This document provides a master-class technical reference for the internal architecture of the Korg Autonomous Engineering Runtime. It is intended for security auditors, systems programmers, and core contributors.
Korg is engineered from the ground up on the principle of Zero-Trust. No component, whether an AI persona or a system utility, is implicitly trusted. Every action is sandboxed, every state transition is cryptographically signed, and all data flows through strict policy-enforcement gateways. This is achieved through a combination of Rust's language-level guarantees and a carefully designed process and filesystem isolation model.
The entire Korg backend is implemented in Rust, which provides compile-time guarantees of memory safety without the overhead of a garbage collector. This is fundamental to Korg's security posture.
- Ownership and Borrowing: Rust's ownership model ensures that there is always one and only one "owner" of any given piece of memory. Data can be immutably borrowed by multiple parties or mutably borrowed by exactly one party. This statically prevents data races at compile time. In Korg, shared state like the
Blackboardis wrapped in concurrency primitives likeArc<Mutex<T>>, which enforce these borrowing rules at runtime, ensuring that even in a highly concurrent multi-agent system, there are no data races. - Absence of Null and Undefined Behavior: Rust's type system eliminates null pointer dereferences through the
Option<T>andResult<T, E>enums. This forces developers to handle the absence of a value explicitly, preventing entire classes of bugs and security vulnerabilities common in other systems languages. - Fearless Concurrency: The combination of ownership rules and type-system constraints allows Korg to manage the 5-Persona Swarm with "fearless concurrency." The compiler guarantees that any data shared between threads (i.e., between the Leader orchestrator and its various tasks) is done so safely.
Memory safety alone is insufficient for securing an autonomous agent that can execute arbitrary code. Korg enforces strict process and filesystem isolation for all persona operations.
- Child Process Workers: As detailed in
src/leader.rs, each AI persona (Captain, Harper, Benjamin, Lucas) is spawned as a separate OS-level child process (tokio::process::Command). They run as akorg workersubcommand. This provides kernel-level memory isolation. A crash or exploit in one persona's process cannot directly access the memory of the Leader or other personas. git worktreeSandboxes: Before a persona likeBuilder Benjaminbegins code synthesis, theLeaderOrchestratorcreates a transient, isolated filesystem sandbox usinggit worktree. This command creates a linked copy of the repository in a temporary directory (e.g.,/tmp/korg/worktrees/...).- All file modifications, compilations (
cargo check), and tests are executed exclusively within this sandbox. - The main repository branch remains pristine and untouched.
- If the generated code fails to compile, fails tests, or is rejected by the
Evaluator, the entire worktree directory is simply discarded. This is a powerful, stateless, and fail-secure mechanism for experimentation.
- All file modifications, compilations (
- Zero-Trust ACP Protocol: Communication between the Leader and worker processes occurs over
stdiousing the Autonomous Control Protocol (ACP). Every message is wrapped in a signedMessageEnvelope. This ensures that even if a worker process were compromised, it could not spoof messages as another worker or the Leader without access to the campaign's private signing key.
At the heart of Korg's concurrency model is the Blackboard, a central, observable state repository. It is modeled not as a simple key-value store, but as a transactional, conflict-free data structure inspired by CRDTs (Conflict-free Replicated Data Types).
- Architecture: The primary blackboard is implemented as
Arc<Mutex<Blackboard>>, making it a thread-safe handle that can be shared among the Leader's asynchronous tasks. While the provided source shows aMutex, the underlying design pattern is CRDT-like. Personas do not perform arbitrary reads/writes; instead, they submit transactions (SubmitTransactionACP message) which represent proposed state changes. - Transactional State Changes: The
LeaderOrchestratoris the sole entity that "compacts" or applies these transactions to the canonical state. It receivesSubmitTransactionmessages from the personas, evaluates them in the Arena, and then merges the winning state change. This serialized application of transactions by a single trusted authority (the Leader) prevents the race conditions and deadlocks typical of shared-memory concurrency while allowing personas to work in parallel. - CRDT-like Merging: The
perform_semantic_mergefunction insrc/leader.rsexemplifies this principle. It takes the outputs from all competing personas and uses a "Synthesizer" persona (Lucas) to reconcile them into a single, cohesive set of mutations. This is analogous to a CRDT merge function that resolves concurrent updates into a deterministic, final state. - Observability: The Blackboard is the "Gravitational Well" around which the swarm orbits. It is the single source of truth for system telemetry. Personas emit
SwarmTelemetryPulsemessages, which the Leader ingests into the Blackboard'strace_buffer. TheEvaluatorthen reads this buffer to assess the swarm's health, creating a tight, observable feedback loop. The state is exposed via the/api/stateendpoint for the web cockpit, providing real-time observability to the human operator.
