Forge Documentation
Deploy a security-hardened AI coding agent on your own server in under 10 minutes.
Last updated: March 18, 2026
New to servers? Let AI walk you through it.
Download the Forge Setup Agent template and paste it into Claude, ChatGPT, or any AI chatbot. It becomes your personal deployment assistant — step by step, no experience required.
Requirements
| Requirement | Details |
|---|---|
| VPS Server | Ubuntu 22.04 or 24.04, minimum 2GB RAM, root access |
| Cloudflare Account | Free account with at least one domain added |
| GitHub Account | To access the private Forge repository after purchase |
| LLM API Key | At least one: OpenAI, Anthropic, Google, or any OpenCode-supported provider |
| Time | ~10 minutes from first command to live agent |
Step 1 — Get a VPS
A VPS (Virtual Private Server) is a remote computer you rent. Your AI agent runs here — not on your laptop. This means it's available 24/7 from any device, and your local machine stays clean.
Fast setup, reliable, ~$7/month
- Go to hetzner.com/cloud and create an account
- Click Add Server
- Location: choose the closest region to you
- Image: select Ubuntu 24.04
- Type: select CX22 (2 vCPU, 4 GB RAM)
- Authentication: choose Password and set a strong root password
- Click Create & Buy Now
- Your server is ready in ~20 seconds. Copy the IP address from the dashboard.
Lower cost, slower provisioning, ~$4/month
- Go to contabo.com/en/vps
- Select Cloud VPS S
- Choose your region, select Ubuntu 24.04
- Set a root password and complete purchase
- Wait for the provisioning email (3–15 minutes). It contains your IP address and credentials.
Step 2 — Connect to Your Server
SSH (Secure Shell) lets you type commands on your remote server from your own computer. Think of it as a remote control for your VPS.
Using PowerShell
Open PowerShell (search "PowerShell" in your Start menu), then type:
ssh root@YOUR_SERVER_IP
Replace YOUR_SERVER_IP with the actual IP from Step 1. If it asks "Are you sure you want to continue connecting?" type yes and press Enter. Then enter your root password. Characters won't appear as you type — that's a security feature, not a bug.
Using Terminal
Open Terminal (search "Terminal" in Spotlight), then type the same command:
ssh root@YOUR_SERVER_IP
Using Termius
Download Termius from the App Store or Google Play. Add a new host with your server IP, username root, and your password. Tap Connect.
You're connected when you see a prompt like:
root@ubuntu:~#
Step 3 — Deploy Forge
Three commands. The script handles everything else.
apt update && apt install -y git
git clone https://github.com/HodgeLuke/forge-dev.git
cd forge-dev && bash deploy.sh
The script will ask for:
| Prompt | What to enter |
|---|---|
| Cloudflare API Token | The token from Cloudflare API Token setup |
| Domain | Your domain on Cloudflare (e.g., yourdomain.com) |
| Subdomain | What goes before the domain (e.g., agent for agent.yourdomain.com) |
| Email | Your email — becomes the Zero Trust identity gate |
| Proceed? | Type Y |
The script runs 11 automated steps. Each shows a green ✓ on success. On completion, you'll see:
✓ FORGE DEPLOYMENT COMPLETE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Your Agent
URL: https://agent.yourdomain.com
Password: [auto-generated]
Security Layers Active
✓ Cloudflare Tunnel
✓ Zero Trust Access
✓ OpenCode server password
✓ UFW firewall
✓ fail2ban + kernel hardening
cat /root/.forge-credentials
Step 4 — Access Your Agent
- Open the URL from the deployment output in any browser
- Cloudflare Zero Trust asks for your email — enter the email you configured
- Check your inbox for a verification code and enter it
- The OpenCode interface asks for a password — enter the generated password
- You're in. Your AI coding agent is live.
List all files in the current directory and explain what each one does. — This confirms the agent is working and can read the filesystem.
MCP Server Configuration
MCP (Model Context Protocol) connects your agent to external tools and services. Forge ships with 7 pre-configured servers:
| Server | What it does | Auth type |
|---|---|---|
| Cloudflare API | Manage Workers, DNS, Tunnels | OAuth (browser) |
| Cloudflare Bindings | D1 databases, KV, R2 storage | OAuth (browser) |
| Cloudflare Docs | Search Cloudflare documentation | None (ready) |
| Cloudflare Observability | Logs, analytics, monitoring | OAuth (browser) |
| GitHub | Repos, issues, PRs, code review | API token |
| Supabase | Database access, auth, storage | API token |
| Brave Search | Web search from the agent | API key |
Cloudflare servers use OAuth — the agent will prompt you to authorize in your browser on first use. GitHub, Supabase, and Brave Search use API tokens configured during setup.
Agent Templates
Four pre-built agent templates ship in the agents/ folder:
| Template | Role | Permissions |
|---|---|---|
| wcag-auditor.md | WCAG 2.2 AA accessibility checker | Read-only |
| security-reviewer.md | Vulnerability scanner with CWE refs | Read-only |
| deployer.md | Cloudflare deployment specialist | Write (scoped to CF) |
| docs-writer.md | Technical documentation generator | Write |
Use them by referencing @agent-name in your OpenCode session. Each template contains standing instructions, scope boundaries, and output format rules.
Creating a Cloudflare API Token
- Go to dash.cloudflare.com/profile/api-tokens
- Click Create Token
- Click "Get started with a custom token" (bottom option)
- Add these permissions:
  - Account → D1 → Edit
  - Account → Cloudflare Workers Scripts → Edit
  - Account → Cloudflare Tunnel → Edit
  - Account → Access: Apps and Policies → Edit
  - Zone → DNS → Edit
- Account Resources: Include → your account
- Zone Resources: Include → your domain (or All zones)
- Click Continue → Create Token
- Copy immediately — Cloudflare only shows it once
Useful Commands
# Check agent status
systemctl status opencode
# Check tunnel status
systemctl status cloudflared
# View agent logs (live stream)
journalctl -u opencode -f
# Restart the agent
systemctl restart opencode
# Restart the tunnel
systemctl restart cloudflared
# View your credentials
cat /root/.forge-credentials
# Terminal access (bypasses browser)
OPENCODE_SERVER_PASSWORD='YOUR_PASS' opencode attach http://127.0.0.1:4096
Troubleshooting
Error 1033 — Cloudflare Tunnel error
The tunnel isn't connected. Check its status:
systemctl status cloudflared
journalctl -u cloudflared -n 20
If you see "Unauthorized" — the API token may have been rotated since deployment. Re-run bash deploy.sh with a fresh token.
Permission denied when cloning the repo
Either you haven't accepted the GitHub invitation (check email from HodgeLuke), or you're using your GitHub password instead of a Personal Access Token. GitHub requires tokens for command-line access — create one at github.com → Settings → Developer settings → Personal access tokens.
Zero Trust keeps asking for email
This is the WebSocket/Zero Trust cookie conflict. In your Cloudflare dashboard → Zero Trust → Settings → enable "Binding Cookie" and set "SameSite Attribute" to "None."
Agent is slow or unresponsive
systemctl restart opencode
journalctl -u opencode -f
Most common cause: no LLM API key configured. OpenCode needs at least one provider key (OpenAI, Anthropic, Google, etc.) to function. Configure it in the OpenCode settings once you're logged in.
Security Model
Forge implements 5 layers of defense-in-depth, addressing CVE-2026-22812 (CVSS 8.8, unauthenticated RCE) and CVE-2026-22813 (CVSS 9.6, XSS-to-RCE). Every layer is automated by the deployment script.
| Layer | What it does | Addresses |
|---|---|---|
| 1. Cloudflare Tunnel | Outbound-only encrypted connection. No open ports. No public IP. | Network exposure |
| 2. Zero Trust Access | Identity gate. Only your email reaches the agent. | Unauthorized access |
| 3. Server Auth | 192-bit password on the OpenCode server. | Direct server access |
| 4. Host Hardening | UFW firewall, fail2ban, kernel hardening, SSH key-only. | OS-level attacks |
| 5. Scoped Permissions | Per-agent MCP restrictions. Read-only auditors. | Agent blast radius |
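A post-deployment check for layers 1, 3 and 4 in the table above, as an added example (not part of Forge or its deploy.sh). It assumes OpenCode listens on port 4096, as in the attach command under Useful Commands; the function names and sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: each check reads command output on stdin, so it runs offline.

# Layers 1/3: print listeners on PORT that are NOT bound to loopback.
# Input: `ss -H -ltn` output (column 4 is Local Address:Port).
exposed_listeners() {
  awk -v port="$1" '$4 ~ (":" port "$") && $4 !~ /^(127\.|\[::1\]:)/ { print $4 }'
}

# Layer 4: succeed only if UFW is active with default-deny incoming.
# Input: `ufw status verbose` output.
ufw_default_deny() {
  awk '/^Status: active/ { on = 1 }
       /^Default: deny \(incoming\)/ { deny = 1 }
       END { exit !(on && deny) }'
}

# Layer 4: succeed only if sshd refuses password logins (missing keyword fails).
# Input: `sshd -T` output (effective config, lowercase keywords).
ssh_key_only() {
  awk '$1 == "passwordauthentication" { v = $2 } END { exit (v != "no") }'
}

# Run all checks on three captured outputs; the return code is the failure count.
forge_audit() {
  fails=0
  hits=$(printf '%s\n' "$1" | exposed_listeners 4096)
  if [ -n "$hits" ]; then echo "FAIL opencode reachable on: $hits"; fails=$((fails+1))
  else echo "PASS opencode (4096) is loopback-only"; fi
  if printf '%s\n' "$2" | ufw_default_deny; then echo "PASS ufw active, default deny"
  else echo "FAIL ufw inactive or not default-deny"; fails=$((fails+1)); fi
  if printf '%s\n' "$3" | ssh_key_only; then echo "PASS ssh password auth is off"
  else echo "FAIL ssh still accepts passwords"; fails=$((fails+1)); fi
  return "$fails"
}

# Constructed sample outputs (not captured from a real Forge host).
SS_OK='LISTEN 0 4096 127.0.0.1:4096 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
SS_BAD='LISTEN 0 4096 0.0.0.0:4096 0.0.0.0:*'
UFW_OK='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)'
SSHD_OK='passwordauthentication no'
SSHD_BAD='passwordauthentication yes'

forge_audit "$SS_OK" "$UFW_OK" "$SSHD_OK"
forge_audit "$SS_BAD" "$UFW_OK" "$SSHD_BAD" || echo "failed checks: $?"
# Live host (as root): forge_audit "$(ss -H -ltn)" "$(ufw status verbose)" "$(sshd -T)"
```

A non-loopback listener on 4096 means the OpenCode server is reachable without passing through the tunnel and Zero Trust gate, leaving only the server password in front of it.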