ForgeHelm Product Architecture

Architecture Designed for Data Sovereignty

Three layers, strict separation. Source code stays in your network. Only desensitized metrics cross the boundary.

Three-Layer Architecture

Analysis Agent

Deployed inside your network. Runs all scanning and analysis locally using a SQLite task queue. Supports GitHub Webhook and polling triggers. Never requires outbound source code transmission.

On-Premises, SQLite, SignalR, Webhook / Poll
CUSTOMER NETWORK

Desensitized metrics only

Management Platform (SaaS)

Provides tenant management, project configuration, dashboards, report output, and collaboration workflows. Can be hosted in the cloud or your own environment.

PostgreSQL, SignalR, RBAC
CLOUD / SAAS

Shared Contracts

Defines data models and interface specifications shared between Agent and SaaS. Ensures semantic consistency and enables version evolution.

Data Flow

  1. Agent receives trigger (Webhook or poll)
  2. Agent runs analysis locally — source code never leaves
  3. Agent desensitizes results (file names + line numbers + counts only)
  4. Desensitized summary pushed to SaaS via SignalR
  5. SaaS renders dashboards and generates compliance reports
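
A boundary check for step 3, written as an added example and not ForgeHelm's own code: an allowlist validator that fails closed unless an outbound summary holds only file names, line numbers and counts. The payload shape, the field names `file`, `line` and `count`, and the file-name character set are assumptions made for illustration.

```python
import re

# Assumed payload shape (hypothetical, not ForgeHelm's contract):
# {"findings": [{"file": "src/app.py", "line": 42, "count": 3}, ...]}
ALLOWED_KEYS = {"file", "line", "count"}
# File names only: path-like characters, bounded length, no whitespace
# or newlines, so a code fragment cannot ride along in this field.
FILE_RE = re.compile(r"[A-Za-z0-9._/\-]{1,260}")


def _is_count(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def violations(summary):
    """Return the reasons this summary must not leave the network."""
    if not isinstance(summary, dict) or set(summary) != {"findings"}:
        return ["top level must contain only 'findings'"]
    if not isinstance(summary["findings"], list):
        return ["'findings' must be a list"]
    problems = []
    for i, item in enumerate(summary["findings"]):
        if not isinstance(item, dict):
            problems.append(f"findings[{i}]: not an object")
            continue
        extra = set(item) - ALLOWED_KEYS
        missing = ALLOWED_KEYS - set(item)
        if extra:
            problems.append(f"findings[{i}]: unexpected fields {sorted(extra)}")
        if missing:
            problems.append(f"findings[{i}]: missing fields {sorted(missing)}")
            continue
        if not isinstance(item["file"], str) or not FILE_RE.fullmatch(item["file"]):
            problems.append(f"findings[{i}]: 'file' is not a plain file name")
        if not _is_count(item["line"]) or not _is_count(item["count"]):
            problems.append(f"findings[{i}]: 'line'/'count' must be non-negative integers")
    return problems


def safe_to_send(summary):
    # Fail closed: anything outside the allowlist blocks the push.
    return not violations(summary)


# Constructed samples: one clean summary, one that leaks a source snippet.
CLEAN = {"findings": [{"file": "src/auth/login.py", "line": 42, "count": 3}]}
LEAKY = {"findings": [{"file": "src/auth/login.py", "line": 42, "count": 3,
                       "snippet": "password = 'hunter2'"}]}
```

Running the same check on an egress proxy or on captured traffic during a PoC gives an independent confirmation that nothing beyond the three field types crosses the boundary.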

Deployment Modes

Full Cloud

Fastest Onboarding

Management platform and analysis services hosted in the cloud. Agent runs as a managed service.

Suitable when:

  • Policy permits cloud code analysis
  • Speed of deployment is primary priority
  • Non-regulated or early-stage projects

Private Cloud / On-Premises

Enterprise

All components deployed in your data center or private cloud. Full control over all compute and storage.

Suitable when:

  • Strict data residency requirements
  • Corporate policy prohibits any cloud
  • Full infrastructure control required

Air-Gapped

Maximum Security

Completely offline — no external network connections. All updates delivered via physical media.

Suitable when:

  • Classified or military environments
  • No external connections permitted
  • Maximum data isolation required

AI Configuration

Cloud AI (Core)

SaaS-hosted models for quick onboarding. Limited FAQ and basic RAG for starter teams.

Hybrid RAG (Professional)

On-premises Agent with full RAG and compliance gate. Connect cloud or VPC-hosted model endpoints.

BYOL Fully Offline (Enterprise)

Bring your own GPU and open-source LLM via AI Deployment Kit — no outbound model traffic.

All governance modules (reports, SBOM, dashboard, migration, data quality) work without AI. ChatBot and advanced RAG are AI-dependent.

BYOL + AI Deployment Kit (Enterprise)

Bring your own GPU and open-source LLM. ForgeHelm ships a pre-configured stack for fully air-gapped AI governance.

  • docker-compose.aiserver.yml — Agent.Api + Ollama + pgvector
  • Offline tarball install + model download guides for air-gapped sites
  • License registry (Keygen/Hiphops) for Docker image distribution internationally

Want to Evaluate the Architecture?

Request a PoC scoped to your environment. We configure the Agent, run a real scan, and deliver a report — source code never leaves your network.