TILLFORGE · TILLDEV

A leaked secret
never lands.

Sovereign, security-first code hosting. Your source never leaves your infrastructure except where you explicitly send it — and a credential you commit by mistake is refused at the push boundary, before it can ever enter history. A master coder is fully covered; a beginner’s mistake is never fatal.

SECURE · at the push boundary
sovereign · reject-at-push · protected-main · reflog recovery · byo-ai · air-gapped
WHAT’S INSIDE

A control plane for your source.

Sovereign hostingBETA

Your code never leaves your infrastructure except where you explicitly send it — a mirror you configure, or an AI egress you authorize. Air-gapped operation is a supported mode, not an afterthought.

› Read the docs
Reject-at-pushBETA

A committed credential is refused at the push boundary, with the file and line — it never enters history or the reflog. Rejected before it lands, not alerted after.

› Read the docs
Recoverable by defaultBETA

Protected default branch, server-side reflog retention, and one-click restore of a deleted or force-pushed ref. A beginner’s mistake is never fatal.

› Read the docs
Native crash correlationBETA

commit → PR → release → deploy → crash → author, through TillPulse. Know a release is N% crash-free and which change to look at first — without leaving your host.

› Read the docs
BYO-AI, governed egressBETA

Bring your own model key. TillForge supplies the context and a default-deny, secret-redacting, audited egress boundary — code never reaches a model without an authorized, logged decision.

› Read the docs
Any editor, zero pluginBETA

Standard smart-HTTP and SSH, so every editor’s native git just works. Plus an MCP server for agents and a VS Code extension for inline observability.

› Read the docs
THE PUSH BOUNDARY

A secret is refused,
not alerted after the fact.

Owning the push boundary is the whole point. Every incoming commit is scanned before it is written — and a match on a credential rejects the push with the file and line. Nothing lands: not on the branch, not in the reflog. The industry norm is to scan after the fact and email you once the secret is already in history; by then it must be treated as compromised and rotated. We move the check one step earlier, to the only place it actually prevents the leak.

PUSHSECRET FOUNDCLEANPUSHcommits · blobsPRE-RECEIVEsecret-scan · policy · authorREJECTEDfile:line · nothing writtenDEFAULT-ONACCEPTED → mainprotected · signed · linearTHE SECRET NEVER ENTERS HISTORY OR THE REFLOG · FAILS CLOSED ON SCANNER ERROR

The same boundary enforces the rest of your policy in one pass: signed commits on protected branches, an author identity that has to match the person pushing, and a size rule that sends big blobs through LFS instead of bloating history.

A genuine false positive is handled honestly — an audited, per-repo allowlist with a stamped reason, not a global off-switch. And it fails closed: if the scanner itself errors, the push is rejected, never waved through.

Security model →
bash · push
$ git push origin main

Enumerating objects: 7, done.
Writing objects: 100% (4/4), 612 bytes, done.

remote: ✗ push rejected — a secret would enter history
remote:
remote:   config/prod.env:12   cloud access key id
remote:   config/prod.env:13   cloud secret access key
remote:
remote:   refused at the push boundary. nothing was written —
remote:   not to main, not to the reflog.
remote:
remote:   redact it, or record a reviewed false positive:
remote:     # tillforge:allow-secret   (audited, per-repo)

error: failed to push some refs
RECOVERABLE BY DEFAULT

A mistake is never fatal.

A force-push over main, a deleted branch, a dangling commit — none of these are the end of an afternoon. The server keeps its own history of every ref change, so the state before the mistake is always addressable.

These are defaults, not opt-ins. The beginner gets covered without configuring anything; the expert can tune the policy. Safety you have to remember to switch on is safety most teams never have.

Recovery reference →
bash · recover
# A teammate force-pushed over main. Nothing is lost.
tilldev forge reflog main --repo api

  #4  09:41  force-push  by u_lena  → 4f2a…
  #3  09:02  push        by u_ada   → e91c…   ← last good
  #2  08:50  push        by u_ada   → b7d3…

# Restore the ref to the commit before the mistake.
# Compare-and-swaps on the current value, so a
# newer push is never clobbered.
tilldev forge reflog recover --repo api --to e91c
ON BY DEFAULT
protected main

Force-push and delete of the default branch are refused by default. Turning that off is a deliberate, audited choice — not the starting position.

reflog retention

The server keeps its own reflog and won’t garbage-collect recently-orphaned commits, so a bad push is recoverable independent of anyone’s local clone.

one-click restore

Restore a deleted branch or a force-pushed-over ref to its prior commit. The restore compare-and-swaps on the current value, so a newer push is never clobbered.

branch policy

Required approvals, checks, signatures, and linear history — evaluated at the push boundary itself, not merely suggested by the UI you can route around.

NATIVE CORRELATION

One hop from commit to crash.

Because the commit, PR, and blame graph all live here, TillForge closes the loop the rest of the industry stitches together with brittle webhooks: commit → PR → release → deploy → crash → blame → author, natively, through TillPulse.

The attribution is honest: clean at release granularity, and per-PR only under continuous deploy or explicit ranking. We never claim “that PR did it” when a release bundles many.

Correlation reference →
bash · correlation
# Which release regressed, and who should look first?
tilldev forge correlation --repo api --release v2.4.0

  release   v2.4.0   crash-free  91.2%   grade C
  vs prior  v2.3.1   crash-free  99.6%   Δ  -8.4pp

  suspect PRs — diff touched files in the new crash stacks
    #812  checkout: retry on 5xx           u_ravi
    #809  cart: parallelize price lookups   u_ada

# release-granular by default; PR-granular under CD.
SCHEMATIC · ILLUSTRATIVEopenedmergedshippedobservedlocalises→ ownerCOMMITsha e91cPR#812RELEASEv2.4.0DEPLOYmarkerCRASHrelease healthBLAMEfile : lineAUTHORnotify · ownersrelease v2.4.0 · crash-free 91.2% · grade C — release-granular attribution
BYO-AI, GOVERNED

Your model. Your key.
Our boundary.

