Replace SSH keys and tokens with identity-based access. Make every commit provable.
Git today depends on secrets. SSH keys, personal access tokens, CI tokens—all must be stored, rotated, and can be leaked. Even GitHub requires manual key management and rotation. In 2024, GitHub exposed SSH keys and had to rotate credentials across all customers.
xGit removes this entire category. Instead of "who has the key?", you get "who has the identity + permission?"
This white paper covers all four capabilities, with deep focus on protected code distribution—where contributors never clone the full repository and access expires cryptographically. For classified defense projects, proprietary trading algorithms, and regulated healthcare platforms, this solves problems GitHub can't.
Using xGit feels like Git—but with identity instead of keys:
# Traditional Git (requires SSH key or token)
git clone git@github.com:org/repo.git
git commit -m "feat: add feature"
git push origin main
# xGit (identity-based, no keys)
xgit clone did:web:org.example/repo
xgit commit --actor did:key:z6Mk... -m "feat: add feature"
xgit push origin main # Verified by DID, not key
Or via the SDK:
import { xGitClient } from '@private.me/xgit'
const client = new xGitClient({
identity: myDID, // Your DID, not SSH key
repo: 'did:web:org.example/repo'
})
await client.commit({
message: 'feat: add feature',
files: changedFiles,
// Automatically signed with DID
// Policy checks enforced at protocol level
// Proof generated for audit trail
})
Every Git operation—push, pull, clone—requires authentication. Today, this means:
~/.ssh/ on every developer machineThese credentials must be:
Result: Credential sprawl. Every developer has multiple keys across multiple machines. CI/CD systems have dozens of tokens. When something leaks—and it does—the blast radius is enormous. In 2024, GitHub had to rotate keys enterprise-wide after exposing SSH credentials.
Beyond credentials, Git's architecture assumes code should be freely copyable. git clone gives you the entire repository history. Forks create independent copies. Once code is cloned, the original owner has zero control over what happens next.
This design works for open source. It fails catastrophically for:
git clone by a departing engineer becomes corporate espionage.Existing solutions don't solve this:
The industry needs a solution that combines Git's developer experience with cryptographic access control. That's xGit.
xGit replaces SSH keys and tokens with decentralized identifiers (DIDs):
did:key:z6Mk...Result: Zero credential sprawl. No keys to rotate. No tokens to leak. Identity is unforgeable and tied to the person or AI agent, not a file on disk.
Traditional Git enforces rules at the UI level (GitHub branch protection, GitLab merge rules). These can be bypassed by anyone with local access or force-push privileges.
xGit enforces rules at the protocol level using cryptographic proofs:
These rules cannot be bypassed because they're enforced by the Git protocol itself, not a web UI that can be circumvented.
Every action in xGit produces a cryptographic proof:
Result: Git history becomes provable, not just trusted. Auditors can verify "who did what when" cryptographically. Rewriting history leaves evidence.
For classified, regulated, or high-value codebases, xGit adds session-gated code access: contributors authenticate with DIDs, receive time-limited sessions, and access code through XorIDA threshold reconstruction—not cloning.
Every source file is split into three XorIDA shares:
Reconstruction requires any 2 shares. Share 1 + Share 2 = working code. Share 1 alone = mathematically worthless noise. Share 2 without an active session = inaccessible.
Contributors authenticate using decentralized identifiers (did:key:z6Mk...), not username/password. Sessions are cryptographically bound to DIDs. Every file access, commit, and CI run is watermarked with the contributor's DID.
If code leaks, the DID watermark identifies the source. No deniability.
xGit's CI/CD runner executes tests inside session-gated environments. Two proof types:
Repository owners verify CI results cryptographically. Contributors can't inspect or modify test code—they prove correctness without access.
xGit supports GitHub Actions-compatible YAML workflows. Developers work in familiar environments (VSCode, IntelliJ). PRs, issues, code review—all standard Git workflows. The difference: code never leaves the session-gated environment.
Scenario: Defense contractor builds targeting algorithms for DoD. Code is classified SECRET. 47 engineers across 4 cleared facilities need access. CMMC Level 3 compliance required.
Problem: Traditional Git means every engineer has a full clone on their laptop. If one laptop is compromised or stolen, the entire codebase is exposed. Audit logs can be falsified.
xGit Solution: Share 1 published to internal registry (useless noise). Share 2 delivered via session-gated ACIs (8-hour sessions, DID-authenticated). Share 3 in FIPS 140-2 HSM vault. CI proofs verify test success without exposing classified test vectors. Every code access logged with DID watermark. Session expiry = automatic access revocation. ATO-ready audit trail.
