Safety Rails

The Git panel has a set of guardrails built into it — deliberate checks, confirmations, and defaults that exist to stop you from losing work, pushing the wrong thing, or leaking secrets. Most of them have been introduced in context in earlier sub-sections; this card collects them all in one place so you can find them quickly when you need them.

Confirmations Before Destructive Actions

Every action the panel exposes that can permanently throw away work opens a confirmation dialog first. None of them skip the dialog with a hidden "Don't ask me again" option — the confirmation is always explicit.

  • Discard Changes: clicking Discard on an unstaged file opens "Discard Changes?" with the line "All uncommitted changes in this file will be lost. This action cannot be undone." Nothing on disk is touched until you confirm.
  • Force Push: when a push fails because the remote has moved ahead, Force Push is offered as one of three choices. Picking it does not run immediately — it opens a second dialog warning you that "Remote commits that don't exist locally will be lost" and asking you to confirm one more time.
  • Delete branch: only offered in the branch context menu for local branches that are not HEAD. The menu item itself is styled as destructive so it cannot be misread as one of the neutral actions above it.
  • Abort (merge, pull, stash): aborting a conflict resolution is always a safe backward step, not a destructive one — nothing committed is lost. But the abort buttons still spell out which operation they will cancel (Abort, Abort Pull Merge, Abort Stash Apply) so you always know exactly what you are backing out of.

Protections Against Losing Work-in-Progress

Several safety rails specifically exist to prevent "oops, I didn't mean to do that" moments when you have uncommitted changes in the working tree:

  • Uncommitted-changes checkout guard: trying to switch to another branch while your working tree has staged or unstaged changes opens an "Uncommitted Changes" dialog that blocks the switch and offers three paths: Go to Commit, Go to Stash, or Cancel. There is no "force checkout" shortcut — every route through the dialog is deliberate.
  • Clone only into empty folders: the Setup Wizard's Clone Existing Repository option is hidden for group folders that already have content. You cannot clone a remote on top of existing flows or specs by accident, because the button for it is not even offered.
  • Commit never rolled back after a failed push: Commit & Push treats the commit and the push as two separate phases. If the commit succeeds and the push fails — for any reason — the commit is still recorded locally and is never rolled back. You can always push it again from the toolbar once the cause of the failure is resolved.
  • Stash preserved on aborted apply: aborting a stash apply that hit a conflict leaves the stash entry intact in the Stashes section. The point of a stash is that it sticks around until you explicitly drop it, and an in-flight conflict does not change that.

No Surprises on Remote Operations

Remote operations — Pull, Push, Fetch — are where most unpleasant Git surprises happen. The panel intercepts every situation that would normally produce one and hands you a dialog explaining what is going on before anything changes:

  • Unrelated History Detected: when you try to push into a remote that was initialized independently (for example with a README), the push is intercepted and a "Merge & Push" dialog is offered. The message explicitly reassures you that Tigrister only manages its own files — any pre-existing README, LICENSE, or other files on the remote are preserved through the merge.
  • Remote Has Newer Commits: when your local branch is behind the remote, a push is intercepted with a three-way choice dialog — Pull Now (safe), Force Push (destructive, confirmed twice), or Cancel. You never push over someone else's commits silently.
  • Token Required: when Pull, Push, Fetch, or the push step of Commit & Push fails because no token is stored for the remote's host, the operation is paused and a dedicated dialog asks for the token for that host. Saving the token retries the original operation in place — you do not have to start over.
  • Concurrent-operation lockout: while any remote operation is running, the Pull, Push, and Fetch buttons are all disabled. You cannot accidentally start a second operation on the same repository before the first one finishes.

Secret and State Hygiene

A final class of guardrails keeps secrets out of the repository and keeps the panel's view of the world in sync with the file system without you having to refresh anything.

  • Tokens live in the OS keychain. Every access token collected by the Setup Wizard, by the Clone dialog, by Quick Connect, and by the Token Required dialog is stored in the operating system's native secret store — Keychain on macOS, Credential Manager on Windows, Secret Service / libsecret on Linux. Tokens are never written into the tracked repository or any plain configuration file that lives inside the group folder.
  • Auto-gitignore: the panel makes sure the group folder has a .gitignore that excludes everything sensitive by default. When the file is adjusted on your behalf, a short blue banner near the top of the panel tells you what was changed (for example ".gitignore updated: added entries for secrets"). The banner dismisses itself after a few seconds, or you can close it immediately with its × button.
  • File-watcher live refresh: edits made to a flow or a spec from Tigrister's main UI are reflected in the Git panel instantly. You do not have to click anywhere to refresh — saved changes show up in the Changes list, diff viewers redraw, and counters in Overview and the section nav update on their own.
  • Scope enforcement: the Git panel only accepts flow group and spec group folders as scopes. Other areas of Tigrister cannot be routed into it even by accident — the panel will refuse anything that is not a flows/ or load-tests/ group.
SettingsWhat is Not Versioned