Features · Nodge

Develop

From idea to live app without leaving the platform.

Shipped today

Push-to-deploy. Commit, push, and your app is live in seconds with automatic HTTPS.
Multi-environment projects. Test, staging, and production environments per project, each with its own subdomain.
Nodge Studio. A browser-based code editor that spins up on click and goes to sleep when idle. EU-hosted, no install needed.
VS Code extension. Connect your local VS Code to Nodge over OAuth. Your AI assistant gets full project context.
Built-in Git hosting. Forgejo, scoped per organisation, with repository UI, access control, and HTTPS push.
Built-in container registry. Per-organisation image storage with garbage collection. No external registry to wire up.
Build pipelines included. Every project gets a CI runner. Builds, tests, and deploys are wired by default.
Ready-to-deploy project templates. Start from a template with observability and deploy wiring already in place.
Branded project provisioning. Twelve curated colour palettes, light/dark toggle, CSS variables injected into your new repo.
Template auth scaffold. Every template ships with a login page and admin credential wiring you replace when ready.

Coming next

Multi-engine database support. First-class schema introspection and backup for MySQL, MariaDB, MS SQL Server, and Azure SQL alongside PostgreSQL.
Cross-environment restore. Restore production into staging as a single click for safe data testing.
AI test generation. Detect changes in code reviews and propose unit plus Robot Framework tests automatically.
Expanded template library. An LLMOps starter (Langfuse + LiteLLM), a lean ERP starter, a planning portal, and a kanban app.

Operate

Run your apps without becoming a platform engineer.

Shipped today

EU cloud. Hosted in the Netherlands by default. European infrastructure, end to end.
Bring your own compute. Keep the Nodge experience while project workloads run on bare-metal compute we provision for your organisation.
Air-gapped deployment. Fully offline installation for defence, government, banking, and other regulated environments.
Per-project monitoring. Logs, performance metrics, and dashboards pre-configured for every project. No setup.
Automatic HTTPS. TLS certificates issued and renewed automatically via ACME, on every domain.
Custom domains. Point your own domains at any environment. The platform handles routing and certificates.
Nightly backups. Platform and per-project backups every night, encrypted before they leave the host, pushed to an off-site target the platform cannot read from or delete from.
Quarterly restore drills. Backups that are not tested are not backups. We run restore drills every quarter and log the date.
Clean project removal. Delete a project and the platform reclaims every resource. No orphan containers, no dangling DNS, no leftover Secrets.
Per-organisation observability. Logs and metrics scoped per organisation. Tenants cannot read each other's telemetry, even by accident.

Coming next

Atomic disaster recovery. Filesystem snapshots paired with database dumps, app-offline-during-restore orchestration, and per-step timeouts so a 50 GB restore behaves like an atomic point-in-time recovery.
Off-cluster backup storage. EU-hosted S3-compatible target with lifecycle policy, replacing today's on-host storage.
Cross-environment restore. Restore production data into staging as a first-class flow.
Soft-delete window for backups. Accidentally deleted a project? A recovery window keeps backups alive long enough to restore.
Pod health alerting. Email alerts when a workload stays unhealthy, with thresholds tuned to avoid noise on normal rolling restarts.
Multi-node clusters. Operational playbook for joining nodes, scheduling across them, and recovering from a node going down.
Dependency drift tracking. Renovate or Dependabot watching Kubernetes manifests and workflow images so version drift is visible continuously.
Auto-restart on config change. Workloads automatically roll when their ConfigMaps or Secrets change. No manual rollouts.

Govern

Control and accountability, built into the platform from day one.

