Forge · The foundation

The part that is identical between projects is already coded.

Forge is the engine that produces every Canarlo build. Auth, data model, payments, search, security posture — already built, already audited, already correct. Your money funds the part that is yours.

Start a project What you get

Why we built Forge

Three failures of agency-grade SaaS.

Failure
01
Discovery is not work.
A six-week discovery phase is a six-week tax on the prospect's hope that the project might still be on time. It produces decks. Decks do not authenticate users. Decks do not survive a customer trying to upload a 200MB PDF.
→ Forge starts with the foundation already built — so the first conversation is the only one that needs to be exploratory.
Failure
02
The foundation gets rebuilt every project, badly.
Auth. Authorisation. Per-row security. Payments. Webhooks. Audit trails. Search. File uploads. CSP. CSRF. Rate limiting. Migrations. These are solved problems. Every agency that solves them again from scratch is charging you for their team's learning curve.
→ Forge ships eighteen security patterns enforced structurally, by default, in every project — not aspirationally, in writing, on a slide.
Failure
03
The senior engineer pitches; the junior writes the code.
The discovery call is with the principal. The Slack messages, three weeks in, are with someone who joined six months ago. The architecture, the schema, the security choices — made by the people with the least context. The cost of correcting course is paid by you.
→ At Canarlo, the people on the discovery call are the people writing the code. Always.

Side by side

Where the money goes, line by line.

✕ Traditional agency

Canarlo

Foundation work

Rebuilt from scratch every engagement

Already built. Already audited. Already correct.

Discovery

Four to eight weeks of decks

A call. Maybe two.

Senior involvement

Pitches the work, reviews late

Writes the code. Owns the decisions.

PM overhead

PM, producer, stand-ups, status decks

Direct line to the engineer doing the work

Subcontracting

Common. Often invisible to you.

None.

Codebase ownership

Transferred at end of engagement

Yours from day one. Your repo. Your keys.

Bringing it in-house

A six-figure handover dance

Any competent engineer can read it.

Security posture

"We follow OWASP" (sometimes)

Eighteen patterns, enforced everywhere, in writing.

Where the budget goes

Mostly to rebuilding what already exists

To the part that is actually yours

Security baseline

Eighteen patterns, enforced.

Not aspirational. Not on a slide. Every Forge-shipped project carries them by default — caught at the generator, audited at every regen, present in code with a name on it.

Holds up in a security review

01Auth on every server action
02Per-row authorisation at the database
03Input validation on every form
04Rate limiting on every mutation
05Strict CSP with per-request nonces
06CSRF protection on route handlers
07SSRF guards with DNS-rebinding protection
08Webhook signature verification (timing-safe)
09Mass-assignment protection on every form
10Generic error messages — no DB error leakage
11File upload validation by magic-byte
12Pagination clamping on every list
13CSV-formula-injection prevention on exports
14Open-redirect prevention on every redirect
15Forced RLS on every table
16UUID validation on all ID parameters
17Tel field length limits
18Label escaping on every JSX text node

Studio principle

You can prompt your way to a demo. You cannot prompt your way to a business.

Engagement model

Studio engagements from £25,000.

Most projects fall between £25,000 and £75,000. Twelve-week build, two-week discovery, two-week architecture, eight to ten weeks of production. The codebase is yours. The keys are yours.

Start a project About the studio

Three failures of agency-grade SaaS.

Failure

Discovery is not work.

A six-week discovery phase is a six-week tax on the prospect's hope that the project might still be on time. It produces decks. Decks do not authenticate users. Decks do not survive a customer trying to upload a 200MB PDF.

→ Forge starts with the foundation already built — so the first conversation is the only one that needs to be exploratory.

Failure

The foundation gets rebuilt every project, badly.

Auth. Authorisation. Per-row security. Payments. Webhooks. Audit trails. Search. File uploads. CSP. CSRF. Rate limiting. Migrations. These are solved problems. Every agency that solves them again from scratch is charging you for their team's learning curve.

→ Forge ships eighteen security patterns enforced structurally, by default, in every project — not aspirationally, in writing, on a slide.

Failure

The senior engineer pitches; the junior writes the code.

The discovery call is with the principal. The Slack messages, three weeks in, are with someone who joined six months ago. The architecture, the schema, the security choices — made by the people with the least context. The cost of correcting course is paid by you.

→ At Canarlo, the people on the discovery call are the people writing the code. Always.

Where the money goes, line by line.

✕ Traditional agency

Canarlo

Foundation work

Rebuilt from scratch every engagement

Already built. Already audited. Already correct.

Discovery

Four to eight weeks of decks

A call. Maybe two.

Senior involvement

Pitches the work, reviews late

Writes the code. Owns the decisions.

PM overhead

PM, producer, stand-ups, status decks

Direct line to the engineer doing the work

Subcontracting

Common. Often invisible to you.

None.

Codebase ownership

Transferred at end of engagement

Yours from day one. Your repo. Your keys.

Bringing it in-house

A six-figure handover dance

Any competent engineer can read it.

Security posture

"We follow OWASP" (sometimes)

Eighteen patterns, enforced everywhere, in writing.

Where the budget goes

Mostly to rebuilding what already exists

To the part that is actually yours