License and Privacy

import { Aside } from ‘@astrojs/starlight/components’;

Forge is commercial software built to respect your privacy and your code. Here’s exactly what Forge does with your data — nothing more, nothing less.

Your code stays local

Your code, queries, analysis, and usage patterns never leave your machine.

Forge indexes your repo into ~/.forge/<repo-id>/. The SQLite database, Tantivy full-text index, and all AST parsing happen entirely on your hardware. MCP tool calls from your AI agent are answered locally with zero network hops.

To be explicit about what is never transmitted:

• Source code or file contents
• File paths or directory structure
• Query text (search queries, symbol lookups, pattern queries)
• Tool call inputs or outputs
• Index contents or symbol tables
• Codebase metadata (language distribution, file counts, repo names)
• Usage statistics or feature analytics

The one network call: weekly license heartbeat

Forge makes one outbound network call: a weekly HTTP POST to validate your license is still active.

What is sent

{
  "license_hash": "<sha256-of-your-license-key>",
  "client_version": "1.4.0",
  "platform": "linux-x86_64"
}

Three fields. That’s the complete payload. The license_hash is a SHA-256 hash of your license key string — it is not reversible to your key, and it conveys nothing about what you’re building. The client_version and platform are equivalent to a browser User-Agent header.

What is received

{
  "status": "active",
  "cached_until": "2026-05-01T14:32:11Z"
}

Status is one of: active, revoked, expired, or unknown. The cached_until timestamp tells Forge when to attempt the next check (typically 14 days from the last successful check).

When it runs

Once every 7 days (±12 hours of random jitter to spread load). The check fires on forge serve startup. It runs as a non-blocking background task — it does not delay the server starting or block tool calls.

Cache semantics

Forge does not require a live network connection for normal operation:

Condition	Behavior
status = active	Cache result for 14 days
Network unreachable	Use cached result for up to 30 days
Cache older than 30 days, license nearing expiry	Warn in forge status, continue for 7 more days
Cache older than 60 days	Degrade to Community Mode
status = revoked	Lock gated features at next forge serve startup

The 30-day network failure tolerance means Forge keeps working normally through extended offline periods, travel, and intermittent connectivity.

Why a heartbeat exists

Without revocation, a paid license becomes a permanent license for anyone who requests a refund on day 30. The heartbeat enables Ironpine Labs to revoke licenses when a customer cancels, disputes a charge, or requests a refund.

Revocation takes effect within one heartbeat cycle — up to 7 days. As a side effect of this window, customers who legitimately cancel get continued access for up to 7 days post-cancellation.

Verify it yourself

forge config heartbeat --show

Output:

Heartbeat endpoint: https://forge-license-webhook.ironpinelabs.workers.dev/heartbeat
Last check:        2026-04-17 14:32:11 UTC
Last status:       active
Cached until:      2026-05-01 14:32:11 UTC
Next attempt:      2026-04-24 (jittered)

Payload format:
  {
    "license_hash": "<sha256-of-your-license-key>",
    "client_version": "1.4.0",
    "platform": "linux-x86_64"
  }

No code, queries, file paths, or analysis data is transmitted.
Full privacy policy: https://ironpinelabs.com/privacy#forge

The output shows the exact endpoint, the exact payload format, and the last check time. Nothing is hidden.

To force an immediate check:

forge config heartbeat --now

Local stats: what stays on your machine

Forge writes a local stats file at ~/.forge/stats.json that tracks tool call counts, average latency, and index sizes. This file is:

• Written locally only — never transmitted in the heartbeat or anywhere else
• Read by forge stats — you can inspect it anytime
• Shareable if you choose — if you contact support, Patrick may ask for forge stats --json output. This is opt-in. Forge never collects it automatically.

Air-Gapped tier

If you absolutely cannot allow any outbound network call — defense work, air-gapped clusters, classified environments — we offer the Air-Gapped tier.

The air_gapped build flag compiles the heartbeat client out of the binary entirely at the Rust compiler level. No network code exists in the binary. The forge config heartbeat --show command displays an air-gapped mode notice instead of connection details.

What’s different in an air-gapped binary:

• forge serve does not spawn a heartbeat task
• forge update prints renewal contact instructions instead of checking the CDN
• License validation is offline-only: Ed25519 signature + embedded expiration year
• An annual binary reissue is required at renewal — there is no self-service key rotation

Pricing: Starts at $499/user/year (minimum 3 seats, annual only, invoice billing available).

Contact: air-gapped@forge.ironpinelabs.com

Air-gapped binaries are customer-specific builds. They cannot be downloaded from the releases page. Contact us before purchase to confirm your deployment requirements — we'll confirm compatibility before taking payment.

What Ironpine Labs stores about you

When you purchase or start a trial, the Cloudflare Worker stores:

Data	Where stored	Why
Email address	Cloudflare D1	License delivery and support
Tier (Solo/Pro/Team)	Cloudflare D1	Feature gating
Seat count	Cloudflare D1	Machine binding enforcement
License hash (SHA-256 of key)	Cloudflare D1	Heartbeat matching without storing the key
Subscription status	Cloudflare D1	Revocation propagation
Stripe customer + subscription IDs	Cloudflare D1	Self-service portal, billing support

What Ironpine Labs does not store:

• Your source code (never transmitted)
• Card numbers, CVVs, or banking details (Stripe handles all payment data)
• Query history or tool call logs
• File paths or codebase structure

Payment data and Stripe

All payment processing is handled by Stripe. Customers enter card details on Stripe’s hosted checkout page (checkout.stripe.com). Ironpine Labs never receives or stores raw card data.

Stripe holds PCI DSS Level 1 compliance, which covers customers’ card data in full. The Stripe webhook that fires after purchase contains only subscription metadata — not card numbers.

Full privacy policy

The complete privacy policy is at ironpinelabs.com/privacy#forge. It covers the same ground as this page in more formal language, plus data retention, deletion requests, and contact information.

Questions about privacy? Email privacy@forge.ironpinelabs.com.