Shipped today

ISO 27001:2022 certified. Organisation certified by an RvA-accredited body. Information-security management system audited annually.
Full audit trail. Every material action logged across platform, organisation, and project scope. Queryable by actor, target, and time.
Bring your own identity provider. OIDC integration with Azure AD, Okta, Keycloak, or any OIDC-compliant provider. Your MFA, conditional access, and offboarding apply unchanged.
Domain verification. An organisation must prove ownership of an email domain via DNS TXT before users from that domain are routed to its IdP.
Granular permissions. Individual permission flags per project and per environment, not role bundles. Grant production access without granting repository access.
Two-person deploy sign-off. Configure how many approvers must sign off on production deploys. Each approval requires fresh IdP authentication.
Cryptographic deploy attestation. Each approval is a verified IdP-signed token bound to the build. Retained for the lifetime of the project as audit-grade evidence.
Initiator block. The person who triggered a deploy cannot approve their own request. Two-person rule, server-enforced.
Human-in-the-loop for AI. Destructive actions (deleting projects, members, variables, domains) require a human. Agents can create and read; they cannot delete.
AI spending limits. Hard budgets in euros per project, enforced at the platform proxy layer. Agents cannot exceed them.
Separation of duties. Build, deploy, and AI agent identities are cryptographically distinct. A CI runner cannot spend an agent's LLM budget; an agent cannot trigger a deploy.
Multi-tier sign-in. Magic link, Google OAuth, your IdP, or personal access tokens. Pick the one that matches the user.

Coming next

Append-only audit log export. Ship the audit log to write-once storage so the export survives even a compromised platform admin.
Scoped admin roles. Read-only admin, billing admin, and support admin roles for organisations that want separation of duties at the platform-admin level too.
External KMS option. Documented path to an external key management service (HashiCorp Vault, EU KMS) so the master key never sits next to the database.

Integrate

Apps, agents, your tools, your AI. All wired together.

Shipped today

Platform is the MCP server. Your coding agent connects directly. Adding or changing tools only takes a platform deploy. No extension rebuild.
50+ built-in MCP tools. Projects, members, logs, metrics, dashboards, domains, pipelines, backups, routing, variables, agent actions, function graphs, context library, and more.
Action Gateway. Drop a nodge-actions.yml in your repo and your app's endpoints become AI-callable tools. The platform proxies the call with a scoped platform token.
Multi-LLM proxy. Anthropic, OpenAI, Google, and Mistral all supported. Switch providers without rewriting your code. Agents never see real API keys.
Per-call cost tracking. Every LLM call records model, tokens, cost, project, and agent identity. Reconcile spend with one query.
Event bus. Apps and agents publish and subscribe to events through a shared bus. Cross-project subscriptions require explicit approval.
Subscription approval workflow. One agent wants to listen to another's events? Admin approves, audit trail records who, when, and why.
OAuth2 for external clients. Built-in OAuth2 server for VS Code, Theia, and other editor integrations. Refresh tokens rotated on use.
Personal access tokens. Issue per-user PATs for scripts and integrations. Plaintext shown once at issuance, hashed at rest.
External MCP connections. Connect Nodge to other MCP servers your organisation runs. OAuth flow handled by the platform.

Coming next

Per-project pipeline hardening. The same supply-chain gates we run on our own builds, available as opt-in toggles on your project pipelines.
Per-project vulnerability scanning. Trivy injected into your project pipeline. Critical findings fail the run; results surface in the project's pipeline tab.
Per-project software bill of materials. CycloneDX SBOM generated on every release, downloadable from the pipeline UI.
Per-project image signing. Cosign keyless signatures tied to your organisation's build identity. Downstream consumers can verify provenance.
Per-project build attestation. SLSA-conformant attestation per build, recording commit, workflow, and runner identity.
Per-project secret and static scanning. Gitleaks blocks credential leaks before they enter the repository. Semgrep flags common vulnerability patterns before they reach production.
Per-project licence compliance. Reusing the SBOM, every build is checked against an organisation-level licence policy.
Customer-side runtime hardening defaults. Privilege escalation off, capabilities dropped, read-only root filesystem, default-deny network policies applied to your deployments out of the box.
Airgap-first pipeline delivery. Every gate ships with two delivery modes: configs hosted by Nodge, or pointed at your own scanning services on an internal network.

Secure

The full security posture, summarised. Read the detailed security page.

