Last updated: 13 June 2026
These terms are provided in good faith for an early-access developer tool. They are not a substitute for legal advice. Bracketed placeholders (
[…]) must be completed before publication.
1. Who we are
Forge ("Forge", "we", "us") is a trust registry and command-line tool for MCP servers, A2A agents, and AI skills, operated by [YOUR NAME OR LEGAL ENTITY], based in Spain. You can reach us at legal@forgeregistry.com.
By accessing the Forge website, registry, API, or CLI (together, the "Service"), you agree to these Terms. If you do not agree, do not use the Service.
2. What Forge is — and is not
Forge indexes third-party software and publishes automated trust signals about it: publisher-identity verification, security scan results, dependency audits, provenance checks, and revocation status.
These signals are automated, best-effort assessments. They are opinions generated by software, not statements of fact, certifications, warranties, or professional advice. In particular:
- "Verified" means identity, not safety. It indicates that a publisher demonstrated control of a source repository — not that their code is safe, correct, or free of malicious behaviour.
- A clean scan means "no known issues found", not "no issues exist". Scans cover known vulnerabilities and recognisable patterns; they cannot prove the absence of malicious or harmful code.
- Forge does not execute, host, endorse, or vouch for indexed packages. They are produced by independent third parties over whom we have no control.
You remain solely responsible for deciding whether to install, run, or rely on any package. Do your own due diligence before granting any tool access to your systems or data.
3. Acceptable use
You agree not to:
- use the Service to attack, overload, or circumvent the rate limits or security controls of Forge or any third party;
- scrape, resell, or redistribute the registry data except as permitted by a documented API;
- submit, publish, or claim packages you do not own or maintain;
- misrepresent your identity or impersonate another publisher;
- use the Service to distribute malware or to facilitate unlawful activity.
We may rate-limit, suspend, or remove access to protect the Service or its users.
4. Publishing and claiming packages
If you claim or publish a listing, you represent that you own or maintain the linked repository and have the right to do so. We verify ownership via GitHub but rely on the accuracy of what you and GitHub provide.
We may revoke verification or remove a listing at any time — for example on evidence of compromise, malicious updates, or a valid complaint. Revocation is an operational safety measure and a statement of Forge's automated or reasoned assessment; it is not a factual declaration about any person's conduct or character.
5. The CLI and MCP server
The @forge-registry/cli package, including the forge inspect, forge sandbox, and forge mcp features, runs on your own machine. Features that
execute or install third-party code (e.g. forge inspect --run, forge sandbox) do so at your direction and risk, with the isolation level described
in their documentation. The CLI is released under the MIT licence; that licence
governs your use of the code itself.
6. Third-party services
The Service relies on and links to third parties (npm, the OSV database, GitHub, Sigstore, hosting and infrastructure providers, and — if you use AI search — large-language-model providers). We are not responsible for their content, availability, or practices. Your use of an AI provider with your own API key is governed by that provider's terms.
7. No warranty
The Service is provided "as is" and "as available", without warranties of any kind, whether express or implied, including merchantability, fitness for a particular purpose, accuracy, and non-infringement, to the fullest extent permitted by law. We do not warrant that trust signals are accurate, complete, or current, or that the Service will be uninterrupted or error-free.
8. Limitation of liability
To the fullest extent permitted by applicable law, Forge and its operator will not be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss arising from (a) your reliance on any trust signal or registry data, (b) your use of any third-party package, or (c) any interruption or error in the Service. Nothing in these Terms excludes liability that cannot be excluded under Spanish or EU law (including liability for fraud, gross negligence, death, or personal injury caused by negligence).
9. Indemnity
You agree to indemnify Forge and its operator against claims arising from your misuse of the Service or your breach of these Terms, to the extent permitted by law.
10. Changes
We may update these Terms. Material changes will be reflected by the "Last updated" date above and, where appropriate, announced on the Service. Continued use after a change constitutes acceptance.
11. Governing law
These Terms are governed by the laws of Spain. Mandatory consumer-protection rights you may have under the law of your country of residence are unaffected. Disputes are subject to the competent courts of [YOUR PROVINCE/CITY], Spain, without prejudice to any mandatory jurisdiction available to consumers.
12. Contact
Questions about these Terms: legal@forgeregistry.com. Security issues: see our Security Policy — security@forgeregistry.com.