h5i logo
CONTEXT VERSIONING · AI PROVENANCE · AUDITABLE SANDBOX

Next-Gen AI-Aware Git

h5i (pronounced high-five) is a Git sidecar for teams where AI agents write code alongside humans. Git records what changed. h5i records the rest: who, why, what the agent knew, whether it was safe, and how the next agent picks up where the last left off.

Get Started See Workflows View on GitHub
curl -fsSL https://raw.githubusercontent.com/h5i-dev/h5i/main/install.sh | sh
Sandbox
CONFINED & AUDITABLE
95%
LESS TOKEN WASTE
3.5x
PR INFORMATIVENESS
1.8x
MULTI-AGENT LOOP
The Problem

Git records the diff. AI agents need more than Git can give.

An agent opens a PR — having run your commands to make it. Before a human can approve, six gaps Git was never built to fill.

What prompt produced this change?git can't say
Which files did the agent read before editing?git can't say
Did the tests pass — and which ones?git can't say
Did another agent already review or hand this off?git can't say
Any secret leak or prompt-injection risk in the reasoning?git can't say
Was the agent sandboxed from secrets, network, and local state?git can't say
The Solution

An evidence layer that lives beside every Git branch

h5i is a Git sidecar. Your commits, branches, and remotes stay exactly as they are — h5i writes the AI context to its own refs/h5i/* refs that travel with the repo.

refs/h5i/envsandbox environments — confined agent runs, Git-based auditable logs
refs/h5i/notesprovenance per commit — prompt, model, agent, tests, decisions, risk
refs/h5i/contextversioned reasoning trace — OBSERVE / THINK / ACT, branched like Git
refs/h5i/msgcross-agent messages — typed asks, reviews, handoffs
refs/h5i/objectstoken-saving object store — raw tool output, kept out of context
▲  h5i sidecar  ·  carried by h5i share push / pull  ▲
your Git repocommits, branches, any remote — unchanged. No SaaS, no new VCS, no lock-in.
h5i concept diagram showing Codex and Claude sharing versioned context through refs/h5i
Agents capture and recall the same versioned context through refs/h5i/*; audits, dashboards, and PR comments are views over that shared record.
h5i commit

Every AI commit ships with its provenance

One command turns an agent's edit into a reviewable record — written to refs/h5i/notes, never touching your source tree.

~/my-project 
$ git add src/auth/token.rs
$ h5i commit -m "fix token refresh" \
    --agent claude --tests --audit

 commit 1a2b3c4 · notes → refs/h5i/notes
 tests: 142 passed, 0 failed (3.1s)
 integrity audit: 12 rules · clean

$ h5i recall log --limit 1
# the diff — now with the why attached
prompt"harden refresh window"
modelclaude-sonnet-4-6 · 8.4k tokens
agentclaude-code
readtoken.rs, session.rs, 2 more
tests142 passed · 0 failed
auditclean · 12 deterministic rules
h5i msg

Claude and Codex coordinate through Git

Multiple agents share one repo. h5i gives them a typed message channel — ask, review, risk, handoff — stored append-only in refs/h5i/msg.

claude → codex REVIEW_REQUEST
review token refresh on feat/auth — focus token.rs, risk: expiry edges
codex → claude RISK
cache crosses requests under load — flagged session.rs:88
claude → codex ACK
good catch — scoping the cache per-request now
codex → claude DONE
re-reviewed 1a2b3c4 — ships. see PR #42
h5i msg review --focus token.rs codex "…"
Typed work handoffs
The i5h protocol: ASK, REVIEW, RISK, HANDOFF, ACK, DONE — threaded by reply, union-merged across clones.
h5i msg wait · h5i share push
No server, no daemon
The whole conversation travels with the repo. An idle agent is woken when a reply lands.
A live Claude ↔ Codex exchange over refs/h5i/msg — every message a durable Git object, replayable later with h5i msg replay. How it works →
h5i capture run

Tool output stops eating the context window

A test or build log can be megabytes. The agent needs the two failures and the count — not the noise. h5i stores raw output out-of-band and surfaces a tiny structured summary.

h5i object store: raw pytest and cargo output (1,424 and 1,397 tokens) normalized into one ToolResult schema at 47 and 73 tokens — 97% and 95% fewer; raw bytes kept out-of-band and recoverable with h5i recall object
h5i capture run -- cargo test
Wrap any command. Failures always captured & searchable.
h5i recall objects --status failed
Query findings across every capture — "did this fail before?"
h5i recall object 82bf…
Rehydrate full bytes on demand — never sits in context unless asked.
h5i share pr

The PR becomes the reviewer's cockpit

One command renders everything h5i knows about the branch into a sticky, idempotent GitHub PR comment — so a human reviewer sees the context, not just the diff.

PR #42 · fix token refresh h5i ✓ sticky
IntentShip OAuth token refresh safely
Review focustoken.rs refresh window · cache scope in session.rs
Provenance3 AI commits · claude-code, codex · all tested
Auditno secrets · no injection · 1 blind edit reviewed
Agent threadscodex flagged cache scope → resolved
h5i share pr post --style review
Sticky & idempotent
Upserts in place via an HTML marker — re-run after every push, no comment spam. Uses the gh CLI you already have.
h5i share pr body --style review
Render anywhere
Print the markdown to stdout — pipe into CI or any review tool, no gh required.
h5i audit

Deterministic risk triage — no model in the loop

Every signal is rule-based and reproducible — blind edits, scope creep, secrets, prompt injection. Riskiest commits surface first; bad ones blocked at commit time.