Korg employs a fixed 5-persona swarm, where each agent has a specialized, adversarial role. This division of labor creates a system of checks and balances that promotes robust, high-quality output.
-
Orchestrator Captain (The Planner):
- Role: High-level strategist and planner.
- Function: Receives the initial root task from the operator. Decomposes the task into smaller, actionable work packages (
decompose_into_persona_packagesinsrc/leader.rs). Initiates theContractNegotiationphase, proposing acceptance criteria for the task. The Captain sets the direction for the entire swarm.
-
Auditor Harper (The Researcher/Critic):
- Role: Context-gatherer, researcher, and adversarial critic.
- Function: During
ContractNegotiation, Harper critiques the Captain's proposed criteria for ambiguity and relevance, forcing a more robust contract. During execution, Harper is assigned "Research" tasks, gathering information from the codebase or external sources to inform the Builder. Harper's primary function is to prevent the swarm from "hallucinating" or working with incorrect assumptions.
-
Builder Benjamin (The Coder):
- Role: Primary code generator and implementer.
- Function: Receives a specific work package and the negotiated
Contract. Benjamin's role is to write the code to fulfill the contract. This persona is responsible for generating themutations(code changes) within its isolatedgit worktreesandbox. As seen inrun_self_healing_loop, Benjamin's output is subject to the most scrutiny, including automated compilation checks and repair loops.
-
Synthesizer Lucas (The Reconciler):
- Role: Merger and finalizer.
- Function: After all personas have submitted their work, the
LeaderOrchestratorinvokes Lucas. As shown inperform_semantic_merge, Lucas's job is to take the winning proposal from the Arena and intelligently merge it with complementary ideas from the other personas. This produces a final, cohesive patch that is more robust than any single persona's output.
-
Evaluator (The Harsh Adversarial Critic):
- Role: Independent scoring authority and Generator/Evaluator loop.
- Function: Spawned separately by the Leader (
Spawning Evaluator to score persona ...), the Evaluator receives a generator persona's output and scores it against the negotiated contract rubrics in the Arena, following the Anthropic-style Generator/Evaluator loop. It is a distinct persona (Persona::Evaluator), not a role played by any of the four workers above, and it is what turns the swarm's output into a measured, adversarially-checked verdict.
This adversarial collaboration ensures that a plan is critiqued before it's executed, code is generated based on a solid plan, and multiple proposed solutions are synthesized into a superior final product.
The Korg campaign loop follows a deterministic state transition sequence, managed by the LeaderOrchestrator. This ensures a predictable and auditable flow of execution.
stateDiagram-v2
direction LR
[*] --> PlanDecomposition: Operator initiates campaign
state PlanDecomposition {
direction LR
[*] --> Captain: Decompose Task
}
PlanDecomposition --> ContractNegotiation: Plan Formulated
state ContractNegotiation {
direction LR
[*] --> ProposeCriteria: Captain
ProposeCriteria --> Critique: Evaluator (Harper)
Critique --> ProposeCriteria: Revise
Critique --> [*]: Contract Signed
}
ContractNegotiation --> DispatchWork: Contract Approved
state DispatchWork {
direction LR
[*] --> SpawnWorkers: Leader
SpawnWorkers --> WorkspaceSynthesis: Workers Active
}
state WorkspaceSynthesis <<fork>>
DispatchWork --> WorkspaceSynthesis
state "Benjamin (Build)" as Benjamin
state "Harper (Research)" as Harper
state "Lucas (Synthesize)" as Lucas
WorkspaceSynthesis --> Benjamin
WorkspaceSynthesis --> Harper
WorkspaceSynthesis --> Lucas
Benjamin --> SubmitTransaction
Harper --> SubmitTransaction
Lucas --> SubmitTransaction
SubmitTransaction --> ArenaEvaluation: All workers complete
state ArenaEvaluation {
direction LR
[*] --> ScoreCandidates: Leader
ScoreCandidates --> SelectWinner: Highest Confidence
SelectWinner --> [*]
}
ArenaEvaluation --> VerdictHandling: Winner Selected
state VerdictHandling {
direction LR
[*] --> IngestTelemetry: Leader
IngestTelemetry --> EvaluateRubrics: Evaluator
EvaluateRubrics --> RecommendAction: Verdict
RecommendAction --> [*]
}
VerdictHandling --> StateCompaction: Action Determined
state StateCompaction {
direction LR
[*] --> MergeWinner: Leader
MergeWinner --> PersistKtrans: Sign Transaction
PersistKtrans --> [*]
}
StateCompaction --> CampaignComplete: Final Round
StateCompaction --> DispatchWork: Loop (Revise/Continue)
CampaignComplete --> [*]
Korg maintains a tamper-proof audit trail of every significant action using a cryptographic provenance chain, stored as .ktrans (Korg Transaction) artifacts. This system provides non-repudiation for the AI's reasoning process.
