File-level access control for Git

Give every agent its own private workspace inside a shared repository. Standard git clone and git push. The server rewrites the tree so each agent sees only its files.

git clone http://t:AGENT_TOKEN@server/repo workspace
ls workspace/
  agent-alpha/  shared/
  # agent-beta/, secrets/ - not in this clone

Why this matters

AI agents that generate code need a place to write it. When multiple agents work on the same codebase, they overwrite each other's output, leak context across tasks, or require elaborate orchestration to stay isolated.

graph.storage solves this at the Git protocol level. Each agent clones the same repository URL but receives a filtered tree containing only its permitted files. Pushes outside the agent's scope are rejected before reaching the canonical repo. No wrappers, no SDKs, no file locking.

Multi-agent isolation

Five agents write to the same repo without conflicts. Each sees only its own directory and shared context. A supervisor token clones the full tree to review all output.

# Agent Alpha sees:    agent-alpha/  shared/
# Agent Beta sees:     agent-beta/   shared/
# Supervisor sees:     agent-alpha/  agent-beta/  shared/  secrets/

# Agent pushes its work
echo '{"status":"done"}' > agent-alpha/result.json
git add -A && git commit -m "task complete" && git push  # accepted

# Agent tries to write outside scope
echo x > agent-beta/exploit.txt && git push
  # REJECTED: write denied on agent-beta/**

Client data rooms

Each client gets a private directory. Analysts read and write only their assigned clients. Compliance gets read-only access to everything for auditing.

# Analyst A sees:    client-acme/  templates/
# Analyst B sees:    client-beta/  templates/
# Compliance sees:   client-acme/  client-beta/  templates/  reports/

# Analyst A pushes to client-acme/ - accepted
# Analyst A pushes to client-beta/ - rejected

CI/CD with scoped tokens

Mint short-lived tokens for CI pipelines. Each token is scoped to a repo, a set of paths, and an expiration. Revoke instantly if a pipeline is compromised.

# Mint a 1-hour token for the deploy pipeline
curl -X POST /api/admin/tokens \
  -d '{"username":"ci-deploy",
       "repo":"myrepo",
       "scopes":"git:read,git:write",
       "ttl":3600}'

# CI clones with the token
git clone http://t:TOKEN@server/myrepo build

REST API

Read files, list commits, attach notes over HTTP. Same access rules apply. No checkout needed.

GET /api/files?ref=master
[{"path":"agent-alpha/result.json","size":21},
 {"path":"shared/config.yaml","size":84}]

GET /api/file?path=shared/config.yaml&ref=master

POST /api/notes {"ref":"master","note":"QA passed"}

Webhooks

HMAC-signed notifications on push, branch create, and notes. Path-scoped so each listener fires only on relevant changes.

POST /api/admin/webhooks
{"url":"https://ci.internal/build",
 "events":["push"],
 "path_filter":"agent-alpha/**"}

# Payload:
{"event":"push", "pusher":"agent-alpha",
 "files_changed":["agent-alpha/result.json"]}

How it works

The server rewrites Git's Merkle tree on the fly. Each clone gets a shadow tree with only the allowed files. Commits touching only invisible files are elided from history. The canonical repository is never modified.

Clone	Shadow tree filtered to readable paths
Push	Write ACL enforced before accept
Log	Invisible commits elided
Deny	Hard block on `secrets/**`, `.env`
Branches	Per-agent ephemeral refs, invisible to others
Tokens	Scoped to repo + paths, revocable, with TTL

Get started

python demo.py              # 4 users, 2 repos, token auth
docker compose up           # or run with Docker

Read the docs for deployment, API reference, and token configuration.