Your code stays where it should.
When a developer's access is revoked, the local copy on their machine becomes unreadable within seconds — even on personal Windows or Macs, even offline.
Three steps, zero trust in the laptop.
1. Enroll
Developer installs the agent. A keypair is generated and sealed to the device's TPM or Secure Enclave — it never leaves the chip.
2. Encrypt
Every file in the watched repo is wrapped with AES-256-GCM under a key only this device can unwrap. Copy the bytes anywhere — they're noise.
3. Revoke
Click revoke in the console. Within seconds the agent destroys the device key and tombstones the vault. Offline machines die on lease expiry.
A live tamper log for every endpoint.
Every read, write, copy attempt, and key event flows back to the console. Forensic watermarks, git-push blocks, and decoys all show up here — with the device, user, and file path that triggered them.
- Replayable audit trail per device and per file.
- Signed events — tamper-evident.
- Opt-in auto-revoke when an integrity check fails.
Defense in depth, from chip to cloud.
AES-256-GCM, device-bound
Files are encrypted at rest with a key sealed to the developer's machine. Copy them anywhere — they don't decrypt.
Revoke in seconds
One click in the admin console. The agent deletes the device key and tombstones the vault on the next poll.
Offline-safe dead-man
Cached lease with TTL. Tolerates hours offline, then auto-revokes locally if it can't phone home.
Forensic watermarks
Every read is invisibly tagged. A leaked file points back to the device and the moment it left the agent.
Git push blocks
Pre-push hook stops protected code from being pushed to unauthorized remotes — even from inside the IDE.
Tamper detection
Integrity checks on the agent and vault. Move, rename, or patch it and we know — and you can revoke instantly.
Stop trusting the laptop.
Set up Repo Guard for your team in under ten minutes. Free for the first three devices — no credit card to start.