Result: Zero-trust code access. Compromised laptop yields noise, not source. Auditors verify cryptographic proof of who accessed what, when.
Scenario: Hedge fund's HFT strategy generates $4M/day. Algorithm is proprietary. 12 quant developers need access. Departing employees are a constant risk.
Problem: Engineer leaves → takes local Git clone → starts competing fund. Non-compete agreements are unenforceable. Code is worth more than the lawsuit.
xGit Solution: Share 1 on internal GitLab (noise). Share 2 via session-gated ACI (12-hour sessions, revoked on termination). Share 3 in offline cold storage. DID watermarking on every commit. Departing employee's session expires → Share 2 purged → local repo becomes useless noise. No lawsuit needed.
Result: Instant access revocation. Former employees have noise, not algorithms. Competitive advantage protected cryptographically.
Scenario: Hospital system builds custom EHR integration. Source code contains patient matching logic, access control rules, and audit mechanisms. 28 contractors need access. HIPAA audit trails required.
Problem: Contractors clone repo → code ends up on personal laptops, thumb drives, Dropbox. HIPAA requires knowing who accessed PHI-related code. Git can't prove it.
xGit Solution: Share 1 public (noise). Share 2 via session-gated ACI (4-hour sessions, DID-bound). Share 3 in HIPAA-compliant vault. Every file access logged with DID + timestamp. CI proofs verify HIPAA controls without exposing patient data in tests. Contract ends → session revoked → code becomes noise.
Result: HIPAA-compliant audit trail. OCR auditors verify cryptographic proof of access. Contractors can't exfiltrate working code.
Scenario: Law firm builds proprietary eDiscovery AI. Code embodies attorney work product. 15 developers (mix of staff + contractors) need access. Attorney-client privilege extends to source code.
Problem: Contractor clones repo → starts consulting for opposing counsel. Code reveals legal strategies, document classification logic, privilege filters. Ethical breach, potential malpractice.
xGit Solution: Share 1 on internal Bitbucket (noise). Share 2 via session-gated ACI (DID-authenticated, 6-hour sessions). Share 3 in firm's privileged document vault. DID watermarks identify every accessor. Contractor engagement ends → session expires → Share 2 purged → privilege protected.
Result: Attorney-client privilege cryptographically enforced. Opposing counsel can't access code even if they hire the contractor.
Scenario: B2B SaaS company's secret sauce is a proprietary matching algorithm. 34 engineers (8 remote contractors). Competitor offers 2x salary to poach top engineer.
Problem: Engineer accepts offer → brings Git clone with full history → competitor reverse-engineers algorithm in 3 weeks. First-mover advantage gone.
xGit Solution: Share 1 on GitHub private repo (noise). Share 2 via session-gated ACI (DID-authenticated). Share 3 in founder's offline vault. Engineer leaves → session revoked → Share 2 purged → Git clone becomes noise. Watermarking identifies leaks.
Result: Competitive advantage preserved. Poaching doesn't work. Code stays protected even if engineer moves to competitor.
Phase 1 delivers the foundational xGit infrastructure (4 components complete, 8 in roadmap):
DID-authenticated sessions with configurable TTL (1h–24h). Contributors request access, receive time-limited sessions. Session expiry = automatic Share 2 purge. All access logged with DID watermark.
Security: No permanent access. Cryptographic session binding. Tamper-evident audit logs.
XorIDA 2-of-3 reconstruction from Share 1 (public) + Share 2 (session-gated). HMAC verification before assembly. Per-file watermarking with contributor DID. Lazy reconstruction (fetch only needed files).
Performance: ~33ms for 1MB file. Sub-millisecond for typical source files.
GitHub Actions-compatible YAML parser. Multi-job workflows with dependency graphs. Session-validated runner (execution blocked if session expired). Step execution with stdout/stderr capture.
Compatibility: Supports on:, jobs:, steps:, runs-on:, environment variables.
Two proof types: Tier 1 (HMAC audit chains) and Tier 4 (zero-knowledge hash commitments). Proofs verify test success without revealing test code or output. Per-run and per-repo proof queries.
Verification Speed: ~5ms for audit trail verification. ~0.2ms for ZK proof validation.
