February 8, 2026

Forge SDLC Orchestrator — Full Architecture & Code Review

Reviewer: Claude Opus 4.6 | Date: 2026-02-08 | Branch: feat/external-integrations


Executive Summary

Forge is an ambitious agentic SDLC orchestrator written in TypeScript/Bun that coordinates 5 AI agents (Planner, Implementer, Reviewer, Tester, Deployer) through a sequential pipeline: Plan → Implement → Review → Test → Deploy. The codebase spans ~52 source files with a well-designed type system, comprehensive safety infrastructure, and a recently-added pi-agent-core integration layer.

Overall Assessment

Dimension            | Rating | Notes
---------------------|--------|------------------------------------------------------------------
Architecture Design  | A      | Excellent system design docs, clean separation of concerns
Type Safety          | B+     | Strong types, 5 active TS errors in breakers.ts
Test Coverage        | B      | 104 tests passing, good unit coverage for core modules
Code Quality         | B      | Some duplication, placeholder code in CLI, any-type usage in pi-adapter
Security             | B-     | Command injection vectors in agent tools, no input sanitization
Production Readiness | C+     | CLI still uses simulatePhase(), many TODOs, default LLM is a no-op
Documentation        | A-     | Excellent SYSTEM-DESIGN.md and ARCHITECTURE.md with Mermaid diagrams

Key Findings Summary

Critical (3)

  1. Command injection in git tools — branch names and commit messages are interpolated directly into shell commands without sanitization
  2. SQL injection in SQLiteCheckpointStorage — string interpolation used instead of parameterized queries
  3. CLI run command is non-functional — still uses simulatePhase() instead of actual pipeline execution
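The shape the first critical finding calls for, as an added example rather than Forge's own code: branch names and commit messages supplied by an agent are validated against git's ref-name rules and then handed to git as an argv array, so no shell ever parses them. The tool names, the assumed use of node:child_process, and the sample inputs are assumptions for illustration.

```typescript
import { spawnSync } from "node:child_process";

// Reject anything git itself would refuse as a ref name (see `git check-ref-format`),
// plus a leading "-", which git would otherwise parse as an option.
const BAD_REF_PATTERNS: RegExp[] = [
  /[\x00-\x20\x7f]/,      // control characters, space, DEL
  /[~^:?*\[\\]/,          // characters git forbids anywhere in a ref
  /\.\./,                 // ".." sequence
  /@\{/,                  // "@{" sequence
  /^\//, /\/$/, /\/\//,   // leading, trailing or doubled slash
  /^\./, /\/\./,          // component beginning with "."
  /\.lock$/, /\.$/,       // ".lock" suffix, trailing "."
  /^-/,                   // option injection guard
  /^@$/,                  // bare "@" is reserved
];

function isValidBranchName(name: string): boolean {
  if (name.length === 0 || name.length > 255) return false;
  return !BAD_REF_PATTERNS.some((re) => re.test(name));
}

// VULNERABLE: the pattern the review flags. The name is spliced into a string a
// shell will parse, so ";", "$()", quotes and whitespace change the command.
function unsafeCheckoutCommand(branch: string): string {
  return `git checkout -b ${branch}`;
}

// HARDENED: validate, then build argv. Each element reaches git as one literal
// argument; there is no word splitting, globbing or substitution on the way.
function checkoutArgs(branch: string): string[] {
  if (!isValidBranchName(branch)) throw new Error(`rejected branch name ${JSON.stringify(branch)}`);
  return ["checkout", "-b", branch];
}

function commitArgs(message: string): string[] {
  if (message.trim().length === 0 || message.includes("\0")) throw new Error("rejected commit message");
  // "-m" consumes the next argv entry whole, so a message that looks like a flag
  // or contains shell metacharacters is still just text to git.
  return ["commit", "-m", message];
}

// Execution path the agent tool would use: explicit shell: false, argv array.
function runGit(args: string[], cwd: string): string {
  const r = spawnSync("git", args, { cwd, shell: false, encoding: "utf8" });
  if (r.status !== 0) throw new Error(`git ${args[0]} failed: ${r.stderr}`);
  return r.stdout;
}
```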

High (6)

  1. Duplicate type definitions across src/types/index.ts and src/core/errors.ts
  2. Two competing EventBus implementations (src/core/bus.ts vs src/events/bus.ts)
  3. better-sqlite3 used instead of Bun's built-in bun:sqlite (per CLAUDE.md rules)
  4. Five TypeScript errors in src/safety/breakers.ts
  5. any type usage in pi-agent-core bridges
  6. Memory leak — InMemoryEventBus never prunes its events array

Medium (8)

  1. Agent tools define their own inline implementations rather than using the tool registry
  2. PlannerAgent.createSimplePlan() uses naive keyword matching
  3. ImplementerAgent.applyFailureFixes() has a fragile regex-based file path parser
  4. DefaultLLMClient returns dummy data silently — no clear error when unconfigured
  5. Config merge function ignores user-provided breaker overrides
  6. Missing embedding field in MemoryStore interface — similarity search is keyword-only
  7. Beads tools registered asynchronously with fire-and-forget .then()
  8. getLatestCheckpoint in src/events/bus.ts sorts ascending but returns the first element, so it yields the oldest checkpoint rather than the latest (the sort should be descending)

Low (5)

  1. Inconsistent import styles (.ts vs .js extensions)
  2. node:child_process used instead of Bun.$ or Bun.spawn (per CLAUDE.md)
  3. crypto.randomUUID() mixed with ulid() for ID generation
  4. Math.random().toString(36).substr(2, 9): substr is deprecated, should be substring
  5. Unused readline import patterns could be simplified with Bun APIs