-
Parent-Hash Linking & Merkle-DAG: Each
.ktransartifact, represented by theCampaignKtransstruct, contains aparent_hashesfield. This field stores thetx_hashof the preceding transaction(s). This explicit linking forms a Merkle Directed Acyclic Graph (DAG), identical in principle to a blockchain. Any modification to a past transaction would invalidate its hash, breaking the entire chain and making tampering immediately detectable. Thereplay_campaignfunction inleader.rsvalidates this chain integrity. -
JCS Canonicalization (RFC 8785): The
tx_hashof a transaction is not a hash of a simple string. It is a SHA-256 hash of the canonicalized JSON representation of the transaction payload. Korg uses a JSON Canonicalization Scheme (JCS) compatible implementation (canonical_jsoncrate). This process involves sorting keys, removing insignificant whitespace, and standardizing number/string formats. This ensures that two logically identical transactions will always produce the same hash, regardless of how they are formatted in memory. This is critical for deterministic, verifiable distributed systems. Thecompute_sha256function insrc/provenance.rsis the heart of this mechanism. -
Playhead Timeline Scrubbing & Steering Forks: The provenance chain is not just a passive audit log; it is an interactive time machine. The
CampaignKtransstruct cryptographically links the logical state (state_merkle_root) with the physical codebase state (codebase_merkle_root, a git tree hash).- When an operator initiates a "Playhead Steering Fork" (as described in
DOCS.mdand handled inleader.rs), Korg uses the selected transaction'scodebase_merkle_rootto physically reset the workspace usinggit read-tree --reset -u <tree-hash>. - Simultaneously, it uses the
state_merkle_rootto find the corresponding state blob and rehydrate the logicalBlackboard. - This powerful feature allows an operator to rewind the AI's "thought process" and codebase to any valid, signed point in history and "fork" its execution in a new direction, all with cryptographic guarantees of integrity.
- When an operator initiates a "Playhead Steering Fork" (as described in
Beyond the in-process provenance chain above, Korg ships a set of independently-verifiable, "flight-recorder" capabilities that let third parties check an agent's work without trusting Korg itself:
korg-ledger@v1: A frozen, hash-chained, HLC-ordered, tamper-evident event ledger with cross-language conformance (Rust/Python/JS). Each event carries an Ed25519 per-event signature, and the ledger supports git-tip structural anchoring for offline structural verification.- Certificate (
korgcert@v1): A public, independently-verifiable certificate of agent work, produced by thekorg-sealCLI (mint/anchor/resolve/verify) and checkable by three conformant verifiers (korg-verifyin Rust, plus Python and JS) as well as zero-install in-browser verifiers hosted on GitHub Pages. - Honest
korg run-oncepipeline: Runs a real patch through a realcargo checkand attests a mutation count that equals the realgit diff(file count + changed paths). When it cannot produce a real result, it reports an honest null rather than fabricating one. - Provider model: The default is a hermetic
DeterministicProvider(fixture-only);--provider ollamaruns a live local model on arbitrary tasks.
Planned (not yet shipped): live network time-witness anchoring (the anchor structure and offline verification are shipped; only the trusted-time witness fetch remains an honest limit), crates.io/npm publishing of the CLIs and verifiers, and a korg fork / execution-checkpoint-restore CLI (the primitives exist; the shipped reversibility today is korg rewind).
Since Korg personas can interact with GUIs and web browsers, a critical security vector is the accidental exposure of sensitive data in screenshots. The Visual Policy Engine in src/vision_policy.rs acts as a fail-secure firewall for all visual data.
