12 / 12 services live on the substrate

A security platform with tenancy by construction

Forge is an offensive and defensive security suite — twelve services, one substrate. The worst bug class in multi-tenant software, the cross-tenant data leak, is made structurally impossible: an un-scoped database query simply won't compile.

12 services · ~12 shared crates · 0 un-scoped queries · RLS + type-enforced
The thesis

Isolation that can't be forgotten

The previous system retrofitted tenant isolation as a per-call-site discipline and leaked across tenants for ~40 review cycles. Forge is a strangler-fig rebuild around a small substrate that encodes the hard-won lessons so the mistake can't recur.


Scoped by the type system

Tenant data is reachable only through a typed TenantScoped handle. Handler code never touches a raw connection — there is no API to write the unsafe query.


Defended in depth

Every tenant table carries a composite (tenant_id, org_id) key and a Postgres Row-Level-Security policy applied automatically by the migration framework, enforced for non-superuser roles.

Proven in CI

Every repository is covered by an isolation property test; an unregistered repo fails the build. Any deliberately global access uses an explicit, commented, test-guarded type.

// Tenant data is only reachable through the scoped handle —
// there is no method that hands you a raw pool.
let findings = scoped.repo::<Finding>().list().await?; // ✓ tenant-bounded
let rows = pool.query("SELECT * FROM findings"); // ✗ won't compile — no `pool` in scope
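How a handle with the shape sketched above can be made to enforce scoping through the type system, as an added example. This is not Forge's code: forge-core's real API, its Postgres wiring and its property-test harness are not on this page, and the in-memory Pool, the Finding table, the GlobalAccess type and the isolation_holds check are constructed stand-ins. What it shows is that the tenant predicate is applied once, inside the substrate module, the raw table is a private field, and code outside the module can only reach rows through a tenant-bound handle; the line that would read the pool directly is left as a comment because it does not compile there.

```rust
// Added example (not Forge's code): a TenantScoped handle over a constructed
// in-memory "pool" instead of Postgres.
mod substrate {
    use std::marker::PhantomData;

    #[derive(Clone, Debug, PartialEq)]
    pub struct Finding {
        pub tenant_id: u32,
        pub title: String,
    }

    /// Tenant tables implement this; `rows` is the only route to a table and it
    /// can only be called from inside this module (it needs the private field).
    pub trait TenantRow: Clone {
        fn tenant_id(&self) -> u32;
        fn rows(pool: &Pool) -> &[Self];
    }

    impl TenantRow for Finding {
        fn tenant_id(&self) -> u32 { self.tenant_id }
        fn rows(pool: &Pool) -> &[Finding] { &pool.findings }
    }

    /// The connection pool. The table is private, so handler code outside this
    /// module cannot write an un-scoped query: `pool.findings` does not compile.
    pub struct Pool { findings: Vec<Finding> }

    impl Pool {
        pub fn new(findings: Vec<Finding>) -> Pool { Pool { findings } }
        /// The only public route to data: bind a tenant first.
        pub fn scope(&self, tenant_id: u32) -> TenantScoped<'_> {
            TenantScoped { pool: self, tenant_id }
        }
        /// Deliberately global access is a separate, named type that reviewers
        /// can grep for and tests can guard (assumed shape; the page names no type).
        pub fn global_access(&self, _reason: &'static str) -> GlobalAccess<'_> {
            GlobalAccess { pool: self }
        }
    }

    pub struct TenantScoped<'a> { pool: &'a Pool, tenant_id: u32 }

    impl TenantScoped<'_> {
        pub fn tenant_id(&self) -> u32 { self.tenant_id }
        /// Typed repository; every query it runs carries the tenant predicate.
        pub fn repo<T: TenantRow>(&self) -> Repo<'_, T> {
            Repo { pool: self.pool, tenant_id: self.tenant_id, _row: PhantomData }
        }
    }

    pub struct Repo<'a, T: TenantRow> { pool: &'a Pool, tenant_id: u32, _row: PhantomData<T> }

    impl<T: TenantRow> Repo<'_, T> {
        /// The tenant filter is applied here, once, not at each call site.
        pub fn list(&self) -> Vec<T> {
            T::rows(self.pool).iter().filter(|r| r.tenant_id() == self.tenant_id).cloned().collect()
        }
    }

    pub struct GlobalAccess<'a> { pool: &'a Pool }

    impl GlobalAccess<'_> {
        pub fn count_all_findings(&self) -> usize { self.pool.findings.len() }
    }

    /// The isolation property the page says CI checks per repository: for every
    /// tenant, a scoped listing returns rows of that tenant only.
    pub fn isolation_holds(pool: &Pool, tenants: &[u32]) -> bool {
        tenants.iter().all(|&t| {
            pool.scope(t).repo::<Finding>().list().iter().all(|f| f.tenant_id == t)
        })
    }
}

use substrate::{isolation_holds, Finding, Pool};

/// Constructed sample data: two tenants, three findings.
pub fn sample_pool() -> Pool {
    Pool::new(vec![
        Finding { tenant_id: 1, title: "Exposed admin panel".into() },
        Finding { tenant_id: 1, title: "Outdated TLS".into() },
        Finding { tenant_id: 2, title: "Weak password policy".into() },
    ])
}

fn main() {
    let pool = sample_pool();
    let scoped = pool.scope(1);
    let findings = scoped.repo::<Finding>().list(); // tenant-bounded
    println!("tenant {} sees {} finding(s)", scoped.tenant_id(), findings.len());
    // let rows = &pool.findings; // does not compile here: the field is private
    println!("isolation property holds: {}", isolation_holds(&pool, &[1, 2, 3]));
    println!("global rows (explicit type): {}", pool.global_access("nightly metrics").count_all_findings());
}
```

The privacy boundary is the module, not a naming convention: a handler file that wants a raw row set has to go through global_access, which gives reviewers one grep target for every deliberately global read.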
The substrate

One implementation of each shared concern

The old system carried 54 shared libraries, most doubled across languages. Forge consolidates them into roughly a dozen Rust crates — one implementation each, no language doubles — with forge-core (auth · tenancy · db · audit) as the load-bearing centre.

forge-core · auth + tenancy + db + audit
forge-events · signed event envelopes
forge-saga · compensating workflows
forge-outbound · retrying HTTP egress
forge-ratelimit · token-bucket limits
forge-obs · OpenTelemetry observability
forge-i18n · localized content + negotiation
forge-ui · embedded React frontend
forge-test · isolation + property harness
forge-cli · forge new service generator

Hash-chained audit

Every mutation is recorded on a SHA-256 hash-chained, anchor-signed audit log with a tamper-evident verify path. Mutations are audited atomically in the same transaction.
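What a hash-chained, anchored audit log with a verify path looks like in practice, as an added example that is not Forge's code. Forge's log is SHA-256; to stay dependency-free this example swaps in 64-bit FNV-1a, which is not collision-resistant and is a labelled stand-in only. The Entry layout, the keyed-hash "anchor" (a stand-in for the signature the page mentions) and the tamper helpers are constructed for the example. The verify path recomputes every link from genesis and then checks the head against the anchor, which is what catches an attacker who edits a row and re-hashes the whole chain after it.

```rust
// Added example (not Forge's code). Hash function is a stand-in: FNV-1a 64-bit
// instead of the SHA-256 the real log uses.
pub fn fnv1a64(parts: &[&[u8]]) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for part in parts {
        for &b in *part {
            h ^= b as u64;
            h = h.wrapping_mul(0x100000001b3);
        }
    }
    h
}

#[derive(Clone, Debug)]
pub struct Entry {
    pub seq: u64,
    pub tenant_id: u32,
    pub action: String,
    pub prev: u64, // hash of the previous entry (0 for the genesis entry)
    pub hash: u64, // hash over (prev, seq, tenant_id, action)
}

impl Entry {
    fn compute_hash(prev: u64, seq: u64, tenant_id: u32, action: &str) -> u64 {
        fnv1a64(&[&prev.to_be_bytes()[..], &seq.to_be_bytes()[..],
                  &tenant_id.to_be_bytes()[..], action.as_bytes()])
    }
}

/// Periodic anchor: chain length, head hash and a tag made with a key the log
/// writer never holds. A real deployment signs this; the keyed hash is a stand-in.
#[derive(Clone, Debug, PartialEq)]
pub struct Anchor { pub seq: u64, pub head: u64, pub tag: u64 }

#[derive(Debug, PartialEq)]
pub enum VerifyError { BrokenLink { seq: u64 }, AnchorMismatch }

#[derive(Clone, Default)]
pub struct AuditLog { entries: Vec<Entry> }

impl AuditLog {
    pub fn new() -> Self { Self::default() }

    /// Append one mutation record. In Forge this happens in the same transaction
    /// as the mutation itself; here it is an in-memory push.
    pub fn record(&mut self, tenant_id: u32, action: &str) -> u64 {
        let seq = self.entries.len() as u64 + 1;
        let prev = self.entries.last().map_or(0, |e| e.hash);
        let hash = Entry::compute_hash(prev, seq, tenant_id, action);
        self.entries.push(Entry { seq, tenant_id, action: action.to_string(), prev, hash });
        hash
    }

    pub fn head(&self) -> u64 { self.entries.last().map_or(0, |e| e.hash) }

    pub fn anchor(&self, anchor_key: &[u8]) -> Anchor {
        let head = self.head();
        Anchor { seq: self.entries.len() as u64, head, tag: fnv1a64(&[anchor_key, &head.to_be_bytes()[..]]) }
    }

    /// Walk from genesis recomputing every link, then check the head against the
    /// anchor. An edited, dropped or reordered entry breaks a link; a fully
    /// re-hashed chain has a different head and fails the anchor check instead.
    pub fn verify(&self, anchor: &Anchor, anchor_key: &[u8]) -> Result<(), VerifyError> {
        let mut prev = 0u64;
        for (i, e) in self.entries.iter().enumerate() {
            let expected = Entry::compute_hash(prev, e.seq, e.tenant_id, &e.action);
            if e.seq != i as u64 + 1 || e.prev != prev || e.hash != expected {
                return Err(VerifyError::BrokenLink { seq: e.seq });
            }
            prev = e.hash;
        }
        let expected_tag = fnv1a64(&[anchor_key, &anchor.head.to_be_bytes()[..]]);
        if anchor.seq != self.entries.len() as u64 || anchor.head != prev || anchor.tag != expected_tag {
            return Err(VerifyError::AnchorMismatch);
        }
        Ok(())
    }

    /// Test hook simulating an attacker with write access editing one row.
    pub fn tamper(&mut self, seq: u64, new_action: &str) {
        if let Some(e) = self.entries.iter_mut().find(|e| e.seq == seq) { e.action = new_action.to_string(); }
    }
    /// Test hook simulating the same attacker re-hashing the whole chain afterwards.
    pub fn rechain(&mut self) {
        let mut prev = 0u64;
        for e in self.entries.iter_mut() {
            e.prev = prev;
            e.hash = Entry::compute_hash(prev, e.seq, e.tenant_id, &e.action);
            prev = e.hash;
        }
    }
    pub fn truncate_last(&mut self) { self.entries.pop(); }
}

fn main() {
    let key: &[u8] = b"anchor-key-constructed"; // constructed; a real anchor is signed
    let mut log = AuditLog::new();
    log.record(1, "finding.create");
    log.record(1, "finding.update");
    log.record(2, "scan.start");
    let anchor = log.anchor(key);
    println!("{} entries, head {:016x}: {:?}", anchor.seq, anchor.head, log.verify(&anchor, key));
    let mut edited = log.clone();
    edited.tamper(2, "finding.delete");
    println!("after editing entry 2: {:?}", edited.verify(&anchor, key));
    edited.rechain();
    println!("after re-hashing the chain: {:?}", edited.verify(&anchor, key));
}
```

The anchor is what makes the chain tamper-evident rather than merely self-consistent: without an out-of-band head, anyone who can write to the audit table can rewrite history and re-hash it. Swap fnv1a64 for a real hash and the tag for a signature before treating any of this as more than an illustration.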

Fail-closed by default

Misconfiguration returns a loud 503, never a silent fallback. Encryption failure deletes partial output and plaintext. Field-level AES-256-GCM keeps secrets encrypted at rest.

Correct-by-default generator

forge new scaffolds a service that already ships with health, auth, scoped resources, RLS, and isolation tests — CI-green from the first commit.

The services

Twelve forges, one substrate

Each service is rebuilt greenfield on forge-core — tenancy by construction, atomically audited, isolation-tested. Below is what each one does.

Each card links to that service's live /health/ready probe on its own subdomain. The data APIs at <name>forge.genialarchitect.cloud/api/v1/… are auth-protected and answer 401 without a token (fail-closed by design).

HeroForge

live ↗

Vulnerability scanner and red / blue / purple team operations — scan targets, saga-orchestrated runs, and findings with remediation.

SentinelForge

live ↗

SIEM and detection engineering — detection rules, threat-intel indicators, and an alert triage state machine.

ForensicForge

live ↗

Digital forensics and malware analysis — cases, custody-anchored evidence, and analyst findings with a tamper-evident chain.

TrafficForge

live ↗

Network traffic and DNS analytics — validated flow-record ingest with totals, bytes-by-protocol, and top destinations.

ReconForge

live ↗

Offensive recon and credential testing — authorization-by-construction engagements that scope-gate every finding and test.

TwinForge

live ↗

Infrastructure cloning across AWS, vSphere, Proxmox and libvirt — blueprints materialized by saga with compensation walk-back.

CommandForge

live ↗

GRC, SOAR and asset inventory — asset register and posture summaries that aggregate across the other services.

VaultForge

live ↗

Secret management and SSO gateway — SAML / OIDC federation with live JWKS and an auth-code redirect flow (state · nonce · PKCE).

ProvenanceForge

live ↗

DevSecOps and supply-chain security — encrypted SBOMs, component extraction, and content-digest-verified build attestations.

PortalForge

live ↗

Client delivery portal — two-tier auth where client-scoped tokens read only their own deliverables; cross-client is a 404.

FlowForge

live ↗

Pipeline orchestrator — a DAG engine with cycle detection and saga execution: forward run plus compensation walk-back.
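The DAG-plus-saga mechanism this card describes (and the compensation walk-back TwinForge and forge-saga rely on), as an added example that is not FlowForge's code: a Kahn's-algorithm planner that rejects cycles and unknown dependencies, then a runner that executes steps in planned order and, on the first failure, compensates every completed step in reverse. The sample pipeline, step names, failure reason and Event type are constructed for the example.

```rust
// Added example (not FlowForge's code): plan a DAG, refuse cycles, run as a saga.
use std::collections::{BTreeSet, HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum PlanError { Cycle, UnknownDependency(String) }

/// Kahn's algorithm over (step, dependencies) pairs. Returns a deterministic
/// topological order (ties broken by name) or reports why the graph is unusable.
pub fn plan(steps: &[(&str, Vec<&str>)]) -> Result<Vec<String>, PlanError> {
    let names: HashSet<&str> = steps.iter().map(|(n, _)| *n).collect();
    let mut indegree: HashMap<&str, usize> = HashMap::new();
    let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
    for (name, deps) in steps {
        indegree.entry(*name).or_insert(0);
        for dep in deps {
            if !names.contains(dep) {
                return Err(PlanError::UnknownDependency(dep.to_string()));
            }
            *indegree.get_mut(*name).unwrap() += 1;
            dependents.entry(*dep).or_default().push(*name);
        }
    }
    let mut ready: BTreeSet<&str> = indegree.iter().filter(|(_, c)| **c == 0).map(|(n, _)| *n).collect();
    let mut order = Vec::new();
    loop {
        let next = match ready.iter().next() { Some(&n) => n, None => break };
        ready.remove(next);
        order.push(next.to_string());
        for dep in dependents.get(next).into_iter().flatten() {
            let c = indegree.get_mut(dep).unwrap();
            *c -= 1;
            if *c == 0 { ready.insert(*dep); }
        }
    }
    // Anything never reaching indegree 0 sits on a cycle.
    if order.len() != names.len() { return Err(PlanError::Cycle); }
    Ok(order)
}

#[derive(Debug, Clone, PartialEq)]
pub enum Event { Ran(String), Failed(String), Compensated(String) }

/// Saga execution: run steps in planned order; on the first failure, walk back
/// over every completed step in reverse order, calling its compensation.
pub fn execute(
    order: &[String],
    run: impl Fn(&str) -> Result<(), String>,
    compensate: impl Fn(&str),
) -> Vec<Event> {
    let mut events = Vec::new();
    let mut done: Vec<&str> = Vec::new();
    for step in order {
        match run(step) {
            Ok(()) => { events.push(Event::Ran(step.clone())); done.push(step); }
            Err(reason) => {
                events.push(Event::Failed(format!("{step}: {reason}")));
                for s in done.iter().rev() {
                    compensate(s);
                    events.push(Event::Compensated(s.to_string()));
                }
                return events;
            }
        }
    }
    events
}

/// Constructed sample: a small provisioning pipeline.
pub fn sample_pipeline() -> Vec<(&'static str, Vec<&'static str>)> {
    vec![
        ("allocate_network", vec![]),
        ("create_vm", vec!["allocate_network"]),
        ("attach_storage", vec!["create_vm"]),
        ("register_dns", vec!["create_vm"]),
    ]
}

fn main() {
    match plan(&sample_pipeline()) {
        Ok(order) => {
            println!("plan: {}", order.join(" -> "));
            // Constructed failure: the storage step fails, so the VM and network
            // steps are compensated in reverse order.
            let events = execute(
                &order,
                |s| if s == "attach_storage" { Err("disk quota exceeded".to_string()) } else { Ok(()) },
                |s| println!("compensating {s}"),
            );
            for e in &events { println!("{e:?}"); }
        }
        Err(e) => println!("refused to run: {e:?}"),
    }
}
```

Two design points carry over to any real orchestrator: validate the graph before the first side effect (a cycle found mid-run leaves partial state behind), and compensate only what actually completed, in strict reverse order, so each undo sees the state its forward step left.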

TrainingForge

live ↗

Security-awareness LMS — localized courses, enrollment and progress, server-scored quizzes, and tenant leaderboards.

Status

Where the rebuild stands

The fan-out is complete — all twelve services are domain-built on the substrate, CI-green, tenancy-by-construction, and audited atomically. Remaining work is per-service feature depth (deletes, pagination, lifecycle) and the deferred live integrations: real scanning, provisioning, ingestion, and correlation.

✓ Substrate complete

forge-core and the shared crates are built, tested, and proven on the canary services.

✓ 12 / 12 fanned out

Every service rebuilt greenfield on the substrate, from VaultForge (canary) to HeroForge (the biggest, last).

↻ Hardening underway

Recurring adversarial review by lens, zero-trust service-to-service work, and live external integrations.