SANDBOXED GIT WORKTREES · AI-AWARE VERSIONING · PERSISTENT MEMORY

Auditable Workspaces
for AI Coding Agents

Run Claude Code, Codex, or whole agent teams inside sandboxes. h5i records the prompts, commands, and reviews behind every change.

curl -fsSL https://raw.githubusercontent.com/h5i-dev/h5i/main/install.sh | sh

A sandboxed, auditable workspace for AI coding agents.

h5i (pronounced high-five) gives every AI coding agent a sandboxed Git worktree, and records the prompts, commands, logs, policies, and reviews behind every change. Run one agent safely, scale to many via a conflict-free multi-agent orchestra, then merge one auditable result. It all lives in your repo, carried by Git, with no SaaS.

Prompt versioning
Every commit carries the prompt, model, and agent that produced it, versioned beside the code.
Persistent context and memory
Goals, reasoning traces, and memory snapshots restore across sessions, so the next run skips re-grounding.
Supervised sandboxed environment
Landlock, seccomp, and namespaces confine each run, up to a network egress allowlist. Nothing lands until you apply.
Token reduction up to 95%
Raw tool output stays out-of-band; agents see compact summaries of failures, counts, and paths.
Conflict-free multi-agent orchestra
Each agent works sealed in its own worktree, so files, branches, and ports never collide.
Fully automated audit of AI code
Deterministic risk scan and review ranking flag prompt-injection and the riskiest commits, with no model in the loop.
h5i serve · localhost:7421

fix-auth

base 3d80a8d7b4 ·3 agents ·3 sealed
applied
  1. 1Draftroster created · agents working sealed
  2. 2Sealsubmissions frozen, immutable
  3. 3Reviewpermissioned peer review
  4. 4Verifyneutral verifier replays each candidate
  5. 5Applyone winner committed to base
claude-1sealed
opus-4-8designcontainer
3 files+91−20independent
appliestests
verdict
codex-1
codexbuildcontainer
4 files+272−31independent
appliestests
claude-2sealed
sonnet-4-6securityprocess
1 file+12−3independent
appliestests
neutral verdict sub-codex-1-r1-c34f11daf8e2
verify:replay-tests · smallest-diff tiebreak · auto-apply enabled
  • sub-codex-1-r1-c34f11daf8e2 applies cleanly
  • sub-codex-1-r1-c34f11daf8e2 verifier tests passed
  • smallest diff among verifier-passing candidates

A live record of what each agent did, why it changed the code, and what evidence supports merging it.

Code generation got cheap.
Code acceptance got risky.

Agents now produce more patches than any team can safely review. Git shows you the diff, but not the prompt, the commands, the sandbox policy, the failed attempts, the peer reviews, or the verifier evidence behind it. The scarce resource is no longer writing code. It is accepting it, whether you run one agent or many:

One agent, unaudited
What happens
Opaque provenance
The diff lands, but the prompt, model, and commands behind it are gone.
Token explosion
Every run re-reads the whole repo and drags raw logs into context.
Unsafe autonomy
An agent can run destructive commands without enough containment.
Review overload
Humans can't reconstruct every prompt, command, retry, and failure.
Many agents, uncoordinated
What happens
Environment conflict
Agents overwrite each other's files, ports, caches, credentials, and branches.
Context contamination
Agents see each other's output before an independent attempt, and diversity collapses.
No fair winner
You get many patches but no neutral evidence for which one to merge.

Three primitives.

Isolate the run, record the evidence, then review it before anything merges. It works the same for one Claude Code session or a whole team, and everything writes to Git-native sidecar refs under refs/h5i/* that travel with your repo.

01 · Isolate
Every agent runs in a sandbox
A disposable, confined worktree per agent: fail-closed Landlock, seccomp, and namespaces, up to a network egress allowlist. Files, branches, and ports never collide, and nothing lands until you apply.
02 · Record
The evidence travels with the repo
Prompts, commands, logs, policies, and reviews are stored beside the code in refs/h5i/*. Raw logs stay out-of-band, so agents see compact summaries and context stays lean, up to 95% less token waste.
03 · Audit & Accept
Review the diff before merge
Read back the prompt, commands, and risk signals behind any change with audit review, then merge one evidence-backed result. For agent teams, sealed candidates can also be replayed by a neutral verifier.

Powered by h5i env, h5i capture, h5i audit, h5i team, and refs/h5i/*.

Run many coding agents. Merge one auditable result.

The same auditable workspace that contains one agent scales to a whole team. h5i team runs several agents on the same task, each in its own isolated h5i env, then drives them through a phased, permissioned protocol. A roster member is a persona, not a backend: three Claudes with different skills, a Claude+Codex mix, or one model under two roles. The audit records which configuration produced which candidate.

01 · createRosterN envs, each a persona: runtime · model · role
02 · dispatchOne task → allsame task delivered to every agent
03 · independentSealed workno agent sees a peer's attempt
04 · freezeSubmissionsimmutable frozen candidates
05 · reviewPermissionedscoped peer review + opt-in discuss
06 · verifyNeutral judgesandboxed replay at shared base
07 · verdictApply winnerexplainable, gated, one patch

independence-first: diversity is protected until freeze · discussion is opt-in and logged afterward ⟶

h5i team flow: one task fans out to Claude and Codex in sealed sandboxes; they peer-review each other in a continuous loop; a neutral verifier replays and tests every candidate; the winning result is applied.
Two heads are better than one. Dos cabezas piensan mejor que una. 三个臭皮匠,胜过一个诸葛亮。 एक से भले दो। 三人寄れば文殊の知恵。 Deux avis valent mieux qu'un.

