00 / Source control for agents.

Agent-native source control.

Gets it done.

BitterGit turns every agent commit into a verified change. Each commit carries its run, its wake, and its receipt — tied to the loop that produced it and the verification that cleared it.

Git works the way you already use it. The provenance just shows up.

Request early access See the design →

RUN Every change has a run, a reason, and a receipt.

01 / Why BitterGit exists

GitHub was built for human teams. Agent work has a different shape.

A human team produces pull requests — artifacts to discuss, review, approve, merge. An agent fleet produces commits by the hundred, grouped by the run that made them. The atomic unit shifts. BitterGit is shaped for that.

Run-linked by construction

Every agent commit carries a signed Run-Id and Wake-Id trailer, stamped by the Bitter CLI at commit time. The chain from wake packet to diff to verification is a property of the commit itself — not a database the server has to keep in sync.

The run is the review unit

A single run can produce one commit or forty, across one repo or three. Instead of forcing that into a pull request, BitterGit groups commits by the run that made them. Accept, revert, or supersede at the run level. PR theater, retired.

Boring git underneath

Clone, push, pull, branch, tag, blame, log — they all work the way you already know. The provenance is a trailer on the commit, not a new protocol to learn. Any git client can read a BitterGit repo.

02 / How it works

Wake the agent. Capture the change. Review the run.

The plaintext of the work lives between the wake packet that asked for it and the run that produced it. Everything in between is signed, verified, and visible.

Wake the agent.

Goltmund issues a wake packet. The Bitter CLI spawns the run and holds the context — Run-Id, Wake-Id, run-scoped signing key — for the lifetime of the work.

Capture the change.

`bitter git commit` writes the trailer and signs it with the run key. The server-side receive hook rejects any push whose commits don't carry valid provenance. Agents can't forget, can't forge, can't drift.

Review the run.

Open the run, not a PR. See every commit, across every repo it touched. See the BitterGrid build, the test output, the probes, the logs. Accept or revert the whole blast radius in one decision.

From the Bitter CLI

$bitter git runs
$bitter git run show run_4f2a
$bitter git diff run_4f2a
$bitter grid verify --run run_4f2a
$bitter git accept run_4f2a --if-verified
# or, to undo the whole blast radius:
$bitter git revert run_4f2a

What gets stamped

# every agent commit carries these trailers,
# signed with the run's ephemeral key.

Run-Id: run_4f2a
Wake-Id: wake_0129
Agent: factory-agent
Verified-By: bittergrid_build_8821
Signature: ed25519:…

03 / What's inside

Boring git. Sharper edges.

The primitives are the ones you already use every day. What BitterGit adds is the provenance substrate around them.

ProtocolStandard git over HTTPS and SSH. Any client can clone, fetch, and pull.

Client`bitter git` — a thin wrapper over native git that stamps provenance at commit time.

IdentityHumans via SSH key or passkey. Agents via run-scoped ephemeral Ed25519 keypair.

ProvenanceSigned Run-Id / Wake-Id trailers on every agent commit. Verified at receive.

Review unitThe run. Commits group automatically across repos; decisions operate on the run.

VerificationWired to BitterGrid. Build, tests, probes attach before accept.

AuditEvery push and decision emits to BitterLog. Queryable substrate for future wake packets.

HostingYour own substrate. Sovereign over writes. Open over reads. Own failure domain.

04 / Who it's for

For teams that ship with agents.

Solo operator

More agents than PRs you could ever review.

Your fleet produces hundreds of commits a day. You need to know which run made what, what got verified, what failed, and what to accept — without clicking through forty PR pages.

Small team

Humans and agents committing side by side.

Human commits are human commits. Agent commits carry their run. The data tells you what it is — no bot-account fiction, no after-the-fact tagging.

Engineering lead

Auditing agent work at fleet scale.

Every change links back to the wake that asked for it and the verification that cleared it. Reconstruct exactly what an agent did, when, and why — down to the signed commit trailer.

What BitterGit isn't

Not another GitHub clone. No stars, followers, trending, marketplace.
Not a project tracker. Wake packets live in Goltmund.
Not a CI system. Builds, tests, and probes live in BitterGrid.
Not a social network. Your reputation is your signed change history.
Not PR-first. The run is the review unit.

05 / Access

Request early access.

BitterGit is migrating off GitHub first — the Bitter fleet itself is tenant zero. Tell us what you'd want to host here, and which loop you'd point at it.

Invitations go out in waves. Replies come from a human.