Native gitBecause we speak standard smart-HTTP and SSH, every editor’s built-in git works out of the box. A credential helper and OAuth device flow handle sign-in cleanly, so there’s nothing to install.
Your code never leaves your infrastructure except where you explicitly send it — a mirror you configure, or an AI egress you authorize. Air-gapped operation is a supported mode, not an afterthought.
› Read the docsA committed credential is refused at the push boundary, with the file and line — it never enters history or the reflog. Rejected before it lands, not alerted after.
› Read the docsProtected default branch, server-side reflog retention, and one-click restore of a deleted or force-pushed ref. A beginner’s mistake is never fatal.
› Read the docscommit → PR → release → deploy → crash → author, through TillPulse. Know a release is N% crash-free and which change to look at first — without leaving your host.
› Read the docsBring your own model key. TillForge supplies the context and a default-deny, secret-redacting, audited egress boundary — code never reaches a model without an authorized, logged decision.
› Read the docsStandard smart-HTTP and SSH, so every editor’s native git just works. Plus an MCP server for agents and a VS Code extension for inline observability.
› Read the docsOwning the push boundary is the whole point. Every incoming commit is scanned before it is written — and a match on a credential rejects the push with the file and line. Nothing lands: not on the branch, not in the reflog. The industry norm is to scan after the fact and email you once the secret is already in history; by then it must be treated as compromised and rotated. We move the check one step earlier, to the only place it actually prevents the leak.
The same boundary enforces the rest of your policy in one pass: signed commits on protected branches, an author identity that has to match the person pushing, and a size rule that sends big blobs through LFS instead of bloating history.
A genuine false positive is handled honestly — an audited, per-repo allowlist with a stamped reason, not a global off-switch. And it fails closed: if the scanner itself errors, the push is rejected, never waved through.
Security model →A force-push over main, a deleted branch, a dangling commit — none of these are the end of an afternoon. The server keeps its own history of every ref change, so the state before the mistake is always addressable.
These are defaults, not opt-ins. The beginner gets covered without configuring anything; the expert can tune the policy. Safety you have to remember to switch on is safety most teams never have.
Recovery reference →protected mainForce-push and delete of the default branch are refused by default. Turning that off is a deliberate, audited choice — not the starting position.
reflog retentionThe server keeps its own reflog and won’t garbage-collect recently-orphaned commits, so a bad push is recoverable independent of anyone’s local clone.
one-click restoreRestore a deleted branch or a force-pushed-over ref to its prior commit. The restore compare-and-swaps on the current value, so a newer push is never clobbered.
branch policyRequired approvals, checks, signatures, and linear history — evaluated at the push boundary itself, not merely suggested by the UI you can route around.
Because the commit, PR, and blame graph all live here, TillForge closes the loop the rest of the industry stitches together with brittle webhooks: commit → PR → release → deploy → crash → blame → author, natively, through TillPulse.
The attribution is honest: clean at release granularity, and per-PR only under continuous deploy or explicit ranking. We never claim “that PR did it” when a release bundles many.
Correlation reference →You bring the model key; we never run inference and never put your code’s model bill on our books. What we build is the part that’s hard and defensible — the context pipeline and the egress boundary. Every code-to-model call passes a policy gate: default-deny for repos you mark crown-jewels, secret-redaction before send, size and scope limits, and a full audit record of what left, to which endpoint, for whom.
Nothing leaves without an authorized, logged decision. The endpoint itself is re-resolved and IP-pinned by the same guard that protects every outbound request, so an attacker can’t point “the model” at your metadata service.
In air-gapped mode, egress is allowed only to an operator-approved endpoint — the AI layer works without your source ever touching the open internet.
AI & egress governance →Speaking the standard git protocols means the baseline is free: whatever you already write code in, its native git just works. Everything above that — agents, inline observability — is additive, never required.
Native gitBecause we speak standard smart-HTTP and SSH, every editor’s built-in git works out of the box. A credential helper and OAuth device flow handle sign-in cleanly, so there’s nothing to install.
MCP serverA dependency-free server any terminal agent already speaks — the agent brings the model, so there’s no per-user key. It enforces the same repo permissions as the web: no ambient authority.
VS Code extension“Crashed N× in prod” right in the gutter, blame-with-observability on hover, in-editor PR review, and an editor-side secret check that catches the credential at the earliest point in the chain.
A code host is the place supply-chain attacks live, so TillForge is built security-first: when security trades against convenience, performance, or a ship date, security wins. A feature that cannot ship safely does not ship.
Where we can, we make a weakness structurally unreachable rather than patch instances of it: command injection (CWE-78) can’t occur because the git node only ever builds argument arrays — never a shell string from input; SSRF (CWE-918) can’t reach your metadata endpoint because every mirror, webhook, and model URL is re-resolved and IP-pinned; and one tenant can’t read another’s repo because on-disk paths are derived from opaque internal ids, never from a user string.
A credential is refused before it enters history or the reflog — with the file and line, and a fail-closed scanner.
Protected main, reflog retention, author verification, and branch policy are on by default; experts tune, beginners are covered.
Code never leaves your infrastructure except where you explicitly send it. Air-gapped operation is a supported mode.
Default-deny, secret-redacted, fully audited — code never reaches a model without an authorized, logged decision.
Every row is org-scoped and answers 404-not-403; on-disk paths come from opaque ids, never a user-supplied name.
Repos are envelope-encrypted per org, and every envelope names its suite — so primitives rotate without breaking existing repos. Hybrid post-quantum posture where it matters.
TillForge isn’t a second identity system to run alongside your others — it’s the source layer of the TillDev workspace you already have. It reuses the suite, which is why enterprise-grade is unusually cheap for it to reach.
The commit→PR→release→deploy→crash→author pipeline runs through TillPulse, subsuming its old GitHub-link. The git node reports its own health to the same board it protects.
Identity, RBAC, and SSO come from TillAuth; repo and CI secrets plus per-org encryption from TillSecrets; edge protection from TillShield and TillGate; backup and restore-verification from TillArk. No parallel anything.
Every push decision, policy change, force-push, recovery, and AI egress appends to the shared, append-only TillDev audit log — next to your Pulse, Auth, and Shield events.
We host our own code on TillForge first. It won’t open as something you can buy until it has carried a real team’s history through real mistakes — a force-push, a leaked key caught at the boundary, a recovery under pressure — not just a passing test suite.
Sovereign git hosting where a secret never lands, a mistake is never fatal, and every commit is one hop from the crash it caused. Bring any editor — keep your code where it belongs.
You don't have to use the rest. But they fit together — same workspace, same audit log, same shortcut to switch between them. Add what you need when you need it.