ArchGuard

An AI-powered architecture compliance orchestrator. Upload an architecture diagram and ArchGuard will extract the topology, audit it against major security frameworks (NIST, CIS, PCI-DSS, etc.), and generate validated Terraform code — all in one automated pipeline.

Screenshots

Upload your architecture diagram

Live progress as the multi-agent pipeline runs

Topology graph, compliance findings, and generated Terraform

How It Works

┌─────────────┐     POST /api/analyze      ┌──────────────────────────────┐
│   Browser   │ ─── diagram image ───────► │  FastAPI Backend (port 8000) │
│  React/Vite │ ◄── SSE progress stream ── │                              │
│ (port 5173) │                            │  LangGraph Workflow:         │
└─────────────┘                            │  1. Vision Agent             │
                                           │     (topology extraction)    │
                                           │  2. RAG Security Agent       │
                                           │     (compliance audit)       │
                                           │  3. IaC Generator            │
                                           │     (Terraform code)         │
                                           │  4. Sandbox Validator        │
                                           │     (checkov)                │
                                           └──────────┬───────────────────┘
                                                      │
                              ┌───────────────────────┼───────────────────┐
                              │                       │                   │
                    ┌─────────▼──────┐     ┌──────────▼──────┐   ┌──────▼──────┐
                    │  PostgreSQL    │     │    Langfuse      │   │  NVIDIA NIM │
                    │  + pgvector    │     │  (observability) │   │  (LLM APIs) │
                    │  (port 5433)   │     │  (port 3000)     │   │  (external) │
                    └────────────────┘     └─────────────────-┘   └─────────────┘

Prerequisites

• Docker and Docker Compose v2
• An NVIDIA NIM API key (free tier available)
• Compliance PDF documents in docs/compliance/ (see Compliance Documents below)

Quickstart (Docker)

# 1. Clone and enter the project
git clone <repo-url>
cd Archgaurd

# 2. Configure environment
cp .env.example .env
# Edit .env — at minimum set NVIDIA_API_KEY

# 3. Add compliance documents (see section below)

# 4. Start all services
docker compose up --build

# 5. Open the app
open http://localhost:5173

Services started by docker compose up:

Service	URL	Purpose
Frontend	http://localhost:5173	React UI
Backend API	http://localhost:8000	FastAPI
Langfuse	http://localhost:3000	LLM observability
PostgreSQL	localhost:5433	Vector store + DB

Local Development Setup

Run services independently for faster iteration:

1. Start infrastructure (PostgreSQL + Langfuse):

docker compose up postgres langfuse-server

2. Backend:

cd backend
python -m venv .venv
source .venv/bin/activate        # Windows: .venv\Scripts\activate
pip install -r requirements.txt
pip install checkov               # Terraform validator
cd ..
uvicorn backend.api.main:app --reload --port 8000

3. Frontend:

cd frontend
npm install
npm run dev                        # Vite dev server on http://localhost:5173

Environment Variables

Copy .env.example to .env and fill in the values:

Variable	Description	Default
NVIDIA_API_KEY	NVIDIA NIM API key	(required)
NIM_BASE_URL	NIM API endpoint	https://integrate.api.nvidia.com/v1
NIM_VISION_MODEL	Vision model ID	meta/llama-3.2-11b-vision-instruct
NIM_TEXT_MODEL	Text/code model ID	qwen/qwen3-coder-480b-a35b-instruct
POSTGRES_HOST	PostgreSQL host	localhost
POSTGRES_PORT	PostgreSQL port	5433
POSTGRES_USER	PostgreSQL user	archguard
POSTGRES_PASSWORD	PostgreSQL password	archguard
POSTGRES_DB	PostgreSQL database	archguard
LANGFUSE_PUBLIC_KEY	Langfuse public key	(optional)
LANGFUSE_SECRET_KEY	Langfuse secret key	(optional)
LANGFUSE_HOST	Langfuse server URL	http://localhost:3000
TF_PLUGIN_CACHE_DIR	Terraform provider cache	./terraform_cache

Compliance Documents

The RAG pipeline ingests PDF compliance standards from docs/compliance/. These files are excluded from version control. Populate the directory before first use:

docs/compliance/
├── aws/          — AWS Well-Architected Security Pillar, etc.
├── database/     — PostgreSQL STIG, etc.
├── docker/       — CIS Docker Benchmark, NIST SP 800-190, OWASP Docker, etc.
├── general/      — NIST SP 800-53, PCI-DSS, NIST CSF, etc.
└── kubernetes/   — Kubernetes Hardening Guidance, etc.

After placing PDFs, trigger ingestion by calling the backend RAG ingestor:

python -m backend.rag.ingestor

API Reference

Method	Endpoint	Description
POST	/api/analyze	Upload diagram image (multipart/form-data, field image). Returns {"job_id": "..."}
GET	/api/status/{job_id}	SSE stream of workflow progress events
GET	/api/result/{job_id}	Full analysis result (topology, compliance findings, Terraform code)
GET	/api/health	Health check — returns {"status": "ok"}

Project Structure

Archgaurd/
├── backend/                  — Python FastAPI application
│   ├── api/main.py           — FastAPI app, endpoints, SSE streaming
│   ├── agents/               — Vision, RAG security, IaC generator agents
│   ├── graph/                — LangGraph workflow orchestration
│   ├── rag/                  — PDF ingestor and vector retriever
│   ├── tools/sandbox.py      — Terraform + checkov validator
│   ├── config.py             — Pydantic settings
│   └── requirements.txt
├── frontend/                 — React + Vite application
│   ├── src/
│   │   ├── App.jsx
│   │   └── components/       — UploadZone, TopologyViewer, ComplianceReport, TerraformViewer
│   ├── Dockerfile
│   └── nginx.conf
├── docs/compliance/          — Compliance PDFs (git-ignored)
├── terraform_cache/          — Terraform provider cache (git-ignored)
├── docker-compose.yml        — Full stack: frontend, backend, postgres, langfuse
├── .env.example              — Environment variable template
└── README.md