Shipped today

AES-256-GCM at rest. Sensitive data encrypted at the application layer, with the master key held outside the database.
Cluster-layer encryption. Kubernetes Secrets and cluster storage encrypted, on top of application-layer encryption. Defence in depth.
TLS 1.2+ in transit. Automatic certificate provisioning, HSTS preload, strict security headers. A-graded out of the box.
Per-project isolation. Each project environment runs in its own container with its own network, variables, and filesystem.
Default-deny networking. Cross-project pod-to-pod traffic is denied by default. Connections are only opened when you explicitly link projects.
Per-organisation network separation. On shared compute, organisations are separated at the underlying network layer in addition to access policies.
Per-organisation CI runners. Each organisation gets isolated build runners. One organisation's CI cannot read another's source code, secrets, or artefacts.
Active threat detection. Live engine watching platform logs and host events for brute-force, scanning, and abuse. Enforced at the host firewall in real time.
Default-deny session gating. Admin routes, Git UI, dashboards, and the browser IDE all sit behind a session gate. No internal surface reachable without a valid session.
Built-in supply chain controls. Every platform image is signed (Cosign), inventoried (CycloneDX SBOM), attested (SLSA), scanned (Trivy + npm audit), and analysed (Semgrep + Gitleaks). Critical findings block the build.
Licence compliance gate. Every build is checked against the licence policy. Copyleft-incompatible dependencies fail the build automatically.
Runtime hardening. Platform containers run with privilege escalation off, all capabilities dropped, and a read-only root filesystem.
Backup tamper resistance. Backups are encrypted client-side and pushed to a target the platform cannot read back or delete from. Even a compromised platform cannot wipe historical backups.
Restore is human-initiated. The decryption key never sits on the platform host. Restore happens deliberately, outside the platform, so a compromised platform cannot silently restore attacker-chosen data.
Incident response runbook. Documented escalation paths, 72-hour GDPR notification clock, customer-notification templates, and structured post-mortems.

Coming next

Distroless base image. Switch every platform service to a distroless runtime built reproducibly, with a daily CVE patch chain. Smaller surface, cleaner CVE reports, fewer living-off-the-land options after a hypothetical incident.
Nightly DAST. Automated dynamic scans against staging, catching missing headers, CORS misconfigurations, and cookie-flag issues before they reach production.
Operations VPN mesh. SSH and internal admin UIs sit behind a WireGuard mesh. Public web traffic stays public; everything else requires the mesh.
Health probe CLI. A diagnostic CLI that checks firewall configuration, SSH hardening, certificate expiry, disk and swap, and container health on every server.

Sovereign

Built for organisations where data residency and exit options are non-negotiable.

Shipped today

EU-only stack. Every layer of the platform is open-source software running on European infrastructure. No American services in the runtime path.
No phone-home telemetry. The platform does not send analytics, usage data, or diagnostic traffic to us or anyone else.
No vendor control plane. Self-hosted deployments have zero external dependency after install.
Air-gapped deployment. Install on your own servers, fully offline, with no internet egress requirement.
Your code, your formats. Standard Git repositories, standard container images, standard databases. Export and leave at any time. No proprietary format, no exit barrier.
Compliance posture. Aligned with GDPR Articles 32 and 33, ISO 27001:2022, NIS2, Schrems II, and OWASP Kubernetes Top 10.
Documented evidence pack. ISO certificate, statement of applicability, external pentest report, SBOM per release, incident-response runbook, key-rotation runbook, and recovery-drill log shared under NDA.

Coming next

Self-service airgap installer. A single-file installer that runs on a fresh server, installs k3s, applies the manifests, and bootstraps your first organisation. Today's air-gapped installations are white-glove.
Move our own builds to Forgejo Actions. Drop the last US dependency in our own build chain so Nodge's own pipeline runs the same way customer pipelines do.

The full feature index.

Develop

Shipped today

Coming next

Operate

Shipped today

Coming next

Govern

Shipped today

Coming next

Integrate

Shipped today

Coming next

Secure

Shipped today

Coming next

Sovereign

Shipped today

Coming next

Take Nodge for a spin.