From an empty repo to a protected push.
GACreate a repo, mint a token, clone and push with your editor’s native git, then watch a secret get rejected at the boundary — the whole loop, in a few commands.
Install the CLI and log in
TillForge lives inside the one tilldev CLI, alongside pulse, auth, cache, and ark. The CLI talks to the dashboard API over HTTPS only.
# The TillForge commands ship inside the one TillDev CLI.
npm i -g @tilldev/cli # or: pnpm add -g @tilldev/cli
tilldev login # opens the browser; scopes the CLI to your orgCreate a repository
A repo is created with a protected default branch and secret scanning on from the first push. Visibility is private, internal, or public.
# Create a repo. The default branch is seeded PROTECTED and
# secret-scanned from the very first push — no configuration.
tilldev forge repos create --name acme-api --visibility private
# → repo acme-api default: main (protected) visibility: privateMint a tfp_ token
Over HTTPS, a tfp_ token is your git password. Scope it read, write, or admin, optionally pin it to a single repo, and give it an expiry.
# Mint a tfp_ token — this is your git password over HTTPS.
# The secret is shown ONCE and stored hash-only; scope it write.
tilldev forge tokens create --scope write --repo acme-api --expires 90
# → tfp_live_… (copy it now — it is never shown again)Clone and push from any editor
Because TillForge speaks standard smart-HTTP, your editor’s built-in git works with no plugin. Clone over HTTPS and push — the token is the password.
# Clone from any editor — native git, zero plugin.
git clone https://git.tilldev.dev/acme/acme-api.git
# Username: your TillDev email (or 'x-access-token')
# Password: the tfp_ token you just minted
cd acme-api
echo "# acme-api" > README.md
git add README.md && git commit -m "first commit"
git push -u origin main
# → pushed · main protected · scanned cleanPrefer keys? SSH works the same way — ssh://git@git.tilldev.dev:2222/acme/acme-api.git — once you register a key.
Watch a secret get rejected
This is the headline. Push a blob that contains a credential and the boundary rejects the whole push — the secret never enters history or the reflog. It fails closed: a scanner that can’t run refuses the push rather than passing it.
# Now try to push a secret. The push boundary rejects it BEFORE
# it can enter history or the reflog — the credential never lands.
git commit -am "add config" # config contains an API key
git push
# ! [remote rejected] main -> main (secret detected)
# config.env:3 aws-access-key-id — remove it and re-push,
# or allowlist with a reason if it is a false positive.Read the findings and the trail
Everything the boundary caught, plus a recovery trail, is one command away — and the same views live in the dashboard.
# Everything the boundary caught, and the recovery trail:
tilldev forge findings acme-api # secrets rejected at the push boundary
tilldev forge reflog acme-api # ref-change history (one-click recover)
tilldev forge audit --limit 5 # the append-only privileged-action logWhat's next
- Repositories — clone / push over HTTPS + SSH and browse code, history, and blame.
- Branch protection — the protected branch, secret-reject, and one-click reflog recovery in depth.
- Pull requests — reviews, the merge gate, checks, and CODEOWNERS.
- CLI reference — every command and flag.