Aleris Forge  how it works
To the console →

How Forge works

Forge is a sovereign, self-service platform: a developer logs in, describes an app, and gets it back born secure — in dev and prod — without ever touching the server. The operator stops being the middleman.

The flow — login to deploy

Every rung does the real thing. This is the ladder in the walkthrough, and the shape of the whole product.

1 · who
Log in
You, as yourself — a token, not the keys.
2 · what
Declare
You tell forge the app's shape.
3 · check
Gate
Forge checks the live schema vs your declaration.
4 · make
Provision
The broker builds dev + prod, born secure.
5 · ship
Deploy
Live HTTPS; one audit row.
6 · use
Users
The app's own people, from the directory.

The airlock — why you never touch the box

Forge's broker holds the only privileged database connection. Your role cannot CREATE SCHEMA; the broker provisions on your behalf, born-secure by construction — so an authorized developer cannot create an insecure app, even by accident. That is what lets self-service be safe.

The two walls (they defend against different attackers)

RLS · horizontal
Row-level security walls users and tenants off from each other. Even with the app's WHERE removed, the database still hides another's rows.
Encryption · vertical
Encryption blinds the platform operator itself — a superuser SELECT returns ciphertext. Sovereignty is not where the server sits; it is who holds the key.
Controller · above
The controller wall (SE / NO / DK) sits above both — derived from the login, non-self-assertable. You see only your jurisdiction's estate; the others are sealed off. This is what makes the audit trail survive an inspection from any authority.

A new kind of review

The gate is neither a linter (source text, generic, advisory) nor a human review (the bottleneck). It's a third thing: it reads the live schema, judges it against the developer's declaration, gates admission, and is dual-addressed — the mechanical findings carry a fix an AI applies; the intent findings carry a plain "confirm or lock down" only a human answers. That is how the review scales past the operator.

The pieces

lib/
The framework — gate · gen · render · bootstrap · registry · lifecycle · directory · authz · membership. What ships.
forge-api
The flow — login · declare · gate · provision · deploy · apps. Composes lib/.
UI
Learn · Console · drill-down — the three screens forge owns.
underneath
Native tools, deep-linked — GitHub/Forgejo (code) · Studio (data) · Authentik (identity) · Coolify (deploy). Forge never rebuilds them.

Born-secure guarantees

RLS enabled + forced controller-walled owner + controller in every policy append-only audit PII born ciphertext gate-passed on deploy

Where it stands

Phase A — built

Mac · isolated
  • framework factored (lib/ + tests/)
  • forge-api: the whole flow, runnable
  • Learn · Console · drill-down, live
  • mock-auth, born-secure provision

Phase B — the real substrate

lab · side-by-side
  • isolated Postgres on the lab
  • Coolify for real deploy
  • real Authentik (Azure federation)
  • swap mock-auth → nothing else moves
Start the walkthrough Open the console