Git tracks the diff. h5i tracks the workspace behind it, a Git-backed worktree where every prompt, command, log, policy, and handoff is recorded in your repo and provable after the fact. Posts on four pillars: sandboxed workspaces, reviewable agent work, prompt provenance, and context compression.
h5i teamPoint several coding agents at the same task in sealed workspaces, let each work blind, then let a neutral, sandboxed verifier — not any agent's own say-so — pick the winner. Sealed workspaces, permissioned reviews, auditable convergence, so a human can merge with proof, hands-off.
The sandboxed worktree is the canonical auditable workspace, what it could and couldn't reach, provable. h5i env.
Run an agent in a confined, disposable environment, a git worktree plus tiered isolation (Landlock, seccomp, namespaces) and an airtight, rootless network egress allowlist a raw socket can't bypass, then audit everything it did before it touches your branch.
What a sandbox is, what it can defend, what it cannot defend, and why AI coding agents require capability boundaries rather than permission prompts.
A practical implementation guide covering worktrees, Landlock, seccomp, namespaces, cgroups, network egress allowlists, secrets brokers, and audit captures.
container-use, sandbox-runtime, OpenSandbox, E2B, gVisor, Kata, Firecracker, and h5i compared by boundary, workflow, egress control, and provenance.
h5i's env design in detail: tiered rootless isolation, supervised egress, mediated commits, secrets, captures, boundary pressure, and honest defense limits.
settings.json Decides TrustClaude Code < 2.1.53 resolved permissions.defaultMode from a committed .claude/settings.json before deciding whether to show the workspace trust dialog. CWE-807, fixed in 2.1.53.
A load-order bug let project code execute before the user accepted Claude Code's startup trust prompt. CWE-94, fixed in 1.0.111. The mechanics, the patch, and the design lesson for any agentic CLI.
Git tracks the diff; reviewers need the workspace behind it, intent, context coverage, risk, evidence, and a way to undo by intent. Review-ready PR evidence.
Git remains the source of truth for code. The auditable workspace adds the missing layer: why an agent changed the code, what context it used, what evidence it saw, and how reviewers can audit the result.
A diff tells you what changed. It does not tell you what the agent was asked, which files it ignored, why it chose the approach, or whether the risky part was tested.
Reviewing agent-written code is not just line-by-line inspection. Start with intent, verify context coverage, rank risky files, and require evidence for the behavior that changed.
The PR body is one view of h5i's shared context: review focus, risk signals, reasoning highlights, tests, and provenance where reviewers already work.
git blame to AI blame: per-line provenance for AI-era codegit blame answers "who wrote this" with a name and a date. h5i recall blame adds the prompt, the model, the agent, and the test result that produced each line, same ergonomics, four more answers.
Your team merges 50 PRs a week, 30 of them AI-assisted. A four-vector framework, blind edits, uncertainty, scope creep, prompt injection, produces a single ranked review queue.
Turn captured uncertainty signals into a per-file review heatmap so human reviewers can focus on the parts of an AI-assisted diff that deserve the most attention.
Git notes are a useful primitive for attaching metadata. h5i is the workflow layer: capture, recall, audit, share, and multi-agent context.
Git hooks protect repository operations. Claude Code hooks observe and steer the agent while it works. They are complementary, not interchangeable.
Who asked, why, what the agent knew, and how agents hand work to each other, recorded in refs/h5i/notes and refs/h5i/context.
A prompt quality signal without an LLM: h5i turns each AI commit's prompt into an explainable 0–100 score, seven classical-NLP signals, anti-gaming guards, and balance gates.
Claude Code can edit real repositories. The missing workflow is durable provenance: prompt, agent identity, changed files, tests, and review context stored next to the commits.
The injection lives in the trace, not the output. Eight deterministic regex rules over OBSERVE/THINK/ACT entries catch override and exfiltration patterns with no model in the audit path.
Code has Git. Agent reasoning usually has a disappearing chat window. h5i stores OBSERVE, THINK, ACT, NOTE, branches, merges, and checkpoints as shared context.
Agents already coordinate through files and commits. h5i makes the communication explicit: typed asks, reviews, risks, handoffs, and done messages stored in a shareable Git ref.
Two agents sharing one repo usually have no way to talk. i5h gives them a channel built from Git: typed work handoffs, ask, review, hand off, done, appended as durable, replayable Git objects, with no server to run.
Anthropic gives you a memory primitive. h5i gives you the layers above it, versioned reasoning, per-commit snapshots, and a SessionStart hook that injects the right slice of context into every new session.
The workspace keeps raw logs out of the agent's context window, recoverable, structured, searchable. Compressed tool logs.
A content-addressed object store keeps raw tool output (test logs, builds, big JSON) out of the context window and hands the agent a structured summary, ~95% fewer tokens in a reproducible benchmark, fully recoverable.
Compressed tool logs make output small; a unified JSON/YAML result schema makes it actionable, one shape across tests, compilers, linters, and type checkers, that an agent can branch on, dedupe, and query. h5i's layer beyond rtk/headroom.