Technology
Built like infrastructure.
Because it is.
This page is for the engineer doing the evaluation: how AnyForge actually works, which failure modes we designed against, and where the hard guarantees live. No metaphors — architecture.
Orchestration
One Engineer, a graph, and a single interrupt.
Crew runs on a LangGraph state machine with Firestore-persisted checkpoints. The topology is deliberately simple — the industry data on multi-agent handoff failure (41–87% in published studies) convinced us that fewer, more capable agents beat larger casts:
START → engineer_loop ─┬→ review_architect ┐
├→ review_security ├→ hil_ship ─┬→ approve → END
└→ review_qa ┘ ├→ amend → engineer_loop
└→ reject → ENDThe engineer_loop node runs a single long-horizon Engineer (up to 80 tool rounds) that reads the codebase, applies patches, runs your tests, consults read-only specialists on demand, and opens the PR. On PR open, Architect, Security and QA specialists fan out in parallel over the unified diff. hil_ship then emits the approval card and calls interrupt() — the graph is mathematically incapable of merging without a decision. An amenddecision re-enters the Engineer on the same branch with the operator's feedback; if an amend round produces no new commits, the graph halts loudly instead of recycling an unchanged PR through review.
Every halt has a name — engineer_no_pr, coverage_plateau, runaway_steps (a hard 500-round ceiling), token_budget_exceeded — with a documented recovery action. Reliability is a taxonomy, not a vibe.
Determinism
Fuzzy editing is a bug class. We removed it.
apply_patch — git-native edits
Every code edit is a diff applied via git apply --check, then git apply. A stale or misaligned patch is rejected deterministically instead of being fuzzy-matched into the wrong place. Anchor and file-level rejection caps stop silent retry loops; three consecutive rejections escalate to a senior specialist.
run_tests — your suite is the oracle
The runtime auto-detects your test runner (a committed .anyforge/test-command pin wins, then package.json, pytest, Cargo, go.mod) and treats its output as ground truth. Coverage numbers guide scope; passing your tests is the gate.
Read-before-cite coverage gate
Specialist findings must quote code the agent actually read — long verbatim spans are checked against read bytes, so a reviewer cannot hallucinate a finding about a file it never opened.
Untrusted-context sentinels
Repo instructions (AGENTS.md, CLAUDE.md), BRD text and escalation summaries are injected inside sentinel wrappers and can never override enforced constraints — prompt injection from your own artifacts is a modeled threat, not an afterthought.
Headless-browser verification
Agents verify UI work the way you would: a built-in headless Chromium tool auto-starts the dev server if needed, renders the page (desktop or mobile viewport), returns a screenshot, and reports structured console errors and failed network requests. "It compiles" is not the bar; "it renders without errors" is.
Isolated workspaces
Each crew works in a fresh git worktree with your pinned setup command (10-minute cap, content-hash cached). Code Studio commands run in an in-browser WebContainer or fail over to the cloud runtime automatically — same command, same repo, either substrate.
Code intelligence
Agents that know your codebase, not just your prompt.
Every agent surface shares one code-intelligence layer. An indexer builds a call-and-import graph — the TypeScript compiler API for TS/JS, tree-sitter for Go, Kotlin, Python, Java and Rust — alongside vector embeddings of symbol-aligned code chunks for semantic search. Indexing is SHA-gated and incremental: refreshed on every PR merge via webhook, on demand, and on a rolling sweep.
Every call edge carries a confidence label — extracted (import-verified), inferred (unique name match), ambiguous — so agents know when to verify before acting. Graph analysis runs on every pass: god-node detection, community structure, surprising connections, doc-to-code drift. The same tools (search_code_semantic, find_callers, trace_path, graph_stats) are available to the Engineer, the PR reviewers, the Oracle, and you — as an interactive cross-repo code graph in the console.
Model layer
Provider-neutral by architecture, not by adapter cleanup.
AnyForge exposes SDK-compatible endpoints — /v1/anthropic, /v1/openai and /v1/google — so existing client code migrates by changing a base URL. Behind them sits a routing layer with live per-provider model catalogs (Anthropic, OpenAI, Gemini, OpenRouter), per-provider failure isolation, and intent-based routing by rules, regex or embeddings. Streaming is durable: an interrupted agent stream replays on reconnect instead of dying with the tab.
Private & custom LLM hosting
Route to models on infrastructure you control: an Ollama daemon, a vLLM or llama.cpp cluster, or a dedicated LiteLLM gateway deployed in your VPC, on-prem, or air-gapped. GLM-4.6, GLM-4.5 Air, DeepSeek V3/R1, Qwen, Llama and Mistral run as first-class agent models with the same governance, audit and metering as any frontier cloud — and open-weights traffic can route direct to the vendor, bypassing marketplace markups.
Claude Max OAuth routing
Paste an sk-ant-oat-… token and agent traffic bills against your flat Claude Max subscription instead of metered API rates. A self-pacing throttle reads Anthropic’s rolling 5-hour and 7-day utilization headers (soft pace at 80%, hard block at 95%), takes the 1-hour extended prompt-cache TTL, and falls back to a metered key automatically on 429.
