AI agents and Git, governed

MCP context without handing over the controls.

FluxGit's MCP layer gives AI agents repository context through 22 read-only tools, and a safe way to act: writes exist only as proposals. The agent sends an operation and a reason, the desktop app shows you the preview with its risk level and restore point, and nothing executes until you approve.

FluxGit Settings / Agents / MCP panel: 'Quick connect: copy your MCP config' section with online status indicator, the generic MCP JSON config block, copy and test buttons, and tool surface tier badges
Real FluxGit interface · synthetic demo data · Quick Connect surface in Settings → Agents / MCP

The problem: agents need context, but Git writes are high-risk.

AI coding agents can help explain diffs, summarize branch state and plan next steps. They should not get silent end-to-end control over reset, rebase, patch application or branch mutation just because they can read a repo.

Honest beta limit

The propose-approve loop is live and was verified end to end against a real MCP client, but it is beta software: interactive rebase is not yet supported in the handshake, and the result channel is a poll, not a push. What is shipped is tested; what is not is listed on this page.

How FluxGit helps.

inspectread-only

Read-only tools

Expose repository status, fleet signals, diff context and recovery surfaces without granting mutation endpoints.

boundaryapp-controlled

Write boundary

Risky Git actions stay in the FluxGit desktop cockpit where previews, safety rails and human confirmation can apply.

trustaudit

Audit trail

Beta workflows can review what context agents requested, helping teams debug and set trust boundaries.

Free shell vs FluxGit-powered.

The protocol is open and so is the shell: fluxgit-hq/fluxgit-mcp-server on GitHub, Apache-2.0. It speaks MCP and works without the app for standard Git inspection. The tools that need FluxGit return an explicit upgrade hint, not a fake answer.

free shellopen source

Standard Git inspection

repo.brief, repo.scope, conflict.read (an active conflict as structured data: base, ours, theirs and marker regions), repo.status, repo.refs, repo.history, repo.reflog, commit.details, worktree.changes, submodule.status, diff.text. Works with local git alone.

hybridgraceful fallback

Capability-negotiated tools

fleet.radar, diff.semantic, diff.semanticFallbacks, repo.conflictPreflight. Return documented fallback metadata without FluxGit; enriched when the gateway is configured.

FluxGit-poweredrequires the app

Safety-grade tools

safety.timeline, safety.eventDetails, flux.latestRestorePoint, flux.restorePoints, flux.restorePointDetails. Return error code 10001 without FluxGit because synthesizing them from local refs would mislead the agent.

Built and live today.

Version control is shifting from a human authoring tool to a human governance layer over change written by machines. These are not plans; they are in the current build.

provenance

See what the machine wrote

Every agent-authored commit is flagged in the history with an AI badge and the detected signature — from commit trailers and author identity, never guessed. Approvals and executions land in an audit log you can sign with Ed25519.

governance

Approve intent, not clicks

Single operations and multi-step plans go through one approval card with risk copy. A plan captures one restore point before its first step and the completed card offers "Undo entire plan" through the guarded reset flow. A declarative policy can also reject out-of-policy proposals (wrong branch, forbidden operation) before a card even opens.

parallel work

Watch every parallel workspace

Linked worktrees — including agent worktrees — show up as badges on commits, as playhead rings on the graph, and as a cockpit strip with compare, reveal and open actions plus divergence against your checkout.

review at volume

Triage by risk, not by time

The Review Inbox in Review mode ranks pending agent proposals by destructiveness — a hard reset outranks a merge no matter which arrived first — with inline reject, and lists machine-authored commits with reveal-in-graph.

What comes next.

Two things are planned and not built yet. Saying so plainly beats a roadmap of chips.

orchestration

Merge the winning attempt

When several agents try the same task in parallel worktrees, you can already compare the attempts from the cockpit strip. The planned piece is the one-action finish: merge the winner through the guarded flow with a restore point, and clean up the rest.

anywhere

Approve from your phone

The approval queue does not care where you are. A companion view for reviewing and approving agent proposals away from your desk is planned for after the desktop launch.

Built for your agent's context window.

An agent's scarce resource is context, not speed. Understanding a monorepo through raw CLI costs 6-10 git commands and thousands of tokens of human-shaped output. These tools return compact, structured answers designed to be read by a model.

one callrepo.brief

Situational awareness in one call

Branch, ahead/behind, in-progress operation, working-tree summary, stashes, aggregated submodule drift, recent commits and next-step hints — the first call of an agent session, instead of eight.

diffdiff.semantic

Review behavior, not lines

The agent asks for the structural change instead of burning its window on a 5,000-line patch — and the tool says so honestly when it falls back to text.

preflightrepo.conflictPreflight

Know the conflict before proposing

Merge-tree based what-if without fetch or mutation. The agent finds out whether a merge conflicts before it asks you to approve one.

multi-repofleet.radar

Watch a fleet without a fetch

One call summarizes which of your repositories need attention, including predicted upstream conflicts from cached refs. No remote is touched.

Tool surface.

