Skip to content

Releases: suzuke/agentic-git

v0.2.2 — Windows build fix

Choose a tag to compare

@suzuke suzuke released this 05 Jul 15:23
2b4ab26

agentic-git 0.2.2

A patch release for the shim: the workspace now builds on Windows (#15). agentic-git-core stays at 0.1.0.

The Windows arm of parent_process_name() referenced an undeclared sysinfo crate, so cargo build had always failed on Windows. It now returns None — a fail-safe that leaves the cross-branch deny path intact and only skips the gh-post-merge noise-suppression optimization. The test-windows-advisory CI job (build + cross-platform contract tests) is green for the first time.

Windows runtime is still unverified — this makes the product compile on Windows; the cfg(windows) code paths have not been exercised on a real Windows host.

Install / upgrade

cargo install agentic-git      # or --force to upgrade

v0.2.1 — concurrent-provisioning fix

Choose a tag to compare

@suzuke suzuke released this 05 Jul 14:27
45fc314

agentic-git 0.2.1

A patch release for the shim: concurrent session provisioning is now race-free (#13). agentic-git-core stays at 0.1.0.

Two agents starting a session on the same repo at once could previously fail to provision — git's worktree add and the git config --worktree hooks wiring both scan the shared worktree list and could read a sibling's half-written admin metadata (failed to read .git/worktrees/<other>/commondir). A per-source-repo advisory flock now serializes the whole metadata-touching provisioning section (released before the agent spawns, so sessions don't serialize).

Verified at 2560 concurrent-launch stress plus an independent 24-way probe — 0 failures.

Install / upgrade

cargo install agentic-git      # or: cargo install agentic-git --force

v0.2.0 — one-command recovery + run-first onboarding

Choose a tag to compare

@suzuke suzuke released this 05 Jul 11:14
90c7b57

agentic-git 0.2.0

The shim gains one-command recovery and a run-first onboarding story. agentic-git-core stays at 0.1.0 (unchanged contract crate).

agentic-git snapshots restore (#10)

Recover work a reset --hard / clean -fd erased, in one command — no snapshot ref, no git internals:

agentic-git snapshots restore --repo <worktree>
  • Non-destructive — writes the snapshot's paths back; never deletes files created after it.
  • Unstaged by default — recovery lands in the working tree, not your next commit (--staged for the classic behavior).
  • Fail-closed safety net — snapshots your current state first (undo target) and aborts if that fails.
  • Refuses to guess — no ref + one snapshot → uses it; several → lists candidates unless --yes.
  • Robust to huge trees (pathspecs via stdin, no ARG_MAX), non-UTF-8 and pathspec-magic filenames (:(glob)…).

Run-first onboarding (#11)

  • README quickstart now leads with agentic-git run (it shipped; it was wrongly listed as roadmap).
  • A runnable demo/recovery-demo.sh: an agent erases work → one command brings it back. It asserts every step, so it doubles as a cold-start acceptance check.

Install

cargo install agentic-git

Every finding in this release was caught by adversarial review before merge (three real bugs: ARG_MAX/E2BIG, pathspec-magic filenames, and a demo that misreported git status).

v0.1.0 — a guarded git for AI coding agents

Choose a tag to compare

@suzuke suzuke released this 04 Jul 17:22
50d376f

A guarded, transparent git for AI coding agents. A small Rust binary that masquerades as git on an agent's PATH — invisible until the moment it matters.

Extracted from agend-terminal (where it ran a production fleet of coding agents sharing real repos on one machine), with full shim history preserved. Apache-2.0.

What's in it

  • Per-agent worktree routing — every mutating git command is routed into the agent's bound worktree (HMAC-signed binding).
  • Deny guardrail matrix — blocks the operations that wreck multi-agent setups (git worktree lifecycle, cross-branch/protected-branch checkout, unbound mutations, canonical-HEAD detaching, pushing trust-root files) with actionable, LLM-readable remedies.
  • Commit provenance — a prepare-commit-msg hook attributes every commit to the agent that made it; a reference-transaction hook journals ref moves.
  • Audited bypassAGENTIC_GIT_BYPASS=1 (+ per-agent / time-boxed forms), logged.
  • agentic-git run --branch <b> -- <cmd> — standalone session mode that provisions a worktree, key, signed binding, and hooks, then launches your agent inside the guarded session.
  • Recovery layer — before a destructive op (reset --hard, clean -f*, worktree-overwriting checkout/restore, switch --discard-changes, stash drop|clear, merge/rebase/…) the shim snapshots the working tree into a private refs/agentic-git/snapshots/… ref first (fail-open, never blocks). Restore via git checkout <snap> -- .; manage with agentic-git snapshots list|prune.

Honest positioning

A seatbelt, not a cage: a same-uid userspace shim aimed at semi-trusted, accident-prone agents. It stops a prompt-injected or buggy agent from trashing your checkout by habit or mistake; it is not a hard boundary against a determined adversary calling /usr/bin/git directly. For that, run kernel-level isolation underneath it.

Install (from source)

git clone https://github.com/suzuke/agentic-git && cd agentic-git
cargo build --release

crates.io publish is pending (cargo install agentic-git not yet available).

Compatibility

Every AGENTIC_GIT_* env var falls back to its legacy AGEND_* name, so an existing agend-terminal fleet can adopt this binary with zero orchestrator changes.

Platforms

macOS (Apple Silicon) and Linux x86_64 are tested. Windows cfg paths exist but are unverified (CI runs them as a non-blocking advisory job).


This is an alpha: battle-tested logic, fresh packaging. See the README for the full mechanism, environment contract, and roadmap.