~/my-project 
$ h5i audit policy check
   model declared (claude-sonnet-4-6)
   audit flag present
   test metrics missing          [error]
  1 error — commit blocked

$ h5i audit compliance --since 2026-04-01
── Compliance Report ──────────────────────
  AI-generated:    74% of commits (30d)
  Audit coverage:  91%
  Policy errors:   3  warnings: 8
  Top risk file:   src/billing/token.rs
h5i audit review --limit 50
Triage funnel
Riskiest AI commits first, before humans spend review cycles.
h5i audit scan
Injection scan
Scan reasoning traces for prompt-injection and exfiltration patterns.
h5i audit policy init
Policy gate
.h5i/policy.toml rules — block on credential leak, require audit on auth.
h5i env

A confined, fully auditable agent sandbox

Hand an agent a disposable environment — a git worktree plus a policy that limits what code can read, write, and reach over the network. It picks the strongest isolation the host supports, records every command and blocked access, and nothing reaches your branch until you apply.

~/my-project 
$ h5i env create fix-auth
  created env · isolation: supervised
  # net.egress = ["example.com"]  — allowlist

$ h5i env shell fix-auth
box$ curl https://example.com
  200 OK          — on the allowlist
box$ curl https://evil.example
  could not resolve host — blocked
box$ nft flush ruleset
  Operation not permitted — can't undo it
h5i env create · shell
Work in a box
Make a confined environment, then work in it — or hand it to an agent. Every command inside is confined by construction.
tiered isolation
As strong as the host allows
Landlock + seccomp + namespaces up to a rootless network egress allowlist — no root, no VM. If the host can't enforce it, h5i refuses rather than quietly running with less.
h5i env diff · log · apply
Audit, then merge
See what changed and every blocked access, then merge onto your branch — reviewer-selected, never automatic.

See every command in action

Eight worked use cases — blame, resume, uncertainty heatmaps, claims, the web dashboard, and the full five-verb feature reference.

Explore all features & use cases →
Get Started

Up and running in one minute

INSTALL

# Install the prebuilt binary curl -fsSL https://raw.githubusercontent.com/h5i-dev/h5i/main/install.sh | sh # …or build from source cargo install --git \ https://github.com/h5i-dev/h5i h5i-core # Init in your project cd your-project && h5i init

CLAUDE CODE

# Print the full hooks config h5i hook setup # Init reasoning workspace if needed h5i recall context init \ --goal "your project goal" # MCP tools + hooks keep context fresh

CODEX

# Start with shared memory h5i codex prelude # Backfill reads/edits h5i codex sync # End with a checkpoint h5i codex finish \ --summary "what changed"

REVIEW + SHARE

# Commit with provenance h5i capture commit -m "ship feature" \ --agent codex --prompt "..." # Publish a PR view of context h5i share pr post \ --style review # Browse locally h5i serve
FAQ

Frequently asked questions

The short answers. The blog and manual have the long ones.

What is h5i?
h5i (pronounced high-five) is an open-source Git sidecar for AI-era development. Git records what changed; h5i records the rest — the prompt, model, agent, reasoning, file observations, decisions, audit signals, and memory behind every change — and versions it alongside your code in refs/h5i/*.
Does h5i work with Claude Code and Codex?
Yes. h5i is built for teams where AI agents write code alongside humans. Claude Code integrates via hooks and MCP; Codex uses explicit prelude, sync, and finish commands. Both agents restore the same shared context when a session starts and check their work back in when it ends.
How is h5i different from plain Git?
Git versions code. h5i adds five semantic dimensions on top: temporal (history), structural (AST), intentional (AI provenance), empirical (test metrics), and associative (cross-agent messaging). It stores this metadata in dedicated refs/h5i/* refs, so it travels with the repo without touching your commit history.
Can h5i reduce AI token costs?
Yes. h5i records verified facts as content-addressed claims and snapshots agent memory, so the next session skips re-grounding. In a reproducible N=5 experiment, seeded claims reduced estimated session cost by 51% and cache-read tokens by 35.5% with full task fidelity.
Is h5i free and open source?
Yes. h5i is free and open source under the Apache 2.0 license, with no lock-in. It is written in Rust and runs on Linux, macOS, and Windows.
Can h5i detect prompt injection in AI-generated code?
h5i audit scan applies deterministic regex rules to every OBSERVE/THINK/ACT entry in an agent's reasoning trace to flag prompt-injection signals — with no model in the audit path — and can rank which commits most need human review.
Can h5i sandbox an AI agent's commands?
Yes. h5i env gives an agent a disposable, confined environment — a git worktree plus a policy that limits what code can read, write, and reach over the network. It picks the strongest isolation the host can enforce (Landlock + seccomp + namespaces, up to a rootless network egress allowlist), records every command and blocked access, and nothing reaches your branch until you apply. No root and no VM required.

Your AI's reasoning deserves version control.

h5i versions the thinking behind your code — so every session resumes where the last one left off. Apache 2.0. No lock-in.

Star on GitHub Read Workflows Read the Manual