search_query	Top-3 semantically similar past fixes
Recency weight	—	Recent fixes score higher than old ones
Scope	—	Per user · per repository path

Memory fields

{
  userId: string,
  filePath: string,
  cweId: string,
  originalCode: string,
  fixedCode: string,
  embedding: number[],   // 1024-dim vector
  createdAt: Date,
  score: number          // verify score at time of storage
}

BYOK — Bring Your Own Key

Pro and Pro Plus users can add their own API keys from any supported provider. SORK uses your key when your BYOK entry is active, bypassing the shared quota.

Supported providers

→Fast tier — default inference provider
→Custom models — connect any compatible endpoint
→Embed provider — override the embedding tier for memory
→OpenAI-compatible — any OpenAI-spec endpoint (local or hosted)

Security

Keys are encrypted at rest using AES-256-GCM before being written to the database. The encryption key is never logged or exposed in API responses. Only the last 6 characters are shown in the dashboard.

Live status

The dashboard shows real-time key health by issuing a minimal 1-token probe request when you open the API Keys view. Status values: ok / limited / error / inactive.

CLI Reference

Install once globally. All commands communicate with sork-back via your license key.

npm install -g sork-cli

Commands

Command	Description
sork config set-key <key>	Store your SORK Cloud license key locally
sork scan [--path ./src]	Scan all files in path. Defaults to current dir
sork scan --file ./auth.ts	Scan a single file
sork fix [--issue <id>]	Apply all pending fixes, or one specific issue
sork verify [--issue <id>]	Re-run verify stage on a fix
sork guard [--path ./src]	Watch mode — re-scans on every file save
sork doctor	Project health report 0–100 with language breakdown
sork review ./auth.ts	Inline AI review with sork.ai commentary
sork send ./auth.ts	Send file to dashboard for full pipeline run
sork config show	Show current config (key masked)

sork-ignore

To suppress a false positive on a specific line, add an inline annotation:

const query = "SELECT * FROM " + table; // sork-ignore: CWE-89

Or suppress an entire file via .sorkignore (same format as .gitignore).

Security Model

Request authentication

CLI requests use a license key (SORK-prefixed JWT signed with JWT_SECRET). Dashboard requests use Clerk JWTs. Both are validated on every API route in sork-back.

Data handling

→Code submitted for scanning is never persisted beyond the pipeline run. Only metadata (file path, CWE IDs, severity, scores) is stored.
→BYOK keys are stored encrypted (AES-256-GCM). The plaintext key is decrypted only during the pipeline call and never logged.
→Memory embeddings store code snippets of patched lines for context retrieval, not full files.

Rate limiting

Plan	Scan requests	Concurrent pipelines
Free	14 lifetime	1
Pro	Unlimited	3
Pro Plus	Unlimited	10

Glossary

Agent

A stateless LLM function. Takes structured input, returns structured JSON. Four agents: Safety, Triage, Fix, Verify.

BYOK

Bring Your Own Key. User-supplied API credentials for any supported AI provider. Stored AES-256-GCM encrypted.

CWE

Common Weakness Enumeration. A community-developed list of software security weaknesses. SORK reports CWE IDs for every finding (e.g. CWE-89 = SQL Injection).

Hybrid memory

Combination of semantic vector search (embed tier) and recency weighting. Gives recent fixes higher retrieval priority.

License key

A JWT signed by sork-back that authenticates CLI requests. Issued from the dashboard → API Keys tab.

Safety gate

SORK Engine content safety layer. Screens every incoming scan request for harmful content before any pipeline stage runs.

Pipeline

The four-stage sequence: Safety → Triage → Fix → Verify. Every scan runs the full pipeline.

sork-ignore

Inline annotation (// sork-ignore: CWE-ID) that suppresses a specific finding on that line.

Torn code

AI-generated code fragments that were cut off or malformed mid-generation. SORK's stability scanner detects these.

Verify score

A 0–100 score returned by the Verify Agent. Measures fix completeness and absence of new vulnerabilities. Threshold for auto-approval: 80.

Ready to scan your codebase?

14 free scans. No credit card. Start in 30 seconds.

Get started free View pricing