Twenty-two read-only tools and six write-with-UI-handshake operations, all labelled by tier. Writes never leave the desktop app — the agent proposes, you approve in FluxGit.

repo contextfree

Read the repo

  • repo.brief · one-call situational awareness: branch, ahead/behind, in-progress operation, working-tree summary, stashes, submodule drift, recent commits and next-step hints
  • repo.scope · monorepo scoping: one subtree's changes, recent commits, churn and CODEOWNERS owners in a single call
  • repo.status · working tree, current branch, dirty paths
  • repo.refs · branches, tags, remotes, stashes
  • repo.branchStack · current vs upstream/base/related
  • repo.history · paginated commit history
  • repo.reflog · movement timeline with recovery hints
  • commit.details, worktree.changes, worktree.list, submodule.status
difffree + enhanced

Explain changes

  • diff.text · standard git diff compatible patch
  • diff.semantic · negotiated. Returns supported=false fallback unless FluxGit's semantic engine is wired
  • diff.semanticFallbacks · per-path fallback metadata
multi-repofree + enhanced

Cross-repo signals

  • fleet.radar · prioritized attention stack across selected repos. Cached refs only without FluxGit; predictive when gateway is wired
  • repo.conflictPreflight · advisory merge/rebase outcome before running, never mutating
safetyFluxGit-powered

Recovery context

  • safety.timeline · synthesized risk events from restore points + reflog
  • safety.eventDetails · drill-down into one event
  • flux.latestRestorePoint, flux.restorePoints, flux.restorePointDetails · audit-grade undo/redo points
write-with-UI-handshake (NEW)Requested by AI

Agent proposes, you approve.

  • operation.preview.merge · agent proposes a merge; FluxGit renders the approval card
  • operation.preview.rebase · rewrites-history warning surfaced in the card
  • operation.preview.discard · irrecoverable-warning card with path list
  • operation.preview.reset · mode-aware (hard mode forces strong confirmation)
  • operation.preview.patch · monospace patch preview with applyToIndex toggle
  • operation.preview.plan · a 1-10 step sequence reviewed and approved as one unit; execution stops at the first failure and reports per-step results

The agent dispatches a proposal through the gateway; FluxGit shows a "🤖 Requested by AI agent" card in the desktop cockpit with the agent's plain-language reason. You approve or reject; FluxGit executes through the existing safety pipeline with restore points and reports the captured restore point back to the agent, so it can tell you the change is reversible from Safety Timeline. The agent never holds write power.

Semantic diff with explicit fallback.

Agents lie when they describe a patch as "semantic" without a semantic payload behind it. The contract makes that impossible: diff.semantic only returns supported: true when the FluxGit engine produced structural output. Otherwise it returns the arguments the agent should pass to diff.text as a text-diff fallback, and a precise reason.

Agents connected to FluxGit MCP must say "FluxGit reported a text-diff fallback for this file" when supported=false, never "this is a semantic diff". The wording is published as a contract; we treat over-claiming as a bug.

Honest by protocol

No silent fallback. No fake structure inferred from a text patch. If the file fell back, the agent surfaces which path and why. Senior engineers notice this; it's why we wrote it down.

Connect any MCP-compatible agent.

FluxGit MCP is protocol-aligned, not vendor-aligned. Paste this block into any MCP host config. The desktop app pre-fills the absolute sidecar path and gateway address from the running process.

{
  "mcpServers": {
    "fluxgit": {
      "command": "<absolute path to fluxgit-mcp-sidecar bundled with FluxGit>",
      "env": {
        "FLUXGIT_GATEWAY_ADDR": "<auto-filled, e.g. 127.0.0.1:14660>",
        "FLUXGIT_MCP_AUDIT_LOG": "<optional path to a JSONL audit file>"
      }
    }
  }
}

Works with any MCP-compatible code agent. No client-specific install required.

FluxGit desktop cockpit with the '🤖 Requested by AI agent' modal open: an agent has proposed merging refs/heads/feature/cart-redesign into refs/heads/main with the reason 'All tests are green, this implements the cart redesign discussed in #234' and the user can approve or reject with the FluxGit safety pipeline behind the approval
Real FluxGit interface · synthetic demo data · 🤖 Requested by AI agent flow
Shipped 2026-05-28

Write with UI handshake.

FluxGit MCP closes the loop: agents propose writes, FluxGit shows the preview, the user approves in the app, FluxGit executes through its existing safety pipeline. The agent never has write power; the user reviews everything in the UI they already trust.

All six operations are live: operation.preview.merge, operation.preview.rebase, operation.preview.discard, operation.preview.reset, operation.preview.patch and operation.preview.plan for multi-step proposals with one approval. Every preview gets a previewId; the audit chain links agent intent → user approval → execution.

The moat

Cloud-hosted MCP servers without an app cannot do this. FluxGit can because the approval UI lives in the desktop cockpit. It's the structural reason FluxGit-powered tools require FluxGit.

Privacy and security posture.

MCP can expose sensitive repository facts to a connected agent, so the boundary must be explicit. FluxGit gives agents no direct write capability: every mutation is a proposal that a human approves in the app. Semantic diff fallback is labeled, fleet status never fetches aggressively on an agent's behalf, and AI/provider data sharing is a separate user-controlled decision. The audit log hashes arguments rather than storing them verbatim.

Related features.