Source control for the code your agent wrote

git for humans.
au for agents.

Read the paper

4 MB Rust binary · works with Codex, Claude Code, Cursor, Cline, Aider, and plain CLI wrappers

~/my-project

$ au oops

⚠ last agent session · 14:32 · 5 files

src/auth.rs (-87)

src/middleware.rs (-23)

src/lib.rs (-4)

tests/auth.rs (deleted)

Cargo.toml (-2)

Roll back? [Y/n]

The shift

Source control assumed a human writer.
AI broke the assumption.

git

Versions human intent.

You commit when you mean to.
Every change is a deliberate act.
History reflects what you wanted to keep.
git blame tells you which human wrote each line.

Records agent action.

Every byte is captured on write.
No deliberate act required.
History reflects what actually happened.
au blame tells you which agent wrote each line.

Not a replacement. A second system, running alongside.

Why this exists

The current safety nets
break under agent speed.

The receipts happen to come from Cursor because the receipts are public and unusually blunt. The underlying problem is broader: editor-local undo and checkpoint features were not designed for tools that can rewrite a project between commits.

“This is a known issue, a bug caused by a conflict between the Agent Review Tab and file editing. Close the Agent Review Tab before the agent makes edits.”

deanrie, Cursor staff · Jan 16, 2026 · forum.cursor.com

“cursor agent went off the hinges and started deleting my entire app. 90% of my app is gone … I hadn't gotten a chance to push to github yet.”

Jonneal3 · May 27, 2025 · forum.cursor.com

Install

One command.
No account. No telemetry.

download release binary

If your tool exposes hooks, add them. If it does not, wrap the CLI with au exec --agent ... . The watcher is the base layer either way.

The principle

The agent is
an untrusted process.

Every piece of engineering ceremony — commits, review, blame, audit — assumed one thing: the writer of the code is a human you can hold accountable.

That assumption broke. Agents silently delete tests, rewrite mocks to pass, refactor across boundaries without understanding intent. A bad decision at 14:32:07 is 200 files deep by 14:32:42.

Treat AI coding agents the way a security engineer treats any process with write access: assume it will eventually do something wrong, and build the controls that let you recover.

au is the substrate. Observability, attribution, reversibility — the three primitives the next decade of agent-aware tooling will be built on.

Read the full essay

Technical paper

A product-grade paper for agent-undo, not hand-wavy launch fluff.

The paper frames agent-undo as a local provenance-and-rollback substrate for agent-written code, then backs it with a real artifact snapshot, two workload measurements, and explicit limits on what is still unmeasured.

Read the paper page Download PDF

binary

4.85 MiB

write detect

157–161 ms

oops

7–8 ms

agent-undo micro-evaluation chart comparing synthetic and repo-snapshot workloads

Questions

Eight things developers ask
before they install.

How is this different from git?

git versions intent — commits are deliberate acts. au records action — every byte, the moment it hits disk. You run both.

Does it replace my editor's undo?

No. Editor undo is in-memory and editor-bound. au is on-disk, editor-agnostic, and survives crashes, restarts, and agent rampages.

Does it work with Cursor, Cline, Aider, Codex?

Yes. The watcher captures writes regardless of source. Explicit sessions and hooks improve attribution when a tool exposes session context. Claude Code has a built-in hook today, and au exec --agent ... already works for any CLI you can wrap.

Does it touch my .git directory?

Never. au maintains its own store under .agent-undo/. If your agent nukes .git itself, au is unaffected and can still roll everything back.

What if the daemon isn't running when my agent writes?

You miss those events. No daemon, no capture. au init sets up the project. au serve --daemon starts the watcher. au doctor tells you at a glance whether it is alive.

How much disk does it use?

Content-addressable and deduped — usually under 100 MB on an active project. au gc uses a 7-day cutoff by default and you can change that in .agent-undo/config.toml.

Is there a technical paper for this?

Yes. There is a product-grade paper with system design, artifact status, and measured micro-evaluation at /paper, plus a downloadable PDF if you want the full writeup.

Can I run it on CI?

You can, but it's built for local use. CI is already good at capturing state via commits and artifacts. au fills the gap in the inner-loop dev environment, where agents move faster than your commit cadence.

Stop reconstructing
what your agent did after the fact.

Install the binary. Start the watcher. Add hooks where they exist, or wrap the CLI you use. Leave it alone until you need a rollback.

Read the source

git for humans. au for agents.

Source control assumed a human writer. AI broke the assumption.

The current safety nets break under agent speed.

One command. No account. No telemetry.

The agent is an untrusted process.