We built an open-source IDP that stops AI-generated code from becoming tech debt
Source: Dev.to

Your team shipped 47 AI-generated components last month. How many passed a security review?
If you hesitated, you’re not alone. Teams are adopting AI code generation faster than they’re building guardrails around it. The result is what we call AI limbo engineering — beautiful code that nobody audited, nobody tested, and nobody can trace back to a decision.
We built Forge Space to fix that.
What is Forge Space?
An open-source Internal Developer Platform that adds governance to AI code generation. Think Backstage, but lightweight and focused on the generate-to-ship pipeline.
Every AI generation gets:
- An A‑F scorecard covering security, quality, accessibility, and compliance
- Policy checks that block or warn based on configurable rules
- An audit trail from prompt to production
Get started in 60 seconds
```shell
npx forge-init
```
This scaffolds governance files in your project:
```text
.forge/
policies/
security.policy.json     # no-secrets, dep scanning
quality.policy.json      # lint, tests, function size
compliance.policy.json   # license headers, audit trail
scorecard.json           # threshold and weight config
features.json            # feature flag seed
.github/workflows/
scorecard.yml            # PR scorecard comments
policy-check.yml         # blocks on violations
```
Now every PR gets scored:
```shell
npx forge-scorecard --threshold 70
```
```text
Forge Space Scorecard
━━━━━━━━━━━━━━━━━━━━
Security: 85/100 (weight: 30%)
Quality: 78/100 (weight: 30%)
Compliance: 90/100 (weight: 20%)
Operations: 72/100 (weight: 20%)
━━━━━━━━━━━━━━━━━━━━
Overall: 81/100 (B)
```
The three built-in policy packs
Security (blocks merges)
- no-secrets – Scans for hardcoded credentials and API keys
- dep-vulnerabilities – Flags high/critical CVEs in your dependency tree
Quality (warns)
- lint-clean – ESLint passes with zero errors
- tests-present – New modules include at least one test file
- no-large-functions – Functions stay under 50 lines
Compliance (warns)
- audit-trail – Generation logs are preserved
- feature-flagged – New features are behind feature flags
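As an added illustration (not Forge Space's own code), the snippet below models the gate the scorecard output and the policy packs describe: a weighted overall score checked against the CLI threshold, plus rules whose severity decides whether a failed check blocks the merge or only warns. The weights and threshold come from the output above; the A-F bands, the rule shape `{ id, severity, check, threshold }` (mirroring the custom policy JSON further down), and the check names and sample results are assumptions.

```javascript
// Added illustration, not Forge Space's implementation. Assumed: weights as in the
// scorecard output, 10-point grade bands, and a rule fails when its numeric check
// result exceeds the rule's threshold.
const WEIGHTS = { security: 0.3, quality: 0.3, compliance: 0.2, operations: 0.2 };
// Map a 0-100 score to a letter (assumed bands: A>=90, B>=80, C>=70, D>=60, else F).
function grade(score) {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}
// Weighted overall score, rounded to a whole number like the CLI prints.
function overall(scores, weights = WEIGHTS) {
  let total = 0;
  for (const [category, weight] of Object.entries(weights)) {
    total += (scores[category] ?? 0) * weight; // a missing category scores 0
  }
  return Math.round(total);
}
// Evaluate every rule against measured check results; checks with no result are skipped.
function evaluatePolicies(rules, results) {
  const violations = rules
    .filter((r) => results[r.check] !== undefined && results[r.check] > r.threshold)
    .map((r) => ({ id: r.id, severity: r.severity, value: results[r.check], threshold: r.threshold }));
  return {
    blocked: violations.some((v) => v.severity === "block"),
    warnings: violations.filter((v) => v.severity === "warn").map((v) => v.id),
    violations,
  };
}
// A PR passes only if the overall score meets the threshold and no block-severity rule failed.
function gatePullRequest(scores, rules, results, threshold = 70) {
  const score = overall(scores);
  const policy = evaluatePolicies(rules, results);
  return { score, grade: grade(score), passed: score >= threshold && !policy.blocked, ...policy };
}
// Constructed sample input: the category scores from the output above, and three rules
// modelled on the built-in packs (secrets found, longest function in lines, bundle size in KB).
const SAMPLE_SCORES = { security: 85, quality: 78, compliance: 90, operations: 72 };
const SAMPLE_RULES = [
  { id: "no-secrets", severity: "block", check: "secrets-found", threshold: 0 },
  { id: "no-large-functions", severity: "warn", check: "max-function-lines", threshold: 50 },
  { id: "max-bundle-size", severity: "block", check: "bundle-size", threshold: 3072 },
];
const SAMPLE_RESULTS = { "secrets-found": 0, "max-function-lines": 64, "bundle-size": 2900 };
console.log(gatePullRequest(SAMPLE_SCORES, SAMPLE_RULES, SAMPLE_RESULTS));
```

With the sample input the PR scores 81 (B), gets a warning for the 64-line function, and passes; raising `secrets-found` to 1 trips the block-severity rule and fails the gate regardless of the score.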
You can add custom policies too:
```json
{
  "name": "custom",
  "rules": [
    {
      "id": "max-bundle-size",
      "severity": "block",
      "check": "bundle-size",
      "threshold": 3072
    }
  ]
}
```
Beyond CLI: the full platform
Forge Space is more than CI checks. The web app (siza.forgespace.co) gives you:
- AI code generation with inline A‑F quality scoring
- Service catalog for tracking your services, APIs, and libraries
- Golden path templates for scaffolding new projects with governance built in
- BYOK support — bring your own Anthropic, OpenAI, or Google API keys
The MCP gateway routes AI tool calls through a central hub with JWT auth, RBAC, and audit logging.
Why not just use Backstage?
Backstage is excellent for large enterprises with dedicated platform teams. But if you’re a team of 5–50 developers:
| Feature | Backstage | Forge Space |
|---|---|---|
| Setup time | Days to weeks | npx forge-init |
| Platform team required | Yes | No |
| Cost | Infrastructure + maintenance | Free tier, self‑hostable |
| AI‑native | Plugin ecosystem | Built‑in generation + scoring |
| Focus | Service catalog | Generate‑to‑ship governance |
We’re not replacing Backstage. We’re filling the gap for teams that need governance now but can’t justify a platform team.
It’s open source
Everything is MIT licensed across 9 repos:
- @forgespace/core – Scorecard engine, policy evaluator, CLI tools
- @forgespace/ui-mcp – MCP server for UI generation (30+ tools)
- @forgespace/siza-gen – Context assembler for AI generation
- mcp-gateway – Central routing hub with auth and audit
- siza – Next.js web app + Electron desktop app
All on npm. All on GitHub.
What’s next
We’re focused on getting this into real teams’ hands before building more features. If you:
- Want to try it: siza.forgespace.co (free tier, no credit card)
- Want to self-host: `npx forge-init` + check the docs
- Want to contribute: We have good first issues waiting
Star us on GitHub if this resonates.