ResourcesArchitecture

Architecture

Technical architecture of the Drok platform — Rust backend, TypeScript frontend, and the infrastructure between.

Drok is a ground-up implementation of a code hosting platform. This page describes the technical architecture for engineers evaluating the platform, integrating with it, or simply curious about what lies beneath the interface.

Backend

Language and Runtime

The backend is written exclusively in Rust. There is no Python glue code. No Node.js middleware. No Java services. Every HTTP handler, every Git operation, every database query, every cryptographic operation executes within a single Rust binary.

MetricValue
Lines of Rust38,470
Source files96
Passing tests359
Test failures0
Benchmark suites3 (Criterion)

Git Implementation

Git protocol support is implemented through native libgit2 Rust bindings — not by shelling out to the git CLI. This eliminates:

  • Process forking — No fork() + exec() for every Git operation
  • IPC overhead — No stdin/stdout piping between processes
  • Shell injection risk — No shell commands to inject into

The result is Git operations that execute within the server process boundary with the performance characteristics of a library call, not a subprocess.

Database

PostgreSQL with connection pooling via deadpool-postgres. Migrations are managed with refinery and tested against every schema version in CI.

Full-text search is powered by Tantivy — a Rust implementation of the Lucene search architecture. Tantivy provides:

  • Sub-50ms query latency for repositories with millions of lines
  • Incremental indexing on every push
  • Regex support, language filtering, and path scoping

Cryptography

Post-quantum cryptographic primitives (ML-KEM-1024, ML-DSA-87, SLH-DSA-SHA2-256s) are implemented in Rust with constant-time arithmetic. The implementation includes 87 unit tests and 7 documentation tests. See Post-Quantum Cryptography for details.

File Storage

  • Repository data — Stored on local NVMe with replication
  • LFS objects — Cloudflare R2 (S3-compatible, zero egress fees)
  • Package artifacts — Cloudflare R2
  • Pipeline logs — Compressed and stored on R2 with hot cache on NVMe

Frontend

Framework

The frontend is a TypeScript SPA (single-page application) with server-side rendering for initial page loads:

MetricValue
TypeScript files210
Route endpoints47
UI components115

Performance Target

Every page transition completes within 200 milliseconds. This is enforced by:

  • Route-level code splitting — each route loads only its own code
  • Prefetching — links prefetch their target on hover
  • Optimistic UI — actions update the interface immediately, syncing with the server asynchronously
  • No layout shift — page dimensions are known before content loads

Syntax Highlighting

Code rendering uses Tree-sitter for parse-tree-based syntax highlighting across 200+ languages. Tree-sitter grammars are compiled to WebAssembly for browser execution, providing the same highlighting quality in the web interface as in editors like Neovim and Zed.

Editor

The web editor is built on Monaco (the VS Code editor core) with LSP integration for supported languages. See Web Editor.

Infrastructure

Deployment

Drok runs on dedicated infrastructure in US-East (Virginia). The deployment target is bare metal — not containerized, not serverless, not abstracted behind three layers of orchestration. The Rust binary runs directly on the host operating system.

TLS

TLS 1.3 exclusively. No TLS 1.2 fallback. Certificates are issued via Let's Encrypt with automated renewal and Certificate Transparency logging.

CDN

Static assets (JavaScript bundles, CSS, fonts, images) are served through Cloudflare's CDN. Dynamic content is served directly from origin.

Monitoring

  • Metrics — Prometheus-compatible metrics exported from the Rust binary
  • Tracing — Distributed tracing with OpenTelemetry
  • Logging — Structured JSON logging with request correlation IDs
  • Alerting — PagerDuty integration for operational alerts

Security Architecture

See Security Overview for the complete security architecture including:

  • Memory safety guarantees from Rust
  • Post-quantum cryptography
  • Zero-trust networking
  • Comprehensive audit logging

Diagram

┌──────────────────────────────────────────────┐
│                  Cloudflare                    │
│              (CDN, DDoS, WAF)                 │
└──────────────────┬───────────────────────────┘

┌──────────────────▼───────────────────────────┐
│              Drok Application                 │
│         (Single Rust Binary)                  │
│                                               │
│  ┌─────────┐ ┌──────────┐ ┌──────────────┐  │
│  │  HTTP    │ │  Git     │ │  Pipeline    │  │
│  │  Server  │ │  Server  │ │  Runner      │  │
│  └────┬────┘ └────┬─────┘ └──────┬───────┘  │
│       │           │               │           │
│  ┌────▼───────────▼───────────────▼────────┐ │
│  │           Core Services                  │ │
│  │  Auth │ Search │ Crypto │ Notifications  │ │
│  └────┬───────────┬───────────────┬────────┘ │
└───────┼───────────┼───────────────┼──────────┘
        │           │               │
┌───────▼──┐  ┌────▼─────┐  ┌─────▼──────┐
│PostgreSQL │  │  Tantivy │  │Cloudflare  │
│           │  │  (Search)│  │R2 (Storage)│
└──────────┘  └──────────┘  └────────────┘
Previous
Git Integration
Next
Changelog