Metering that cannot drift
One flat platform fee computed as ceil(tokens × rate / 1M) on actual throughput — cache reads weighted down, failed calls never accrue. Budgets enforce in the execution path: soft warning at 80%, hard halt at 100%, mirrored in Rego so policy and billing agree by construction. And the meter audits itself: a two-ledger reconciliation pulls real spend from each provider’s usage API and surfaces any leakage per model and day.
Security
The guarantees an auditor can verify.
Hash-chained audit ledger
Every governance event is hashed (SHA-256 over content bytes + the previous event’s hash) into an append-only chain. The audit collections are write-forbidden to application clients at the database-rules layer — only the trusted backend writes, and tampering with any historical event invalidates every hash after it.
Cryptographic approval proof
Each human approval decision records a SHA-256 proof binding approver identity, timestamp and content hash — exportable evidence of who approved what, when, against which diff.
Policy as code
Cost caps, circuit breakers and per-role tool allow-lists are Rego policies evaluated by OPA and distributed via OPAL. The Architect cannot execute bash; the Engineer cannot skip a gate — enforced by the policy engine, not by prompt etiquette.
Tenant isolation
Multi-tenant isolation via auth custom claims enforced in database security rules, with a defensive cross-tenant filter on the memory layer. Repo access uses each operator’s own GitHub OAuth token — no shared company-wide PAT — with live scope preflights and hourly credential-health probes.
Secrets & supply chain
All customer credentials live in Google Cloud Secret Manager; the database stores pointers only. Dependencies with active supply-chain incidents are version-pinned, and memory/telemetry infrastructure is self-hosted — customer tokens are never routed to third-party analytics clouds.
Self-healing operations
Background sweeps keep the fleet honest: circuit breakers on runaway crews, auto-resume for stalled runs, hourly credential-health probes with reconnect prompts, MCP OAuth token refresh, agent-question and HIL timeouts (which never auto-approve), and a 15-minute platform smoke sweep that exercises hot paths before your users do.
The deploy boundary
AnyForge produces and merges PRs. It never deploys and never holds infrastructure keys. Your CI/CD reports release outcomes over signed webhooks (HMAC-SHA256), and AnyForge responds by opening hotfix work — the loop closes without AnyForge ever touching production.
Interop
An API-first platform that meets your tools where they are.
Everything the console does, the key-authenticated control API (/api/v1/control/*) does: repos, crews, initiatives, programs, work items, approvals, coverage ingestion, escrow, observability signals. Scoped API keys carry least-privilege grants (read / write / approve).
The AnyForge MCP server — stdio via npx or hosted Streamable HTTP — puts ~50 tools into Claude Code, Cursor, or any MCP client: dispatch and amend crews, approve gates, query the Oracle, sync coverage, drive escrow. Inbound, the MCP integrations marketplace connects Datadog, Sentry, Jira, Linear, Notion, Salesforce, Firebase, Aikido and more, with OAuth auto-refresh and operator-gated mutation tools. Observability ingestion normalizes alerts from seven providers into fingerprint-grouped production signals, and an OTLP endpoint accepts OpenTelemetry metrics and traces. Skills follow the open agentskills.io format with progressive disclosure — lightweight metadata in the system prompt, full bodies loaded only on invocation — so a large skill library never bloats the context window.
And for the AI agents reading this instead of a human: we publish llms.txt, llms-full.txt, an RFC 9727 API catalog at /.well-known/api-catalog, and JSON-LD on every page. You're welcome.
Stack
The stack, layer by layer.
| Orchestration | LangGraph StateGraph with a Firestore-backed checkpointer — every crew is resumable, replayable and auditable at the graph-state level |
| Agent runtime | Dedicated container image on Cloud Run with every major toolchain baked in (Node, Python, Go, Rust, Java/Maven/Gradle, Kotlin, .NET, Ruby, PHP) plus gcloud / aws / az / terraform CLIs |
| Frontend | Next.js App Router (SSR), React, TypeScript, Tailwind; Code Studio uses in-browser WebContainers with cross-origin isolation, with automatic failover to the cloud runtime |
| Data & auth | Firestore (EU region) with deny-by-default security rules, Firebase Auth (GitHub / Google / Microsoft OAuth), custom-claims tenancy |
| Policy | Open Policy Agent + OPAL distribution; Rego policies for cost caps, circuit breakers and per-role tool allow-lists |
| Memory | Governed memory store with bi-temporal versioning (Zep-based), policy-checked and fail-closed, portable across LLM providers |
| Model gateway | Provider adapters for Anthropic, OpenAI, Gemini, OpenRouter, Bedrock and Vertex, plus a self-hostable LiteLLM gateway for direct-to-vendor and private deployments |
| Secrets | Google Cloud Secret Manager for all customer credentials; Firestore stores metadata pointers only, never values |
| Payments & billing | Stripe-backed usage invoicing with automated dunning, budget enforcement in the execution path, and per-line-item fee separation |
| Interop | Model Context Protocol servers (stdio and hosted Streamable HTTP), SDK-compatible LLM endpoints, RFC 9727 API catalog, llms.txt |
Go deeper