★ 450+ GitHub stars · the #1 worktree manager by stars
Captured with each commit, so results replay.
Carried across sessions, no re-grounding.
A policy-enforced worktree per agent.
Raw output out of context, up to 95% less.
Isolated worktrees, merged into one result.
Risk-ranked review of every AI change.
Turn agent permission prompts off: the box is the permission. Writes stay in $WORK, network egress is allowlisted, and every denial is logged as evidence.
h5i:worker$ claude --dangerously-skip-permissions ✻ Claude Code · permissions off ● Bash(cat ~/.ssh/id_rsa) ⛔ blocked: outside fs.read ● Bash(curl https://internal-billing.corp/api) ⛔ 403: not on the net.egress allowlist ● Edit(sync/worker.py) ✓ task finished inside $WORK · every command captured
The agent still finishes the task. Only the reviewed diff is merged.
The prompt, the reasoning, the commands, the tests, the denials: attached to the commit, versioned in Git, recallable from any clone. No SaaS.
$ h5i recall log --limit 1 commit 4f2c9e1 fix: clamp retry jitter agent claude-code · claude-opus-4-8 prompt "Fix the flaky retry test in tests/test_worker.py" context goal + reasoning trace, restorable per commit tests 241 passed · coverage +1 denials 2 blocked · logged as evidence tokens −94% (412 → 9 lines, raw recoverable)
A week later, you can still answer: why did this diff happen, and was it built safely?
Receipts make triage automatic: h5i audit review ranks commits by uncertainty, blind edits, churn, and scope, so review starts with the ones that need it most.
$ h5i audit review --limit 200 Suggested Review Points — 2 of 200 commits flagged #1 a3f1c0d score 0.94 █████████▍ auth: refresh token rotation ▸ security-sensitive · API token leakage · no tests #2 92c80f4 score 0.71 ███████ db: migration for sessions table ▸ large diff · broad scope · low prompt certainty
The receipt never bloats the context: h5i capture run keeps every command's raw output out-of-band and hands the agent a compact, structured summary. Nothing is lost, only the noise.
$ pytest -q tests/test_api.py .................... [ 18%] tests/test_auth.py ...F................ [ 41%] tests/test_cache.py ................. [ 60%] tests/test_db.py .................... [ 82%] tests/test_util.py .................. [100%] … 412 lines: every PASS, warning, and traceback frame streamed into context … ========= 1 failed, 240 passed =========
$ h5i capture run -- pytest -q 1 failed · 240 passed (240 ok collapsed) ▸ tests/test_auth.py:88 expected 200, got 401
h5i team.h5i team fans one task out to agents in sealed worktrees, so they never overwrite each other. They peer-review each other's work, and only the winner merges.
We spoke with dozens of developers during PhD research in AI and systems security. The repeated bottleneck was not code generation. It was safe code acceptance.
Already using Claude Code, Codex, Cursor, or internal agents, and drowning in unverifiable patches.
A standard workflow for running and reviewing many agents.
Sandboxed autonomy and evidence for every blocked action.
Fintech, health, government: audit every AI-written change.
Agents will write more code across more repos. Teams will not trust raw diffs alone.
The scarce resource is no longer code generation. It is safe code acceptance.
Git tracks the diff. h5i tracks the run.