We built an open-source IDP that stops AI-generated code from becoming tech debt

Lucas Santana — Sat, 07 Mar 2026 20:21:51 +0000

Your team shipped 47 AI-generated components last month. How many passed a security review?

If you hesitated, you're not alone. Teams are adopting AI code generation faster than they're building guardrails around it. The result is what we call AI limbo engineering — beautiful code that nobody audited, nobody tested, and nobody can trace back to a decision.

We built Forge Space to fix that.

What is Forge Space?

An open-source Internal Developer Platform that adds governance to AI code generation. Think Backstage, but lightweight and focused on the generate-to-ship pipeline.

Every AI generation gets:

An A-F scorecard covering security, quality, accessibility, and compliance
Policy checks that block or warn based on configurable rules
An audit trail from prompt to production

Get started in 60 seconds

npx forge-init

This scaffolds governance files in your project:

.forge/
  policies/
    security.policy.json    # no-secrets, dep scanning
    quality.policy.json     # lint, tests, function size
    compliance.policy.json  # license headers, audit trail
  scorecard.json            # threshold and weight config
  features.json             # feature flag seed
.github/workflows/
  scorecard.yml             # PR scorecard comments
  policy-check.yml          # blocks on violations

Now every PR gets scored:

npx forge-scorecard --threshold 70

Forge Space Scorecard
━━━━━━━━━━━━━━━━━━━━
Security:    85/100 (weight: 30%)
Quality:     78/100 (weight: 30%)
Compliance:  90/100 (weight: 20%)
Operations:  72/100 (weight: 20%)
━━━━━━━━━━━━━━━━━━━━
Overall: 81/100 (B)

The three built-in policy packs

Security (blocks merges)

no-secrets: Scans for hardcoded credentials and API keys
dep-vulnerabilities: Flags high/critical CVEs in your dependency tree

Quality (warns)

lint-clean: ESLint passes with zero errors
tests-present: New modules include at least one test file
no-large-functions: Functions stay under 50 lines

Compliance (warns)

audit-trail: Generation logs are preserved
feature-flagged: New features are behind feature flags

You can add custom policies too:

{
  "name": "custom",
  "rules": [{
    "id": "max-bundle-size",
    "severity": "block",
    "check": "bundle-size",
    "threshold": 3072
  }]
}

Beyond CLI: the full platform

Forge Space is more than CI checks. The web app (siza.forgespace.co) gives you:

AI code generation with inline A-F quality scoring
Service catalog for tracking your services, APIs, and libraries
Golden path templates for scaffolding new projects with governance built in
BYOK support — bring your own Anthropic, OpenAI, or Google API keys

The MCP gateway routes AI tool calls through a central hub with JWT auth, RBAC, and audit logging.

Why not just use Backstage?

Backstage is excellent for large enterprises with dedicated platform teams. But if you're a team of 5-50 developers:

	Backstage	Forge Space
Setup time	Days to weeks	`npx forge-init`
Platform team required	Yes	No
Cost	Infrastructure + maintenance	Free tier, self-hostable
AI-native	Plugin ecosystem	Built-in generation + scoring
Focus	Service catalog	Generate-to-ship governance

We're not replacing Backstage. We're filling the gap for teams that need governance now but can't justify a platform team.

It's open source

Everything is MIT licensed across 9 repos:

@forgespace/core — Scorecard engine, policy evaluator, CLI tools
@forgespace/ui-mcp — MCP server for UI generation (30+ tools)
@forgespace/siza-gen — Context assembler for AI generation
mcp-gateway — Central routing hub with auth and audit
siza — Next.js web app + Electron desktop app

All on npm. All on GitHub.

What's next

We're focused on getting this into real teams' hands before building more features. If you:

Want to try it: siza.forgespace.co (free tier, no credit card)
Want to self-host: npx forge-init + check the docs
Want to contribute: We have good first issues waiting

Star us on GitHub if this resonates: github.com/Forge-Space

Forge Space is built by a small team that got tired of AI-generated code bypassing every quality check we spent years building. If you've felt the same frustration, we'd love to hear from you.

DEV Community: Lucas Santana