AI agents inspect Git safely

MCP context without handing over the controls.

FluxGit's MCP layer is designed for AI agents that need repository context: status, fleet radar, diffs, reflog hints, restore points and safety timeline details. Agents inspect read-only; Git writes stay controlled by the desktop app and the human user.

Request beta accessView Fleet Radar
FluxGit Settings / Agents / MCP panel: 'Quick connect: copy your MCP config' section with online status indicator, the generic MCP JSON config block, copy and test buttons, and tool surface tier badges
Real FluxGit interface · synthetic demo data · Quick Connect surface in Settings → Agents / MCP

The problem: agents need context, but Git writes are high-risk.

AI coding agents can help explain diffs, summarize branch state and plan next steps. They should not get silent end-to-end control over reset, rebase, patch application or branch mutation just because they can read a repo.

Honest beta limit

FluxGit does not claim that agents operate Git safely end-to-end. The MCP sidecar has validated read-only behavior, while installed app visibility and real client smoke testing remain part of beta hardening.

How FluxGit helps.

inspectread-only

Read-only tools

Expose repository status, fleet signals, diff context and recovery surfaces without granting mutation endpoints.

boundaryapp-controlled

Write boundary

Risky Git actions stay in the FluxGit desktop cockpit where previews, safety rails and human confirmation can apply.

trustaudit

Audit trail

Beta workflows can review what context agents requested, helping teams debug and set trust boundaries.

Free shell vs FluxGit-powered.

The protocol is open. The shell speaks MCP and works without the app for standard Git inspection. The tools that need FluxGit return an explicit upgrade hint, not a fake answer.

free shellno app required

Standard Git inspection

repo.status, repo.refs, repo.history, repo.reflog, commit.details, worktree.changes, submodule.status, diff.text. Works with local git alone.

hybridgraceful fallback

Capability-negotiated tools

fleet.radar, diff.semantic, diff.semanticFallbacks, repo.conflictPreflight. Return documented fallback metadata without FluxGit; enriched when the gateway is configured.

FluxGit-poweredrequires the app

Safety-grade tools

safety.timeline, safety.eventDetails, flux.latestRestorePoint, flux.restorePoints, flux.restorePointDetails. Return error code 10001 without FluxGit because synthesizing them from local refs would mislead the agent.

Tool surface.

Eighteen read-only tools, plus five write-with-UI-handshake tools that dispatch through the FluxGit approval card. All labelled with their tier. Direct mutations stay in the desktop cockpit; the agent only proposes.

repo contextfree

Read the repo

  • repo.status · working tree, current branch, dirty paths
  • repo.refs · branches, tags, remotes, stashes
  • repo.branchStack · current vs upstream/base/related
  • repo.history · paginated commit history
  • repo.reflog · movement timeline with recovery hints
  • commit.details, worktree.changes, submodule.status
difffree + enhanced

Explain changes

  • diff.text · standard git diff compatible patch
  • diff.semantic · negotiated. Returns supported=false fallback unless FluxGit's semantic engine is wired
  • diff.semanticFallbacks · per-path fallback metadata
multi-repofree + enhanced

Cross-repo signals

  • fleet.radar · prioritized attention stack across selected repos. Cached refs only without FluxGit; predictive when gateway is wired
  • repo.conflictPreflight · advisory merge/rebase outcome before running, never mutating
safetyFluxGit-powered

Recovery context

  • safety.timeline · synthesized risk events from restore points + reflog
  • safety.eventDetails · drill-down into one event
  • flux.latestRestorePoint, flux.restorePoints, flux.restorePointDetails · audit-grade undo/redo points
write-with-UI-handshake (NEW)🤖 Requested by AI

Agent proposes, you approve.

  • operation.preview.merge · agent proposes a merge; FluxGit renders the approval card
  • operation.preview.rebase · rewrites-history warning surfaced in the card
  • operation.preview.discard · irrecoverable-warning card with path list
  • operation.preview.reset · mode-aware (hard mode forces strong confirmation)
  • operation.preview.patch · monospace patch preview with applyToIndex toggle

The agent dispatches a proposal through the gateway; FluxGit shows a "🤖 Requested by AI agent" card in the desktop cockpit with the agent's plain-language reason. You approve or reject; FluxGit executes through the existing safety pipeline with restore points. The agent never holds write power.

Semantic diff with explicit fallback.

Agents lie when they describe a patch as "semantic" without a semantic payload behind it. The contract makes that impossible: diff.semantic only returns supported: true when the FluxGit engine produced structural output. Otherwise it returns the arguments the agent should pass to diff.text as a text-diff fallback, and a precise reason.

Agents connected to FluxGit MCP must say "FluxGit reported a text-diff fallback for this file" when supported=false, never "this is a semantic diff". The wording is published as a contract; we treat over-claiming as a bug.

Honest by protocol

No silent fallback. No fake structure inferred from a text patch. If the file fell back, the agent surfaces which path and why. Senior engineers notice this; it's why we wrote it down.

Connect any MCP-compatible agent.

FluxGit MCP is protocol-aligned, not vendor-aligned. Paste this block into any MCP host config. The desktop app pre-fills the absolute sidecar path and gateway address from the running process.

{
  "mcpServers": {
    "fluxgit": {
      "command": "<absolute path to fluxgit-mcp-sidecar bundled with FluxGit>",
      "env": {
        "FLUXGIT_GATEWAY_ADDR": "<auto-filled, e.g. 127.0.0.1:14660>",
        "FLUXGIT_MCP_AUDIT_LOG": "<optional path to a JSONL audit file>"
      }
    }
  }
}

Works with any MCP-compatible code agent. No client-specific install required.

FluxGit desktop cockpit with the '🤖 Requested by AI agent' modal open: an agent has proposed merging refs/heads/feature/cart-redesign into refs/heads/main with the reason 'All tests are green, this implements the cart redesign discussed in #234' and the user can approve or reject with the FluxGit safety pipeline behind the approval
Real FluxGit interface · synthetic demo data · 🤖 Requested by AI agent flow
Shipped 2026-05-28

Write with UI handshake.

FluxGit MCP closes the loop: agents propose writes, FluxGit shows the preview, the user approves in the app, FluxGit executes through its existing safety pipeline. The agent never has write power; the user reviews everything in the UI they already trust.

All five operations are live: operation.preview.merge, operation.preview.rebase, operation.preview.discard, operation.preview.reset, operation.preview.patch. Every preview gets a previewId; the audit chain links agent intent → user approval → execution.

The moat

Cloud-hosted MCP servers without an app cannot do this. FluxGit can because the approval UI lives in the desktop cockpit. It's the structural reason FluxGit-powered tools require FluxGit.

Privacy and security posture.

MCP can expose sensitive repository facts to a connected agent, so the boundary must be explicit. FluxGit keeps writes blocked from MCP, labels semantic diff fallback, avoids aggressive fleet fetch from agents and treats AI/provider data sharing as a separate user-controlled decision. The audit log hashes arguments rather than storing them verbatim.

Related features.

  • Fleet Radar gives agents a read-only attention stack across selected local repos.
  • Semantic diff gives structural context when supported and fallback labels when not.
  • Safety rails keep write decisions in the guarded desktop workflow.