PDF version
1 /
Sandboxed worktrees · AI-aware versioning · persistent memory

Auditable Workspaces
for AI Coding Agents

  • h5i gives every coding agent a sandboxed Git worktree.
  • h5i records the evidence behind each change: prompts, commands, logs, policies, and reviews.
  • In Git, no SaaS.

450+ GitHub stars · the #1 worktree manager by stars

AI agents are becoming
production labor.

today

An agent run is unsafe and opaque

  • Untracked prompts and context
  • Dangerous tool usage
  • Conflicting multi-agents
with h5i

An agent run is safe and auditable

  • Sandboxed environment
  • Tracked prompt and context
  • Conflict-free multi-agent development

The pain is already here.

prompts Untracked prompts Can't improve them or reproduce a result.
context Lost
context
Every session re-grounds from scratch.
safety Unsupervised tool use Wrecked envs, malware, secret exfil.
tokens Multi-agent token waste Each agent re-reads the whole repo, and run many tools.
conflict Multi-agent conflict They overwrite each other's work.
audit Hard to audit Which prompt or model shipped a change? Unknown.

h5i solves all six.

promptsPrompt versioning

Captured with each commit, so results replay.

contextPersistent context

Carried across sessions, no re-grounding.

safetySupervised sandbox

A policy-enforced worktree per agent.

tokensToken reduction

Raw output out of context, up to 95% less.

conflictConflict-free ensemble

Isolated worktrees, merged into one result.

auditEasy to audit

Risk-ranked review of every AI change.

A sealed workspace per agent.

Turn agent permission prompts off: the box is the permission. Writes stay in $WORK, network egress is allowlisted, and every denial is logged as evidence.

The agent still finishes the task. Only the reviewed diff is merged.

Every diff gets a receipt.

The prompt, the reasoning, the commands, the tests, the denials: attached to the commit, versioned in Git, recallable from any clone. No SaaS.

a week later · any clone
$ h5i recall log --limit 1
commit 4f2c9e1  fix: clamp retry jitter
  agent    claude-code · claude-opus-4-8
  prompt   "Fix the flaky retry test in tests/test_worker.py"
  context  goal + reasoning trace, restorable per commit
  tests    241 passed · coverage +1
  denials  2 blocked · logged as evidence
  tokens   −94% (412 → 9 lines, raw recoverable)
Prompt
Reasoning context
Commands
Test output
Denied actions
Final diff

A week later, you can still answer: why did this diff happen, and was it built safely?

Triage the riskiest AI changes
before they merge.

Receipts make triage automatic: h5i audit review ranks commits by uncertainty, blind edits, churn, and scope, so review starts with the ones that need it most.

h5i audit review
$ h5i audit review --limit 200
Suggested Review Points — 2 of 200 commits flagged

  #1 a3f1c0d  score 0.94  █████████▍
     auth: refresh token rotation
      security-sensitive · API token leakage · no tests

  #2 92c80f4  score 0.71  ███████
     db: migration for sessions table
      large diff · broad scope · low prompt certainty

Tool output is trimmed before it
burns through the context window.

The receipt never bloats the context: h5i capture run keeps every command's raw output out-of-band and hands the agent a compact, structured summary. Nothing is lost, only the noise.

raw
every line into context
$ pytest -q
tests/test_api.py ....................  [ 18%]
tests/test_auth.py ...F................ [ 41%]
tests/test_cache.py .................    [ 60%]
tests/test_db.py ....................    [ 82%]
tests/test_util.py ..................    [100%]
  … 412 lines: every PASS, warning, and
    traceback frame streamed into context …
========= 1 failed, 240 passed =========
≈ 4,600 tokens spent
filtered
h5i capture run · structured
$ h5i capture run -- pytest -q

  1 failed · 240 passed  (240 ok collapsed)
   tests/test_auth.py:88  expected 200, got 401
≈ 280 tokens · 94% fewer · rehydrate: h5i recall object 41a337be

Scale to many with h5i team.

h5i team fans one task out to agents in sealed worktrees, so they never overwrite each other. They peer-review each other's work, and only the winner merges.

h5i team: one task fans out to claude and codex in sealed sandboxes; they peer-review each other in a continuous loop; a neutral verifier replays and tests every candidate; the one verified result is merged back into your repo.

Agent-heavy developers are
already pulling this.

450+GitHub stars
30+forks
8+active contributors
#1worktree manager by GitHub stars

Teams that generate code faster
than they can safely accept it.

We spoke with dozens of developers during PhD research in AI and systems security. The repeated bottleneck was not code generation. It was safe code acceptance.

beachhead · buys first Agent-heavy engineering

Already using Claude Code, Codex, Cursor, or internal agents, and drowning in unverifiable patches.

Expansion →
Platform / DevEx

A standard workflow for running and reviewing many agents.

Security

Sandboxed autonomy and evidence for every blocked action.

Governance & regulated

Fintech, health, government: audit every AI-written change.

h5i wins by becoming the default auditable workspace for agents.

Agents will write more code across more repos. Teams will not trust raw diffs alone.

Coding agentsgenerate patches.
Sandboxescontain risky execution.
Observabilityrecords what happened.
h5igives every agent run a workspace with isolation, provenance, logs, policies, and reviews.

The scarce resource is no longer code generation. It is safe code acceptance.

We will make h5i the default way
teams accept AI-written code.

Why this exists
  • PhD research in AI + systems security.
  • Dozens of developer conversations on agent safety, sandboxing, and AI-code review.
Built already
  • 450+ GitHub stars.
  • #1 worktree manager by GitHub stars.
  • Dogfooded with real agent-team workflows.
Next 12 weeks
  • Ship the GitHub PR verifier.
  • Convert 10 design partners.
  • Run 1,000 verified agent attempts.
  • Land first paid pilots.

Git tracks the diff. h5i tracks the run.