The evidence is a Git ref,
not a SaaS.

h5i adds no hosted control plane. Every workspace, capture, review, and verdict is stored under refs/h5i/* beside your code, so it clones, pushes, and pulls with the repo and outlives any one tool.

refs/h5i/envsandboxed workspaces, policies, and run evidence
refs/h5i/notesper-commit provenance: prompt, model, tests, audit
refs/h5i/contextthe reasoning workspace: goals, milestones, traces
refs/h5i/teamroster, sealed submissions, and neutral verdicts
refs/h5i/msgcross-agent messages and handoffs
▽ all carried by
h5i share push / pullevidence rides your existing remote · no external services

h5i builds h5i

This very page was rewritten by Claude and Codex coordinating over h5i msg: the agents traded positioning notes, flagged risks, and signed off, all on refs/h5i/*. The project keeps its own development record inside itself.

256
CROSS-AGENT MESSAGES
96
REASONING MILESTONES
1,200+
OBSERVE / THINK / ACT TRACES
0
EXTERNAL SERVICES, ALL IN GIT

See every command in action

Eight worked use cases, blame, resume, uncertainty heatmaps, the web dashboard, and the full five-verb feature reference.

Explore all features & use cases →

Frequently asked questions

The short answers. The blog and manual have the long ones.

What is h5i?
h5i (pronounced high-five) is an open-source auditable workspace layer for AI coding agents. It runs Claude Code, Codex, and other agents in isolated Git workspaces and records the prompt, model, agent, reasoning, commands, logs, sandbox policy, reviews, and verifier results behind every change, then lets teams merge one evidence-backed result. Technically, h5i stores this evidence as Git-native sidecar refs under refs/h5i/*, so it travels with your repo with no hosted control plane.
How does h5i run an agent team?
h5i team runs several agents on the same task, each in its own isolated h5i env, through a phased protocol: create a roster of personas (runtime, model, role) → dispatch the task to all → each agent works sealed and independentlyfreeze immutable submissions → permissioned review → a neutral sandboxed verifyapply one winner. Run state is an append-only event log in refs/h5i/team that travels with the repo. It's a thin coordination layer, not a group chat, not a daemon.
How is the winning patch chosen?
By a neutral verifier, not by the agents. h5i team verify replays each frozen candidate at the shared base in a fresh, sandboxed worktree and runs the declared command itself, so finalization never trusts an agent's own captures. Hard gates (tests pass, applies cleanly) come only from that run; smallest-diff breaks ties only among gate-passers, so nothing wins by deleting tests or stubbing features. The verdict is explainable, apply is gated, and if nothing clears the gates it records no_verdict instead of merging a loser.
Does h5i work with Claude Code and Codex?
Yes. h5i is built for teams where AI agents write code alongside humans. Claude Code integrates via hooks and MCP; Codex uses explicit prelude, sync, and finish commands. Both agents restore the same shared context when a session starts and check their work back in when it ends.
How is h5i different from plain Git?
Git versions code. h5i versions the workspace around it, the sandboxed worktree the agent ran in, the prompt and model behind each commit, the compressed command logs, the cross-agent handoffs, and the audit signals, stored in dedicated refs/h5i/* refs that travel with the repo without touching your commit history.
Who is h5i for?
The first adopters are platform, security, and DevEx leads at engineering orgs rolling out Claude Code and Codex: the people who have to keep PR review and audit defensible while agents write a growing share of production diffs. h5i is the audit trail for AI coding sessions: every change carries who/which-model authored it, how well it was prompted, what commands ran, whether tests passed, and what risks were flagged, all versioned in your own Git repo, shareable with push/pull, no SaaS. It makes agent work reproducible, reviewable, and accountable without adding a new system of record.
Can h5i reduce AI token costs?
Yes. h5i keeps raw tool output out of the agent's context with content-addressed capture and snapshots agent memory, so the next session skips re-grounding. In a reproducible benchmark, capture cut tool-output tokens by ~95% with full task fidelity.
Is h5i free and open source?
Yes. h5i is free and open source under the Apache 2.0 license, with no lock-in. It is written in Rust and runs on Linux, macOS, and Windows.
Can h5i detect prompt injection in AI-generated code?
h5i audit scan applies deterministic regex rules to every OBSERVE/THINK/ACT entry in an agent's reasoning trace to flag prompt-injection signals, with no model in the audit path, and can rank which commits most need human review.
Can h5i sandbox an AI agent's commands?
Yes. h5i env gives an agent a disposable, confined environment, a git worktree plus a policy that limits what code can read, write, and reach over the network. It picks the strongest isolation the host can enforce (Landlock + seccomp + namespaces, up to a rootless network egress allowlist), records every command and blocked access, and nothing reaches your branch until you apply. No root and no VM required.

Run your next change as a team.

Spin up a roster of agents, seal their independent attempts, let a neutral verifier pick the winner, and merge one auditable result. Versioned in your Git. Apache 2.0. No SaaS, no lock-in.