A code host where a mistake is not fatal.
GATillForge is sovereign, security-first git hosting. Your editor’s native git works with zero plugin — over HTTPS or SSH — but a secret can’t leak past the push boundary, the default branch is protected and recoverable, and every repo is natively correlated with the crashes it causes in production. It reuses the rest of TillDev: identity from TillAuth, keys from TillSecrets, and observability from TillPulse.
Default-safe, not opt-in-safe
Every host stores git. Almost none make the unsafe path the one you have to choose. TillForge inverts that: the protections a beginner would forget to enable are on from the first push, and an expert can tune them.
- Secrets can’t leak. The push boundary scans every introduced blob and rejects the push — with file and line — so a credential never enters history or the reflog. It fails closed: if the scanner can’t run, the push is refused, not waved through. See Branch protection.
- No mistake is fatal. The default branch is protected against force-push and delete, and a server-side reflog keeps recently-orphaned commits — so a deleted branch or a force-pushed-over ref is a one-click restore, not a lost afternoon.
- Sovereign by construction. Code never leaves your infrastructure except where you explicitly send it — a mirror you configure, or an AI call you authorize through the egress boundary. Air-gapped operation is a supported mode.
The promise isn’t “we host your code” — it’s “a master coder is fully covered and a beginner’s mistake is not fatal.”
One boundary, both transports
TillForge owns the push boundary. Whether a push arrives over HTTPS or SSH, it passes the same pre-receive policy — secret-reject, branch policy, author-identity check — before a single ref moves. Only a clean, authorized push lands.
your editor · CI · terminal agent
│ git over HTTPS (tfp_ token) or SSH (registered key)
▼
┌──────────────────────────────────────────────────┐
│ push boundary (pre-receive · fails closed) │
│ secret-reject · branch policy · author identity │ ◀─ every push,
└───────────────────────┬────────────────────────────┘ both transports
│ only a clean, authorized push lands
▼
your repositories (org-isolated · encrypted at rest)
│ │
▼ ▼
history & recovery AI egress boundary
reflog · one-click restore default-deny · redact · auditTwo front doors reach the same repos: git (clone / fetch / push, authenticated by a tfp_ token or an SSH key) and the dashboard & CLI (session or token auth) for policy, PRs, findings, and recovery. A control-plane outage never blocks a git push or clone. More in Repositories.
What's on by default
These defaults ship active on every repo — you don’t configure them to be safe, you configure them to be less strict when you have a reason:
| Default | What it does | How you tune it |
|---|---|---|
| Protected default branch | Force-push and delete of the default branch are rejected. | Branch policy |
| Secret-reject at push | A credential in any pushed blob rejects the push; fails closed. | Audited per-repo allowlist |
| Reflog retention | Recently-orphaned commits are kept; deleted / force-pushed refs recover. | Recovery window |
| Author verification | A commit author must map to the authenticated identity — no impersonation. | Verified secondary emails |
| Org isolation | One org can never read, clone, or influence another org’s repos. | — |
| AI egress default-deny | Code never leaves to a model unless you allow it — redacted and audited. | Per-repo egress policy |
Security is the spine, not a section
A code host is the place a supply-chain attack lives — the source is the asset and the signing keys are a harvest-now, decrypt-later target. TillForge is designed accordingly: whole weakness classes are made absent by construction rather than patched instance by instance.
- No shell string is ever built from input — command injection is structurally unreachable; the git node executes argv arrays only.
- Every outbound URL is SSRF-validated and IP-pinned — mirror sources, webhook targets, and AI endpoints alike.
- The on-disk repo path is derived from opaque ids, never a user string, and one org’s objects are unreachable from another’s.
The full posture — sovereignty, the push boundary, AI egress governance, recoverability, and the CWE coverage map — is one screen: Security.
What's in the box
- Quickstart — create a repo, mint a token, clone and push over HTTPS from any editor, watch a secret get rejected.
- Repositories — create, clone, and push over HTTPS + SSH; the clone URL and
tfp_token flow; browse code, history, and blame. - Access & tokens —
tfp_tokens, SSH keys, and the owner / admin / developer / viewer roles that govern git and the API. - Branch protection — protected branches, secret-reject-at-push, and one-click reflog recovery — the security wedge.
- Pull requests — reviews, the merge gate, the checks / status API, and CODEOWNERS.
- Code search — literal, line-numbered search across a repo at any revision, from the CLI or the Code tab.
- Releases & builds — tagged releases with a generated changelog and a checksummed build per platform.
- Deployments — preview before production, with an approval gate and commit-pinned crash correlation.
- Events & webhooks — signed webhooks for your pipeline and personal notifications for your work.
- Security — the posture: sovereignty, the push boundary, AI egress governance, and recovery.
- CLI reference — every
tilldev forgecommand.
Start with the Quickstart. TillForge is part of TillDev — one workspace, one login, one audit log.