Product
EU-sovereign CI/CD with Git included.
A flat-priced platform with Forgejo, hosted runners, SSO enforcement, and the full
supply chain security stack — built on upstream Forgejo
and operated by fremverk on T Cloud, the Deutsche Telekom EU-sovereign cloud, in Germany
(Biere/Magdeburg, eu-de). Forgejo runs unmodified, so the forge layer stays
compatible with the wider ecosystem. The differentiator is what we wrap around it.
What you get
Everything in one €30/seat plan. No "Advanced Security" add-on, no Actions metering surprise, no Marketplace trap.
Full Forgejo surface
Repositories, issues, pull requests, package registry — unmodified upstream Forgejo, no soft-forks.
Hosted CI runners
1,000 minutes/seat/month pooled at org level, 2 concurrent jobs per seat (max 100/org). Ephemeral per-job pods on T Cloud — hardened posture, EU-resident.
Supply chain security
Pre-receive secret scanning, dependency scanning on PRs, signed commits, SLSA provenance — included, not an add-on SKU.
SSO enforcement
OIDC or SAML to your IdP (Authentik, Entra ID, Keycloak, Okta). Per-org session binding; SSH keys honour the IdP session.
OIDC token federation
Runners federate into your T Cloud agencies (or any OIDC-trusting cloud) with short-lived credentials. No long-lived deploy keys in repo secrets.
SSH-over-443
Clone via ssh://git@ssh.frem.sh:443. Skips the corporate-firewall pain that blocks outbound port 22.
Supply chain security, in detail
GitHub charges $49/seat/month for the Advanced Security equivalent. We include the meaningful part.
- Pre-receive secret scanning. High-confidence patterns rejected before the commit enters immutable history.
- Dependency scanning on PRs. Trivy/osv-scanner on the manifest diff; findings as PR comments; optional merge-block on CRITICAL CVEs.
- Signed commits. SSH-key signing as default (Forgejo verifies natively); GPG also supported. No third-party log fan-out.
- SLSA provenance. Hosted runners emit signed provenance; verify with slsa-verifier.
- Three-level RBAC. Platform-floor controls, org-default policy set by Owner/Admin, per-repo override that can tighten freely.
- Package registry. Containers, npm, Maven, Go modules, generic.
Keyless commit signing is available via fremverk's self-hosted Sigstore stack on T Cloud
eu-de (Fulcio + TSA; no Rekor transparency-log fan-out). Endpoints:
sign.frem.sh and tsa.frem.sh. No request transits the public
Linux Foundation Sigstore instance. Customers opt in per-tenant at
Authentication policy → Require OIDC-signed commits. See
docs.frem.sh/get-started/keyless-commit-signing.
First-class public API — ready for AI agents
Every admin action is a documented REST endpoint. AI coding agents operate against the same surface as the humans.
OpenAPI 3.1 spec
Personal access tokens and OAuth 2.0 client credentials supported. No admin-only endpoints, no surprise gaps. Spec on docs.frem.sh/api.
AI-agnostic by design
Whatever AI your team uses (Claude Code, Cursor, Windsurf, Codex CLI, Aider) operates against the same Git, REST, and MCP surface. No forge-level AI lock-in.
Agent-native delegation
On-behalf-of semantics with scoped, time-boxed delegated mandates are on the near-term roadmap. The goal: the first EU Git host your AI can buy for you.
Where it runs
Every automated processing surface is operated by entities with no US parent.
| Surface | Host | Location |
|---|---|---|
| Forgejo UI, Git, API, package registry | T Cloud CCE (Kubernetes) | eu-de (Biere/Magdeburg, DE) |
| Hosted CI runners | T Cloud CCI (per-job pods) | eu-de (Biere/Magdeburg, DE) |
| Control plane (billing, metering, SSO middleware, audit chain) | TypeScript monolith on T Cloud CCE | eu-de (Biere/Magdeburg, DE) |
| Marketing site, docs, status | OBS origin + Bunny CDN | Origin eu-de, edge at EU PoPs only |
| Outbound transactional email | Lettermint B.V. | Zwolle, Netherlands |
| Self-hosted PoW captcha | Altcha (in-monolith; MIT-licensed, HMAC-signed PoW) on T Cloud CCE | eu-de (Biere/Magdeburg, DE) |
| Payments | Mollie | Netherlands |
| Accounting / invoice rendering | Visma Dinero | Copenhagen, Denmark |
See trust for the full sub-processor list, inherited certifications (T Cloud: ISO 27001, 27017, 27018, BSI C5 Type 2, TISAX), the own-certification roadmap (ISO 27001 Stage 1 audit within 18 months, certification within 24 months, per DPA §12.1), and the DPA for the contractual posture.
What it isn't
frem- prefix signals lineage (distinctive prefix + descriptive morpheme), not a 2000s-era project host.