
Supply Chain Visibility

New in v0.9

Track dependencies and vulnerabilities in your AI agent stack. Monitor models, packages, tools, and APIs for security issues.

Overview

AI agents depend on a complex stack of models, packages, tools, and services. Supply Chain Visibility helps you track these dependencies, verify their integrity, and monitor for security vulnerabilities.

Dependency Tracking

Register and track all agent dependencies

Vulnerability Scanning

Match dependencies against known CVEs

Verification

Mark dependencies as verified/trusted

Health Scoring

Calculate overall supply chain security

Dependency Types

| Type | Examples | Tracked Properties |
| --- | --- | --- |
| model | gpt-4, claude-3, llama-2 | Version, provider, capabilities |
| package | langchain, crewai, numpy | Version, source, license |
| tool | web_search, calculator | Permissions, provider |
| service | database, cache, queue | Endpoint, authentication |
| api | weather_api, maps_api | Version, rate limits |
| mcp_server | Custom MCP servers | Tools provided, security config |

Register Dependencies

Register dependencies as your agent is configured:

python
from tork import TorkClient, SupplyChain

client = TorkClient(api_key="your_key")
supply = SupplyChain(client)

# Register a model dependency
supply.register_dependency(
    agent_id="agent-1",
    dependency_type="model",
    name="gpt-4",
    version="0613",
    source="openai",
    metadata={
        "capabilities": ["chat", "function_calling"],
        "context_window": 8192
    }
)

# Register a package dependency
supply.register_dependency(
    agent_id="agent-1",
    dependency_type="package",
    name="langchain",
    version="0.1.0",
    source="pypi",
    metadata={
        "license": "MIT",
        "repository": "https://github.com/langchain-ai/langchain"
    }
)

# Register a tool dependency
supply.register_dependency(
    agent_id="agent-1",
    dependency_type="tool",
    name="web_search",
    version="1.0.0",
    source="internal",
    metadata={
        "permissions": ["network_access"],
        "rate_limit": 100
    }
)

Check for Vulnerabilities

Scan registered dependencies against known vulnerability databases:

python
# Check all dependencies for an agent
vulns = supply.check_vulnerabilities("agent-1")

print(f"Total dependencies: {vulns['totalDependencies']}")
print(f"Vulnerabilities found: {vulns['vulnerabilityCount']}")

for match in vulns['matches']:
    vuln = match['vulnerability']
    dep = match['dependency']

    print(f"\n{vuln['severity'].upper()}: {vuln['title']}")
    print(f"  CVE: {vuln['cveId']}")
    print(f"  Package: {dep['name']}@{dep['version']}")
    print(f"  Description: {vuln['description'][:100]}...")

    if vuln['fixedVersion']:
        print(f"  Fix: Upgrade to version {vuln['fixedVersion']}")

    if vuln['references']:
        print(f"  More info: {vuln['references'][0]}")

# Get vulnerability summary
if vulns['vulnerabilityCount'] > 0:
    print(f"\nSummary by severity:")
    for severity, count in vulns['bySeverity'].items():
        print(f"  {severity}: {count}")

Vulnerability Database
Tork maintains an updated vulnerability database that includes CVEs, security advisories, and AI-specific vulnerabilities like model jailbreaks and prompt injection weaknesses.
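The scan above returns matches without showing how a dependency record is related to an advisory. The following is an added example, not Tork's own scanner or database: the dependency records, the advisory entries (placeholder CVE ids, not real ones) and the matching rule (same name and source, version within an introduced/fixed range) are all constructed assumptions. The result dict deliberately mirrors the keys the docs print from check_vulnerabilities() so the printing loop above would work on it unchanged.

```python
"""Illustrative vulnerability matching over a registered dependency list.

Added example, not Tork's own code. Records, advisories and the
matching rule are constructed; CVE ids below are placeholders.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed inventory in the shape register_dependency() takes.
DEPENDENCIES = [
    {"id": "dep_1", "type": "package", "name": "langchain", "version": "0.1.0", "source": "pypi"},
    {"id": "dep_2", "type": "package", "name": "numpy", "version": "1.26.4", "source": "pypi"},
    {"id": "dep_3", "type": "model", "name": "gpt-4", "version": "0613", "source": "openai"},
    {"id": "dep_4", "type": "tool", "name": "web_search", "version": "1.0.0", "source": "internal"},
]

# Constructed advisory records. CVE ids are placeholders, not real entries.
VULN_DB = [
    {"cveId": "CVE-0000-00001", "severity": "high", "title": "Constructed advisory A (sample only)",
     "package": "langchain", "source": "pypi", "introduced": "0.0.1", "fixedVersion": "0.1.5",
     "description": "Constructed sample advisory.", "references": ["https://example.invalid/advisory/1"]},
    {"cveId": "CVE-0000-00002", "severity": "medium", "title": "Constructed advisory B (sample only)",
     "package": "numpy", "source": "pypi", "introduced": "1.0.0", "fixedVersion": "1.22.0",
     "description": "Constructed sample advisory.", "references": []},
    {"cveId": "CVE-0000-00003", "severity": "critical", "title": "Constructed advisory C (sample only)",
     "package": "web_search", "source": "internal", "introduced": "1.0.0", "fixedVersion": None,
     "description": "Constructed sample advisory.", "references": []},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.26.4' or '0613' into an int tuple; non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def is_affected(dep_version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed; no fix means every later version is affected."""
    v = parse_version(dep_version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def check_vulnerabilities(deps: list[dict], db: list[dict] = VULN_DB) -> dict:
    """Match each dependency against the advisory list and summarise by severity."""
    matches = []
    for dep in deps:
        for vuln in db:
            # Name alone is not enough: a pypi 'web_search' and an internal one are different things.
            if vuln["package"] != dep["name"] or vuln["source"] != dep["source"]:
                continue
            if is_affected(dep["version"], vuln["introduced"], vuln["fixedVersion"]):
                matches.append({"dependency": dep, "vulnerability": vuln})
    by_severity: dict[str, int] = {}
    for m in matches:
        sev = m["vulnerability"]["severity"]
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return {
        "totalDependencies": len(deps),
        "vulnerabilityCount": len(matches),
        "matches": matches,
        "bySeverity": by_severity,
    }


if __name__ == "__main__":
    result = check_vulnerabilities(DEPENDENCIES)
    for m in result["matches"]:
        v, d = m["vulnerability"], m["dependency"]
        fix = f"upgrade to {v['fixedVersion']}" if v["fixedVersion"] else "no fix available"
        print(f"{v['severity'].upper()}: {d['name']}@{d['version']} ({v['cveId']}), {fix}")
    print(result["bySeverity"])
```

With the constructed data, langchain 0.1.0 falls inside the affected range and web_search has an advisory with no fixed version, so both match; numpy 1.26.4 is past the fixed version and is skipped. Matching on source as well as name matters because the same name can be registered from different origins (the docs' own examples register from pypi, openai and internal).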

Get Health Score

Calculate an overall supply chain health score:

python
# Get supply chain health score
health = supply.get_health_score("agent-1")

print(f"Health Score: {health['healthScore']}/100")
print(f"Grade: {health['grade']}")  # A, B, C, D, F

print(f"\nDependencies:")
print(f"  Total: {health['totalDependencies']}")
print(f"  Verified: {health['verifiedDependencies']}")
print(f"  Unverified: {health['unverifiedDependencies']}")

print(f"\nVulnerabilities:")
print(f"  Open: {health['openVulnerabilities']}")
print(f"  Critical: {health['criticalVulnerabilities']}")
print(f"  High: {health['highVulnerabilities']}")

print(f"\nFactors:")
for factor in health['factors']:
    print(f"  {factor['name']}: {factor['score']}/100 ({factor['weight']}% weight)")

# Recommendations
if health['recommendations']:
    print(f"\nRecommendations:")
    for rec in health['recommendations']:
        print(f"  - {rec}")

Verify Dependencies

Mark dependencies as verified after security review:

python
# Verify a dependency after security review
supply.verify_dependency(
    agent_id="agent-1",
    dependency_id="dep_123",
    verified_by="security@company.com",
    notes="Reviewed v0.1.0, no security issues found",
    expiry_days=90  # Verification expires in 90 days
)

# Get verification status
deps = supply.list_dependencies("agent-1")
for dep in deps:
    status = "Verified" if dep['verified'] else "Unverified"
    print(f"{dep['name']}@{dep['version']}: {status}")
    if dep['verified']:
        print(f"  Verified by: {dep['verifiedBy']}")
        print(f"  Expires: {dep['verificationExpiry']}")
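The health score and verification sections above describe what get_health_score() and verify_dependency() return but not how verification expiry feeds into the score. The following is an added example, not Tork's scoring formula: the two factors, their weights, the per-severity penalties and the grade thresholds are assumptions chosen for illustration, and the sample dependencies and vulnerability list are constructed. The output mirrors the keys the docs print so the reporting loops above apply to it directly; the point it adds is that a lapsed verification is treated as unverified and produces a re-verify recommendation.

```python
"""Illustrative supply chain health score with verification expiry.

Added example, not Tork's own scoring. Weights, penalties, thresholds
and sample data are constructed assumptions.
"""
from __future__ import annotations

from datetime import date, timedelta

SEVERITY_PENALTY = {"critical": 40, "high": 20, "medium": 10, "low": 5}  # assumed
FACTOR_WEIGHTS = {"verification": 40, "vulnerabilities": 60}  # assumed, sums to 100


def verify_dependency(dep: dict, verified_by: str, notes: str, expiry_days: int, today: date) -> dict:
    """Mark a dependency verified, recording who did it and when the verification lapses."""
    dep.update({
        "verified": True,
        "verifiedBy": verified_by,
        "verificationNotes": notes,
        "verificationExpiry": (today + timedelta(days=expiry_days)).isoformat(),
    })
    return dep


def is_verification_active(dep: dict, today: date) -> bool:
    """A verification counts only until its expiry date; a lapsed one is unverified again."""
    if not dep.get("verified"):
        return False
    expiry = dep.get("verificationExpiry")
    return expiry is None or date.fromisoformat(expiry) >= today


def grade_for(score: float) -> str:
    """Letter grade on assumed thresholds: 90 A, 80 B, 70 C, 60 D, else F."""
    for threshold, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return letter
    return "F"


def get_health_score(deps: list[dict], vulns: list[dict], today: date) -> dict:
    """Weighted score from verification coverage and open-vulnerability exposure."""
    total = len(deps)
    verified = sum(1 for d in deps if is_verification_active(d, today))
    verification_score = 100.0 * verified / total if total else 100.0

    penalty = sum(SEVERITY_PENALTY.get(v["severity"], 0) for v in vulns)
    vuln_score = max(0.0, 100.0 - penalty)

    factors = [
        {"name": "verification", "score": round(verification_score), "weight": FACTOR_WEIGHTS["verification"]},
        {"name": "vulnerabilities", "score": round(vuln_score), "weight": FACTOR_WEIGHTS["vulnerabilities"]},
    ]
    health = sum(f["score"] * f["weight"] for f in factors) / 100

    recommendations = []
    for d in deps:
        if d.get("verified") and not is_verification_active(d, today):
            recommendations.append(
                f"Re-verify {d['name']}@{d['version']}: verification expired {d['verificationExpiry']}")
        elif not d.get("verified"):
            recommendations.append(f"Review and verify {d['name']}@{d['version']}")
    for v in vulns:
        if v.get("fixedVersion"):
            recommendations.append(f"Upgrade {v['dependency']} to {v['fixedVersion']} ({v['severity']})")

    return {
        "healthScore": round(health),
        "grade": grade_for(health),
        "totalDependencies": total,
        "verifiedDependencies": verified,
        "unverifiedDependencies": total - verified,
        "openVulnerabilities": len(vulns),
        "criticalVulnerabilities": sum(v["severity"] == "critical" for v in vulns),
        "highVulnerabilities": sum(v["severity"] == "high" for v in vulns),
        "factors": factors,
        "recommendations": recommendations,
    }


# Constructed sample: three dependencies, one verification already lapsed on the chosen date.
TODAY = date(2024, 6, 1)
SAMPLE_DEPS = [
    {"name": "langchain", "version": "0.1.0", "verified": False},
    {"name": "numpy", "version": "1.26.4", "verified": False},
    {"name": "gpt-4", "version": "0613", "verified": True,
     "verifiedBy": "security@example.invalid", "verificationExpiry": "2024-05-01"},
]
verify_dependency(SAMPLE_DEPS[1], "security@example.invalid", "Reviewed, no issues", 90, TODAY)
SAMPLE_VULNS = [{"dependency": "langchain", "severity": "high", "fixedVersion": "0.1.5"}]

if __name__ == "__main__":
    report = get_health_score(SAMPLE_DEPS, SAMPLE_VULNS, TODAY)
    print(f"Health Score: {report['healthScore']}/100, Grade: {report['grade']}")
    for rec in report["recommendations"]:
        print(f"  - {rec}")
```

On the sample date, only numpy's fresh verification is active, gpt-4's has lapsed and langchain was never verified, so one of three dependencies counts as verified; one open high-severity finding with an available fix adds an upgrade recommendation. Passing `today` explicitly keeps the calculation reproducible, which is also what you want when the score is recorded as evidence of a review.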

MCP Tools

| Tool | Description |
| --- | --- |
| tork_supply_chain_register | Register a new dependency |
| tork_supply_chain_check_vulnerabilities | Scan for vulnerabilities |
| tork_supply_chain_health_score | Get supply chain health score |
| tork_supply_chain_verify | Mark dependency as verified |
| tork_supply_chain_list | List all dependencies |