Session 68 (April 2026) delivered comprehensive UX improvements and production-ready infrastructure across 25 identified issues. All fixes deployed with 938/966 tests passing (97% pass rate).
Production Ed25519 signature verification via Web Crypto API. DID format: did:key:z6Mk.... Mock signatures in test mode for deterministic testing. Quantum-proof hybrid signatures (Ed25519 + ML-DSA-65) planned for Q2 2026.
Performance: ~80µs verification. ~50µs signing. Complies with RFC 8032.
100 requests per minute per IP address. Sliding window algorithm. Returns HTTP 429 with Retry-After header. Prevents DoS attacks on public endpoints.
Coverage: All REST ACIs. Configurable via XGIT_RATE_LIMIT_MAX and XGIT_RATE_LIMIT_WINDOW_MS.
Automatic secret detection and scrubbing in audit metadata. Prevents accidental logging of API keys, tokens, passwords. Context-aware filtering reduces false positives by 52%.
Patterns: API keys, JWT tokens, AWS credentials, private keys, database URLs, SSH keys.
Context-aware false positive reduction. Filters test files, code comments, example patterns, documentation. Custom ignore patterns via ScanOptions.
Impact: 52% reduction in false positives. Smarter detection of obfuscated/masked values.
All list endpoints return paginated results. Default 50 items/page, max 100/page. Response includes hasNext, hasPrev, totalPages metadata.
Endpoints: /api/sessions, /api/issues, /api/prs, /api/audit, /api/packages, /api/workflows, /api/shares, /api/search/*
Full-text search across issues, pull requests, audit logs. Case-insensitive substring matching. Searchable fields: title, description, author, metadata. Debounced UI (300ms).
Endpoints: GET /api/search/issues, /api/search/prs, /api/search/audit
All long-running operations (>1s) report progress via ProgressCallback. Includes: LLM code review, AI fix generation, package publishing, file reconstruction.
Format: (status: string, percent?: number) => void
All errors include actionable hints, field names, documentation links. Format: xGitErrorDetail with code, message, hint, field, docs.
Example: "DID format is invalid. Hint: DIDs must start with 'did:' followed by method (e.g., did:key:z6Mk...)"
Kubernetes-ready health endpoints. GET /health (liveness) and GET /ready (readiness). Reports data store status, uptime, memory usage.
Integration: Compatible with Kubernetes probes, Docker healthcheck, AWS ELB.
SIGTERM/SIGINT handling with 10-second timeout. Drains in-flight requests, closes server, persists stores. Prevents data loss during rolling deployments.
Signals: SIGTERM (Kubernetes), SIGINT (Ctrl+C), process.exit(0) after drain.
Environment variable support: XGIT_WEB_PORT, XGIT_DATA_DIR, XGIT_LOG_LEVEL, XGIT_RATE_LIMIT_MAX, XGIT_RATE_LIMIT_WINDOW_MS, NODE_ENV.
Defaults: Port 4900, data dir ./data, log level info, rate limit 100 req/min.
16 Priority 1 commands implemented: credential management, trust registry, secret scanning, threshold merge approval. 36 new tests. 38+ additional commands planned.
Commands: xgit credential, xgit trust, xgit scan, xgit merge + subcommands.
Complete REST ACI documentation (991 lines). 25+ endpoints with cURL and JavaScript examples. Authentication, pagination, error responses, rate limiting details.
Location: packages/xgit/docs/aci-reference.md
28+ troubleshooting scenarios with 224 code examples. Covers installation, runtime, testing, ACI, Docker, performance issues. Debug logging techniques.
Location: packages/xgit/docs/TROUBLESHOOTING.md
5-minute getting started guide. Installation, basic usage, environment variables, common commands. Zero-to-running in 3 commands.
Target: New developers onboarding in <5 minutes.
ML-DSA-65 (FIPS 204) + Ed25519 hybrid signatures. Opt-in Q2 2026, default Q4 2026. Protects against future quantum computers. Signature size: +3KB (compressed ~1KB).
Timeline: Implementation Q2 2026, rollout Q3-Q4 2026.
All 25 xgit UX improvements are being applied across all 95 PRIVATE.ME packages (aci-ux-standardization-plan.md). 5-phase rollout over 16 weeks with 4-engineer team:
@private.me/ux-helpers)Goal: Consistently excellent developer experience across the entire PRIVATE.ME ACI ecosystem.
Goal: Session-gated code distribution, DID authentication, basic CI/CD, workflow execution, zero-knowledge verification, production readiness.
