How Forge works
Forge is a sovereign, self-service platform: a developer logs in, describes an app, and gets it back born secure — in dev and prod — without ever touching the server. The operator stops being the middleman.
The flow — login to deploy
Every rung does the real thing. This is the ladder in the walkthrough, and the shape of the whole product.
1 · who
Log in
You, as yourself — a token, not the keys.
2 · what
Declare
You tell forge the app's shape.
3 · check
Gate
Forge checks the live schema vs your declaration.
4 · make
Provision
The broker builds dev + prod, born secure.
5 · ship
Deploy
Live HTTPS; one audit row.
6 · use
Users
The app's own people, from the directory.
The airlock — why you never touch the box
Forge's broker holds the only privileged database connection. Your role cannot CREATE SCHEMA; the broker provisions on your behalf, born-secure by construction — so an authorized developer cannot create an insecure app, even by accident. That is what lets self-service be safe.
The two walls (they defend against different attackers)
RLS · horizontal
Row-level security walls users and tenants off from each other. Even with the app's WHERE removed, the database still hides another's rows.
Encryption · vertical
Encryption blinds the platform operator itself — a superuser SELECT returns ciphertext. Sovereignty is not where the server sits; it is who holds the key.
Controller · above
The controller wall (SE / NO / DK) sits above both — derived from the login, non-self-assertable. You see only your jurisdiction's estate; the others are sealed off. This is what makes the audit trail survive an inspection from any authority.
A new kind of review
The gate is neither a linter (source text, generic, advisory) nor a human review (the bottleneck). It's a third thing: it reads the live schema, judges it against the developer's declaration, gates admission, and is dual-addressed — the mechanical findings carry a fix an AI applies; the intent findings carry a plain "confirm or lock down" only a human answers. That is how the review scales past the operator.
The pieces
- lib/
- The framework — gate · gen · render · bootstrap · registry · lifecycle · directory · authz · membership. What ships.
- forge-api
- The flow — login · declare · gate · provision · deploy · apps. Composes lib/.
- UI
- Learn · Console · drill-down — the three screens forge owns.
- underneath
- Native tools, deep-linked — GitHub/Forgejo (code) · Studio (data) · Authentik (identity) · Coolify (deploy). Forge never rebuilds them.
Born-secure guarantees
✓ RLS enabled + forced
✓ controller-walled
✓ owner + controller in every policy
✓ append-only audit
✓ PII born ciphertext
✓ gate-passed on deploy
Where it stands
Phase A — built
Mac · isolated
- framework factored (lib/ + tests/)
- forge-api: the whole flow, runnable
- Learn · Console · drill-down, live
- mock-auth, born-secure provision
Phase B — the real substrate
lab · side-by-side
- isolated Postgres on the lab
- Coolify for real deploy
- real Authentik (Azure federation)
- swap mock-auth → nothing else moves