TILLFORGE · OVERVIEW

A code host where a mistake is not fatal.

GA

TillForge is sovereign, security-first git hosting. Your editor’s native git works with zero plugin — over HTTPS or SSH — but a secret can’t leak past the push boundary, the default branch is protected and recoverable, and every repo is natively correlated with the crashes it causes in production. It reuses the rest of TillDev: identity from TillAuth, keys from TillSecrets, and observability from TillPulse.

Dogfood first
TillForge hosts our own code before anyone else’s. The git node, control plane, CLI, dashboard, MCP server, and the whole security spine are built and verified end to end. Where a capability is a later phase — an in-house CI runner, SCIM provisioning, a merge queue — this documentation says so in a callout rather than implying it’s wired.
01The wedge

Default-safe, not opt-in-safe

Every host stores git. Almost none make the unsafe path the one you have to choose. TillForge inverts that: the protections a beginner would forget to enable are on from the first push, and an expert can tune them.

  • Secrets can’t leak. The push boundary scans every introduced blob and rejects the push — with file and line — so a credential never enters history or the reflog. It fails closed: if the scanner can’t run, the push is refused, not waved through. See Branch protection.
  • No mistake is fatal. The default branch is protected against force-push and delete, and a server-side reflog keeps recently-orphaned commits — so a deleted branch or a force-pushed-over ref is a one-click restore, not a lost afternoon.
  • Sovereign by construction. Code never leaves your infrastructure except where you explicitly send it — a mirror you configure, or an AI call you authorize through the egress boundary. Air-gapped operation is a supported mode.

The promise isn’t “we host your code” — it’s “a master coder is fully covered and a beginner’s mistake is not fatal.”

02At a glance

One boundary, both transports

TillForge owns the push boundary. Whether a push arrives over HTTPS or SSH, it passes the same pre-receive policy — secret-reject, branch policy, author-identity check — before a single ref moves. Only a clean, authorized push lands.

text
   your editor · CI · terminal agent
        │  git over HTTPS (tfp_ token)  or  SSH (registered key)
        ▼
 ┌──────────────────────────────────────────────────┐
 │  push boundary   (pre-receive · fails closed)      │
 │  secret-reject · branch policy · author identity   │ ◀─ every push,
 └───────────────────────┬────────────────────────────┘    both transports
                         │  only a clean, authorized push lands
                         ▼
   your repositories   (org-isolated · encrypted at rest)
        │                              │
        ▼                              ▼
   history & recovery            AI egress boundary
   reflog · one-click restore    default-deny · redact · audit

Two front doors reach the same repos: git (clone / fetch / push, authenticated by a tfp_ token or an SSH key) and the dashboard & CLI (session or token auth) for policy, PRs, findings, and recovery. A control-plane outage never blocks a git push or clone. More in Repositories.

03The model

What's on by default

These defaults ship active on every repo — you don’t configure them to be safe, you configure them to be less strict when you have a reason:

DefaultWhat it doesHow you tune it
Protected default branchForce-push and delete of the default branch are rejected.Branch policy
Secret-reject at pushA credential in any pushed blob rejects the push; fails closed.Audited per-repo allowlist
Reflog retentionRecently-orphaned commits are kept; deleted / force-pushed refs recover.Recovery window
Author verificationA commit author must map to the authenticated identity — no impersonation.Verified secondary emails
Org isolationOne org can never read, clone, or influence another org’s repos.
AI egress default-denyCode never leaves to a model unless you allow it — redacted and audited.Per-repo egress policy
04Security

Security is the spine, not a section

A code host is the place a supply-chain attack lives — the source is the asset and the signing keys are a harvest-now, decrypt-later target. TillForge is designed accordingly: whole weakness classes are made absent by construction rather than patched instance by instance.

  • No shell string is ever built from input — command injection is structurally unreachable; the git node executes argv arrays only.
  • Every outbound URL is SSRF-validated and IP-pinned — mirror sources, webhook targets, and AI endpoints alike.
  • The on-disk repo path is derived from opaque ids, never a user string, and one org’s objects are unreachable from another’s.

The full posture — sovereignty, the push boundary, AI egress governance, recoverability, and the CWE coverage map — is one screen: Security.

05Explore

What's in the box

  • Quickstart — create a repo, mint a token, clone and push over HTTPS from any editor, watch a secret get rejected.
  • Repositories — create, clone, and push over HTTPS + SSH; the clone URL and tfp_ token flow; browse code, history, and blame.
  • Access & tokens tfp_ tokens, SSH keys, and the owner / admin / developer / viewer roles that govern git and the API.
  • Branch protection — protected branches, secret-reject-at-push, and one-click reflog recovery — the security wedge.
  • Pull requests — reviews, the merge gate, the checks / status API, and CODEOWNERS.
  • Code search — literal, line-numbered search across a repo at any revision, from the CLI or the Code tab.
  • Releases & builds — tagged releases with a generated changelog and a checksummed build per platform.
  • Deployments — preview before production, with an approval gate and commit-pinned crash correlation.
  • Events & webhooks — signed webhooks for your pipeline and personal notifications for your work.
  • Security — the posture: sovereignty, the push boundary, AI egress governance, and recovery.
  • CLI reference — every tilldev forge command.

Start with the Quickstart. TillForge is part of TillDev — one workspace, one login, one audit log.