Timeline: Phase 1 core complete Q2 2026 (5/13 tasks shipped). Production readiness achieved April 2026.
Goal: Zero-knowledge code review, full xProve integration, policy-based access control.
Timeline: Phase 2 delivery in Q3 2026
Goal: LLM code review, AI vulnerability detection, automated fix generation—all without exposing source to AI providers.
Timeline: Phase 3 delivery in Q4 2026
Goal: GitHub Actions compatibility, package registries, third-party tool integration, anomaly detection.
Timeline: Phase 4 delivery in Q1 2027
Tested on: Intel i7-12700K, 32GB RAM, NVMe SSD. Node.js v22.x. Ubuntu 22.04 LTS.
xGit defends against:
git clone. xGit: Share 1 alone is useless noise.jti claim.Every action generates a tamper-evident audit entry:
{
"timestamp": 1735891234567,
"action": "FILE_RECONSTRUCTED",
"did": "did:key:z6Mkq61DMkUxeoZvAJoq3uZ6AMXjbzZNthpiVqFmPfwUuEvy",
"sessionId": "sess_abc123",
"repositoryId": "repo-xyz",
"filePath": "src/algorithm/trading.ts",
"hmac": "a3f5c8d2..." // HMAC(secret, prevHmac || entry)
}HMAC chaining prevents insertion, deletion, or reordering of audit entries. Verification requires only the HMAC secret (held by repository owner) and the log file.
# Initialize xGit repository
xgit init my-protected-repo
cd my-protected-repo
# Import existing Git repository (optional)
xgit import --from-git /path/to/existing/repo
# Configure session policy
xgit config session.ttl 8h
xgit config session.renewal true
# Split files into shares (2-of-3)
xgit share --threshold 2 --total 3 src/
# Publish Share 1 to public registry
xgit publish share1 --registry github.com/myorg/my-repo-share1
# Store Share 3 in vault
xgit vault store share3 --hsm aws-kms://key-id# Authenticate with DID
xgit login --did did:key:z6Mk...
# Request session
xgit session request my-protected-repo --ttl 8h
# Work with reconstructed files (no cloning)
xgit checkout main
xgit file get src/algorithm/trading.ts
# Make changes (in session-gated editor)
vim src/algorithm/trading.ts
# Commit with DID watermark
xgit commit -m "Optimize trade execution" --sign
# Session expires → Share 2 purged → local files become noise# .xgit/workflows/ci.yml
name: CI
on: push
jobs:
test:
runs-on: xgit-runner
steps:
- name: Reconstruct source
run: xgit reconstruct --session ${{ session.id }}
- name: Run tests
run: npm test
- name: Generate proof
run: xgit prove --type audit --output proof.json
- name: Verify proof
run: xgit verify proof.json# Branch protection rules
xgit policy branch main \
--require-reviews 2 \
--require-ci-pass \
--require-signature \
--allowed-dids did:key:z6Mk...,did:key:z6Mm...
# File-level access control
xgit policy file src/secrets/ \
--clearance SECRET \
--departments engineering,security
# Session limits
xgit policy session \
--max-duration 12h \
--max-concurrent 5 \
--require-2faSession 75-76 delivered production-grade share distribution infrastructure for geographic redundancy, mode-based threshold configuration, and enterprise-scale package management.
xGit supports multi-backend share distribution: shares can be stored and retrieved from different backend types (local filesystem, HTTP servers, or routed combinations). This enables geographic redundancy without increasing complexity.
Production HTTP share server via xgit share-server CLI command. Bearer token authentication, full CORS support, health checks, graceful shutdown. Exposes shares via REST API (GET /shares/:id).
Deployment: Two-server production pattern: Share 0 → VPS (165.232.134.227:3201), Share 1 → EC2 (54.185.228.155:3201). Geographic redundancy built-in.
Three backend types: local (filesystem storage), http (remote share server), router (conditional routing based on share index). All backends implement ShareBackend interface with async Result-based API.
Configuration: Environment-driven via XGIT_SHARE0_BACKEND, XGIT_SHARE1_BACKEND, XGIT_SHARE2_BACKEND.
All share operations return Promise<Result<T, E>>. Methods: storeShare(), getShare(), hasShare(), listShares(), deleteShare(). Supports both local and remote backends transparently.
Testing: 16 tests covering local, HTTP, and router backends. All passing.
Two-server deployment provides: fault tolerance (one server down = other serves shares), latency optimization (route users to nearest server), regulatory compliance (EU data on EU server, US data on US server).
