Lucas Santana

We built an open-source IDP that stops AI-generated code from becoming tech debt

Your team shipped 47 AI-generated components last month. How many passed a security review?

If you hesitated, you're not alone. Teams are adopting AI code generation faster than they're building guardrails around it. The result is what we call AI limbo engineering — beautiful code that nobody audited, nobody tested, and nobody can trace back to a decision.

We built Forge Space to fix that.

What is Forge Space?

An open-source Internal Developer Platform that adds governance to AI code generation. Think Backstage, but lightweight and focused on the generate-to-ship pipeline.

Every AI generation gets:

  • An A-F scorecard covering security, quality, accessibility, and compliance
  • Policy checks that block or warn based on configurable rules
  • An audit trail from prompt to production

Get started in 60 seconds

npx forge-init

This scaffolds governance files in your project:

.forge/
  policies/
    security.policy.json    # no-secrets, dep scanning
    quality.policy.json     # lint, tests, function size
    compliance.policy.json  # license headers, audit trail
  scorecard.json            # threshold and weight config
  features.json             # feature flag seed
.github/workflows/
  scorecard.yml             # PR scorecard comments
  policy-check.yml          # blocks on violations

Now every PR gets scored:

npx forge-scorecard --threshold 70
Forge Space Scorecard
━━━━━━━━━━━━━━━━━━━━
Security:    85/100 (weight: 30%)
Quality:     78/100 (weight: 30%)
Compliance:  90/100 (weight: 20%)
Operations:  72/100 (weight: 20%)
━━━━━━━━━━━━━━━━━━━━
Overall: 81/100 (B)
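As an added example (not code from Forge Space's own scorecard engine), here is how the weighted overall score and letter grade in that output can be computed and then checked against a `--threshold`, the way a CI step would decide pass or fail. The category names and weights mirror the output above; the letter-grade cut-offs and the rounding of the weighted sum are assumptions, since the page only shows that 81/100 maps to a B.

```javascript
// Added example (not Forge Space's own scorecard engine). Category names
// and weights mirror the CLI output above; the letter-grade cut-offs and
// the rounding of the weighted sum are assumptions.
const SCORECARD_CONFIG = {
  weights: { security: 0.3, quality: 0.3, compliance: 0.2, operations: 0.2 },
  // Assumed cut-offs, checked top-down: the first lower bound the score reaches wins.
  grades: [[90, "A"], [80, "B"], [70, "C"], [60, "D"], [0, "F"]],
};

// A misconfigured scorecard.json whose weights do not sum to 1 would silently
// skew every overall score, so refuse it up front.
function validateWeights(weights) {
  const total = Object.values(weights).reduce((sum, w) => sum + w, 0);
  if (Math.abs(total - 1) > 1e-9) {
    throw new Error(`category weights sum to ${total}, expected 1`);
  }
}

function letterGrade(score, grades) {
  for (const [lowerBound, letter] of grades) {
    if (score >= lowerBound) return letter;
  }
  return "F";
}

// Returns the rounded weighted overall score and its letter grade.
function computeScorecard(categoryScores, config = SCORECARD_CONFIG) {
  validateWeights(config.weights);
  let weighted = 0;
  for (const [category, weight] of Object.entries(config.weights)) {
    const score = categoryScores[category];
    if (!Number.isFinite(score) || score < 0 || score > 100) {
      throw new Error(`missing or out-of-range score for "${category}"`);
    }
    weighted += score * weight;
  }
  const overall = Math.round(weighted);
  return { overall, grade: letterGrade(overall, config.grades) };
}

// The pass/fail decision a CI step such as `forge-scorecard --threshold 70` would make.
function meetsThreshold(categoryScores, threshold, config = SCORECARD_CONFIG) {
  return computeScorecard(categoryScores, config).overall >= threshold;
}

// Constructed input matching the sample output above.
const SAMPLE_SCORES = { security: 85, quality: 78, compliance: 90, operations: 72 };
const sampleResult = computeScorecard(SAMPLE_SCORES);
console.log(`Overall: ${sampleResult.overall}/100 (${sampleResult.grade})`);
console.log(`Passes --threshold 70: ${meetsThreshold(SAMPLE_SCORES, 70)}`);
```

The weight validation is the part worth keeping even if the cut-offs differ: a scorecard whose weights quietly sum to 0.9 or 1.1 still prints plausible numbers, so the gate itself becomes untrustworthy without anyone noticing.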

The three built-in policy packs

Security (blocks merges)

  • no-secrets: Scans for hardcoded credentials and API keys
  • dep-vulnerabilities: Flags high/critical CVEs in your dependency tree

Quality (warns)

  • lint-clean: ESLint passes with zero errors
  • tests-present: New modules include at least one test file
  • no-large-functions: Functions stay under 50 lines

Compliance (warns)

  • audit-trail: Generation logs are preserved
  • feature-flagged: New features are behind feature flags

You can add custom policies too:

{
  "name": "custom",
  "rules": [{
    "id": "max-bundle-size",
    "severity": "block",
    "check": "bundle-size",
    "threshold": 3072
  }]
}
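An added example, not Forge Space's own evaluator, of how a policy pack in this JSON shape could be evaluated: each rule's `check` name is dispatched to a check function that runs over a project snapshot, and the rule's `severity` decides whether a finding blocks the merge or only warns. Besides the `bundle-size` rule shown above it includes `no-secrets` and `tests-present` checks modelled on the built-in packs; the snapshot format, the KB unit for `threshold`, the credential patterns, and the test-file naming convention are all assumptions.

```javascript
// Added example (not Forge Space's policy evaluator). The policy pack keeps
// the JSON shape shown above; the snapshot format, the KB unit for the
// bundle-size threshold, and the secret patterns are assumptions.
const POLICY_PACK = {
  name: "custom",
  rules: [
    { id: "max-bundle-size", severity: "block", check: "bundle-size", threshold: 3072 },
    { id: "no-secrets", severity: "block", check: "no-secrets" },
    { id: "tests-present", severity: "warn", check: "tests-present" },
  ],
};

// Constructed project snapshot (not a real project): bundle size in KB and
// a map of file path -> file contents. The credential is a placeholder.
const SNAPSHOT = {
  bundleSizeKb: 3500,
  files: {
    "src/payments.js": 'const client = createClient({ apiKey: "sk_live_EXAMPLE_PLACEHOLDER" });\n',
    "src/utils.js": "export const sum = (a, b) => a + b;\n",
    "src/utils.test.js": "test('sum', () => expect(sum(1, 2)).toBe(3));\n",
  },
};

// Illustrative patterns for hardcoded credentials: a key-like name assigned
// a quoted literal, or a vendor-style prefixed token. A real scanner would
// use a much larger, tuned rule set.
const SECRET_PATTERNS = [
  /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}["']/i,
  /\b(sk|pk)_(live|test)_[A-Za-z0-9]{8,}/,
];

// Each check returns a list of human-readable findings (empty = compliant).
const CHECKS = {
  "bundle-size": (rule, snap) =>
    snap.bundleSizeKb > rule.threshold
      ? [`bundle is ${snap.bundleSizeKb} KB, limit is ${rule.threshold} KB`]
      : [],
  "no-secrets": (_rule, snap) => {
    const findings = [];
    for (const [path, text] of Object.entries(snap.files)) {
      text.split("\n").forEach((line, i) => {
        if (SECRET_PATTERNS.some((re) => re.test(line))) {
          findings.push(`${path}:${i + 1} looks like a hardcoded credential`);
        }
      });
    }
    return findings;
  },
  "tests-present": (_rule, snap) => {
    const paths = Object.keys(snap.files);
    const isTest = (p) => /\.(test|spec)\.[jt]sx?$/.test(p);
    const stem = (p) => p.replace(/\.[jt]sx?$/, "");
    return paths
      .filter((p) => p.startsWith("src/") && !isTest(p))
      .filter((p) => !paths.some((t) => isTest(t) && t.startsWith(stem(p))))
      .map((p) => `${p} has no matching test file`);
  },
};

// Runs every rule in the pack; an unknown check or severity is a
// configuration error and fails loudly rather than passing silently.
function evaluatePolicy(pack, snapshot) {
  const violations = [];
  for (const rule of pack.rules) {
    const check = CHECKS[rule.check];
    if (!check) throw new Error(`rule ${rule.id}: unknown check "${rule.check}"`);
    if (!["block", "warn"].includes(rule.severity)) {
      throw new Error(`rule ${rule.id}: unknown severity "${rule.severity}"`);
    }
    for (const message of check(rule, snapshot)) {
      violations.push({ rule: rule.id, severity: rule.severity, message });
    }
  }
  return { blocked: violations.some((v) => v.severity === "block"), violations };
}

const verdict = evaluatePolicy(POLICY_PACK, SNAPSHOT);
for (const v of verdict.violations) console.log(`[${v.severity}] ${v.rule}: ${v.message}`);
console.log(verdict.blocked ? "merge blocked" : "merge allowed");
```

On the constructed snapshot this reports an oversized bundle and a credential-looking literal as blocking findings and the missing test for `src/payments.js` as a warning; the one design choice to copy is that a rule referencing a check the evaluator does not know throws instead of being skipped, so a typo in a policy file cannot turn a gate into a no-op.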

Beyond CLI: the full platform

Forge Space is more than CI checks. The web app (siza.forgespace.co) gives you:

  • AI code generation with inline A-F quality scoring
  • Service catalog for tracking your services, APIs, and libraries
  • Golden path templates for scaffolding new projects with governance built in
  • BYOK support — bring your own Anthropic, OpenAI, or Google API keys

The MCP gateway routes AI tool calls through a central hub with JWT auth, RBAC, and audit logging.

Why not just use Backstage?

Backstage is excellent for large enterprises with dedicated platform teams. But if you're a team of 5-50 developers:

| | Backstage | Forge Space |
|---|---|---|
| Setup time | Days to weeks | npx forge-init |
| Platform team required | Yes | No |
| Cost | Infrastructure + maintenance | Free tier, self-hostable |
| AI-native | Plugin ecosystem | Built-in generation + scoring |
| Focus | Service catalog | Generate-to-ship governance |

We're not replacing Backstage. We're filling the gap for teams that need governance now but can't justify a platform team.

It's open source

Everything is MIT licensed across 9 repos:

  • @forgespace/core — Scorecard engine, policy evaluator, CLI tools
  • @forgespace/ui-mcp — MCP server for UI generation (30+ tools)
  • @forgespace/siza-gen — Context assembler for AI generation
  • mcp-gateway — Central routing hub with auth and audit
  • siza — Next.js web app + Electron desktop app

All on npm. All on GitHub.

What's next

We're focused on getting this into real teams' hands before building more features. If you:

  • Want to try it: siza.forgespace.co (free tier, no credit card)
  • Want to self-host: npx forge-init + check the docs
  • Want to contribute: We have good first issues waiting

Star us on GitHub if this resonates: github.com/Forge-Space


Forge Space is built by a small team that got tired of AI-generated code bypassing every quality check we spent years building. If you've felt the same frustration, we'd love to hear from you.