You bring the model key; we never run inference and never put your code’s model bill on our books. What we build is the part that’s hard and defensible — the context pipeline and the egress boundary. Every code-to-model call passes a policy gate: default-deny for repos you mark crown-jewels, secret-redaction before send, size and scope limits, and a full audit record of what left, to which endpoint, for whom.

✗ REFUSEDREDACTEDLOGGEDpayments-corecrown-jewelsDENYdocs-sitepurpose: pr-reviewEGRESS BOUNDARYdefault-deny · redact · auditYOUR MODELbyo key · your endpointAUDIT LOGwho · what · where

Nothing leaves without an authorized, logged decision. The endpoint itself is re-resolved and IP-pinned by the same guard that protects every outbound request, so an attacker can’t point “the model” at your metadata service.

In air-gapped mode, egress is allowed only to an operator-approved endpoint — the AI layer works without your source ever touching the open internet.

AI & egress governance →
yaml · ai-policy.yaml
# Per-repo: may this source leave to a model? Default-deny.
repo: payments-core

ai_egress:
  default: deny             # crown-jewels never leave
  allow:
    - purpose: pr-review     # only for review context
      providers: [openrouter]
      max_bytes: 65536
  redact_secrets: true       # stripped before send, always
  audit: full                # who · what · where · when

# Air-gapped: allow only an operator-approved endpoint.
HOW YOU REACH IT

Any editor. Zero plugin.

Speaking the standard git protocols means the baseline is free: whatever you already write code in, its native git just works. Everything above that — agents, inline observability — is additive, never required.

HTTPS + SSH · ZERO PLUGIN
Native git

Because we speak standard smart-HTTP and SSH, every editor’s built-in git works out of the box. A credential helper and OAuth device flow handle sign-in cleanly, so there’s nothing to install.

AGENT-NATIVE · READ-FIRST
MCP server

A dependency-free server any terminal agent already speaks — the agent brings the model, so there’s no per-user key. It enforces the same repo permissions as the web: no ambient authority.

INLINE OBSERVABILITY
VS Code extension

“Crashed N× in prod” right in the gutter, blame-with-observability on hover, in-editor PR review, and an editor-side secret check that catches the credential at the earliest point in the chain.

NATIVE GIT — WHATEVER YOU ALREADY USE
VS CodeJetBrainsNeovimCursorZedSublimegit CLI
SECURITY IS THE SPINE

Whole classes of bug,
absent by construction.

A code host is the place supply-chain attacks live, so TillForge is built security-first: when security trades against convenience, performance, or a ship date, security wins. A feature that cannot ship safely does not ship.

Where we can, we make a weakness structurally unreachable rather than patch instances of it: command injection (CWE-78) can’t occur because the git node only ever builds argument arrays — never a shell string from input; SSRF (CWE-918) can’t reach your metadata endpoint because every mirror, webhook, and model URL is re-resolved and IP-pinned; and one tenant can’t read another’s repo because on-disk paths are derived from opaque internal ids, never from a user string.

THE SECURITY MODEL
Reject-at-push

A credential is refused before it enters history or the reflog — with the file and line, and a fail-closed scanner.

Default-safe

Protected main, reflog retention, author verification, and branch policy are on by default; experts tune, beginners are covered.

Sovereign by construction

Code never leaves your infrastructure except where you explicitly send it. Air-gapped operation is a supported mode.

Governed AI egress

Default-deny, secret-redacted, fully audited — code never reaches a model without an authorized, logged decision.

Isolated tenants

Every row is org-scoped and answers 404-not-403; on-disk paths come from opaque ids, never a user-supplied name.

Crypto-agility

Repos are envelope-encrypted per org, and every envelope names its suite — so primitives rotate without breaking existing repos. Hybrid post-quantum posture where it matters.

NOT A SILO

Same workspace. Same login.

TillForge isn’t a second identity system to run alongside your others — it’s the source layer of the TillDev workspace you already have. It reuses the suite, which is why enterprise-grade is unusually cheap for it to reach.

01 · CORRELATES WITH

TillPulse

The commit→PR→release→deploy→crash→author pipeline runs through TillPulse, subsuming its old GitHub-link. The git node reports its own health to the same board it protects.

02 · BUILT ON

The suite

Identity, RBAC, and SSO come from TillAuth; repo and CI secrets plus per-org encryption from TillSecrets; edge protection from TillShield and TillGate; backup and restore-verification from TillArk. No parallel anything.

03 · RECORDS

One audit log

Every push decision, policy change, force-push, recovery, and AI egress appends to the shared, append-only TillDev audit log — next to your Pulse, Auth, and Shield events.

WE ARE TENANT #1

We host our own code on TillForge first. It won’t open as something you can buy until it has carried a real team’s history through real mistakes — a force-push, a leaked key caught at the boundary, a recovery under pressure — not just a passing test suite.

TURN IT ON

Sovereign git hosting where a secret never lands, a mistake is never fatal, and every commit is one hop from the crash it caused. Bring any editor — keep your code where it belongs.

PART OF TILLDEV

One of seven.

You don't have to use the rest. But they fit together — same workspace, same audit log, same shortcut to switch between them. Add what you need when you need it.