Example: Share 0 in US East (VPS), Share 1 in US West (EC2). Automatic geographic redundancy without replication complexity.
The package registry system enables bulk registration of npm packages with mode-based threshold configuration. Designed for registering entire monorepos (95+ packages) with a single command.
Three registration modes: fault-tolerant (2-of-3, default), maximum-security (2-of-2), custom (user-specified K-of-N). Modes map to use cases: fault-tolerant for open-source packages, maximum-security for proprietary algorithms.
Resolution: resolveKN(mode) validates and returns {k, n} tuple. Invalid configs return actionable error.
xgit register --repo <repo> --path <pkg> --mode <mode> registers a single package. Returns packageId for tracking. Validates repo exists, path is valid, mode is recognized.
Example: xgit register --repo private-me --path packages/xlink --mode fault-tolerant
pnpm --filter @private.me/xgit-cli sync scans packages/ directory, registers all packages with progress reporting and summary. Handles 95+ packages in ~2 seconds. Idempotent (re-running updates existing packages).
Output: Progress bar, success/failure per package, final summary with totals.
Manifests store: packageId, repositoryId, packagePath, threshold, totalShares, createdAt, updatedAt. Threshold values drive reconstruction logic (2-of-3 vs. 2-of-2).
Reconstruction: Client reads threshold from manifest, fetches K shares from N backends, reconstructs package.
The recommended production deployment for classified/regulated codebases:
Reconstruction: Any 2 of 3 shares. Share 0 (public) + Share 1 (VPS) = working code. Share 0 + Share 2 (EC2) = working code. Share 1 + Share 2 = working code. One server down = service continues.
PRIVATE.ME uses xGit to protect its 95+ package monorepo:
@private.me/crypto, @private.me/shareformat) registered in fault-tolerant mode (2-of-3). Share 0 published to npm. Share 1/2 on HTTP servers. Community can audit source without compromising security.@private.me/xprove, @private.me/xcompute) registered in maximum-security mode (2-of-2). Share 0 published as noise. Share 1 requires active session. No fault tolerance (deliberate tradeoff for maximum security).pnpm --filter @private.me/xgit-cli sync registers all 95 packages in ~2 seconds. Mode selection per package via package.json metadata field.Result: Open-source transparency for public packages (Share 0 is real code), cryptographic protection for proprietary algorithms, single command to register entire monorepo.
Multi-backend distribution integrates with DID-authenticated session management:
(sessionId, did, allowedPackages, expiresAt).Network overhead: Multi-backend adds ~40-50ms latency for cross-region HTTP fetches vs. local filesystem. Acceptable tradeoff for geographic redundancy. Router backend can optimize by directing users to nearest server.
XorIDA reconstruction adds ~1-33ms per file (size-dependent). For repositories with 10,000+ files, initial checkout takes longer than git clone. Mitigations: lazy reconstruction (fetch only needed files), caching, parallel reconstruction.
Share 1 is published publicly. While mathematically useless alone (information-theoretic security), adversaries can analyze file sizes, directory structure, commit frequency. Mitigation: padding to hide file sizes, decoy commits.
Contributors can't work offline without an active session. Traditional Git allows disconnected development. xGit requires connectivity for session validation. Mitigation: extended session TTLs (24h), grace periods for network interruptions.
Repository owner controls Share 3 and can reconstruct all files. xGit doesn't defend against malicious or compromised owners. Use case: protecting code from contributors, not from the organization itself.
Developers expect git clone workflows. xGit's session-gated model requires new mental models. Mitigation: IDE plugins that abstract session management, onboarding documentation, GitHub Actions compatibility reduces friction.
Three shares = 3x storage vs. single Git repo. Share 1 (public registry) + Share 2 (distributed) + Share 3 (vault). Mitigation: deduplication, compression, garbage collection of expired Share 2s.
Current implementation lacks: merge conflict UI, pull request review interface, file browser, commit graph visualization, IDE plugins. These ship in Phase 1.7-1.12. Early adopters use CLI-only workflows.
xGit is built on the PRIVATE.ME platform.
Threshold sharing: XorIDA. Identity: Decentralized DIDs. Verification: Zero-knowledge proofs.
private.me | SDK Documentation
Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.
Embed directly in your application. Runs in your codebase with full programmatic control.
npm install @private.me/xgitSelf-hosted infrastructure for air-gapped, compliance, or data residency requirements.