I keep the forge on a completely separate LAN that never touches the public internet. A solid firewall blocks everything but the control stack, and every device runs only signed firmware so no one can push rogue code. I use MFA for any SSH or web interface access, and I limit those keys to a handful of trusted engineers. All traffic is logged and monitored for odd patterns—any deviation from the normal “heat and hammer” rhythm raises an alert. And on the physical side, the forge door is locked, motion sensors are on, and I keep the power supply isolated from any network that could be compromised. That way the sword stays in the smithy, not on a hacker’s console.