-
Fail-Secure Intercept Loop: The
check_attachmentfunction is the core of the visual firewall. It intercepts everyVisionAttachmentbefore it is added to theBlackboardor broadcast to the UI. It operates on a default-deny principle: if any configuredblock_patterns(e.g., "password", "api_key", "secret") are found, the attachment is immediately flagged for redaction or blocking. -
Multi-Layer Pattern Matching: The engine doesn't just scan filenames. It performs a deep inspection:
- Metadata Scan: Checks the attachment's
nameanddescription. - OCR Scan: Decodes the
data_base64payload and performs a case-insensitive string search on the raw byte content. This effectively scans the content of text-based images (like SVGs) or the output of a real OCR engine. - High-Entropy String Detection: The
get_high_entropy_wordsfunction calculates the Shannon entropy of words in the OCR text. This allows it to detect randomized, password-like strings (e.g., API keys, tokens) even if they don't match a specific keyword pattern.
- Metadata Scan: Checks the attachment's
-
Temporal Analysis for Transient & Split Leaks: The most advanced feature is its temporal analysis, which uses a
VISUAL_HISTORYbuffer to compare the current frame (N) with the previous one (N-1).- Transient Leak: If a secret appears in frame N-1 but disappears in frame N, the engine retrospectively redacts frame N-1. This catches secrets that are only visible for a fraction of a second.
-
Pixel Redaction: Upon detecting an infraction, the engine does not simply discard the image. It replaces the
data_base64payload with a constant, opaque placeholder (e.g.,BLACKOUT_PNG_BASE64, a 1x1 black pixel). This maintains the integrity of the event stream (an attachment was still captured) while ensuring no sensitive data is persisted or broadcast. This redaction is enforced again at the web-server level insrc/web.rsbefore being sent over SSE, providing a second layer of defense.
Korg features a premium native desktop client powered by Tauri v2. This integration shifts the swarm cockpit from a standard browser tab to a zero-trust, glassmorphic native desktop shell, drawing architectural inspiration from cc-switch for immediate control of running agents.
The Tauri desktop window is designed with modern premium aesthetics:
- Transparent Backdrop Filtering: Utilizing custom platform-level blurred backdrops (
transparent: true,decorations: false, and hidden title bars). This produces a sleek, floatable glassmorphic dashboard that sits cleanly on the operator's workspace. - Micro-Animations & Telemetry Updates: Dynamic performance telemetry (Active Workers, Transaction Count, Latency) is piped over a highly responsive IPC layer (
invoke_handlerinsrc-tauri/src/main.rs).
Following the cc-switch pattern, the application runs a background loop connected to a macOS/Windows system tray icon. This provides real-time ambient monitoring and hot-swappable settings:
- Swarm Preset Switching: An operator can right-click the Korg tray icon to instantly toggle active persona configurations (e.g., switching the swarm from using Groq to Cerebras, Gemini, or a local Ollama instance) without interrupting active execution.
- Campaign Execution State: Start, pause, and exit controls are wired directly into the operating system's menu bar for low-latency operational oversight.
To optimize cognitive cost and operational resilience, Korg integrates a native free-tier API rotator inside the model-agnostic provider layer.
The RotatorProvider holds a vector of configured candidates (RotatorCandidateState), representing custom API keys and endpoints (e.g., Groq, Cerebras, SambaNova, Google Gemini) which are queried as standard OpenAI-compatible endpoints.
- Round-Robin & Quick Failover: When a request is dispatched, Korg selects the most active candidate. If a candidate returns a transient error (e.g. HTTP 429 Rate Limit, 503 Service Unavailable), the rotator immediately catches the error, marks the candidate, and fails over to the next candidate in less than 50 milliseconds.
- Persistent Global Cooldowns: Because persona processes are ephemeral and rebuilt by the
LeaderOrchestratoron each task execution, local candidate state would be lost. Korg resolves this by persisting cooldown states in a thread-safe, global registry:Any failed candidate is placed on a strict 60-second cooldown, preventing subsequent runs from retrying depleted endpoints and guaranteeing ultra-low-latency execution.static ROTATOR_COOLDOWNS: std::sync::OnceLock<Mutex<std::collections::HashMap<String, Instant>>> = std::sync::OnceLock::new();