HydraGit Docs
v0.3.1

Trust, privacy & safety

HydraGit runs your git, on your machine, and talks to nobody else. No telemetry, no accounts, no cloud — and a set of guardrails that assume the riskiest thing in the room is an honest mistake.

Local-only by design

  1. Zero network egress from the UI. Every panel ships a Content-Security-Policy of default-src 'none' + connect-src 'none', with no remote image loading — the webviews cannot phone home, by browser enforcement, not by promise.
  2. No telemetry, no analytics, no accounts. The only network traffic is git itself talking to your remotes when you fetch/pull/push.
  3. Zero runtime dependencies. No third-party npm packages ship in the extension; the Go backend has no production dependencies. The supply chain is: VS Code, git, HydraGit.
  4. Logs stay on disk in VS Code's extension log folder, owner-readable only (0700/0600), rotated after 7 days.

Hardened webview boundary

The panels are webviews; the extension host treats them as untrusted and verifies what they ask for:

  1. Requests may only target repositories the extension has actually discovered in your workspace — a panel can't point git at an arbitrary directory.
  2. "Open worktree" only opens paths git itself reports as worktrees.
  3. The Go backend validates required parameters on every state-changing command and runs git with argument lists only — there is no shell anywhere in the path.

The full security model lives in the repo's docs/PROJECT_CONTEXT.md.

Destructive-op guardrails

  1. Force-class operations (force delete, force push, clear all stashes) only execute moments after you've answered a native VS Code dialog — a confirmation the UI layer can't fake.
  2. Force-push always uses --force-with-lease — it refuses to overwrite remote commits you haven't seen.
  3. Before every risky operation the working tree is snapshotted automatically; hard resets auto-stash on top.
  4. Pre-commit safety checks warn before a secret, a conflict marker or a huge file lands in history.

Concurrent backend

Requests to the git backend run concurrently, with git operations serialized per repository: writes are exclusive (two state-changing commands never race on one .git), reads run in parallel, and a slow network operation — a fetch against a dead remote — can't freeze the rest of the UI. In multi-repo workspaces, repositories never block each other.

License

GPL-3.0 — free forever, and every fork must stay open source under the same license, so nobody can take HydraGit, tweak it, and put it behind a paywall. The HydraGit name and logo are not covered by the license.

RelatedWorking-tree snapshotsPre-commit safety checksLogging & diagnostics