Salvager is a filesystem-level safety net for AI coding agents. A passive watcher saves every file revision as you and your agent work, so anything the agent breaks, you can get back.
View on GitHub How it works
Zero config. Run it in any project root:
The problem
An agent can rewrite a file faster than you can read the diff.
AI coding agents edit real files on disk. Most of the time that's exactly what you want. But mistakes are silent. A clobbered function, a deleted block, a refactor that ran too far, and by the time you notice, the previous version may already be gone.
Recovery shouldn't depend on the agent being careful, on you having committed at the right moment, or on an editor that happened to be open. You need a guarantee that lives below the agent, down at the filesystem.
How it works
A passive watcher, not a workflow you have to remember.
Think Local History for AI agents: capture is automatic, recovery is whatever you want, whether CLI, MCP, or your bare hands. The two are decoupled on purpose, so the part that protects you never depends on the part that might fail.
-
Run salvager watch in any project root. No config, no accounts, no cloud. It starts observing the tree immediately.
-
02
Capture every revision
Each time a file changes, whether your keystrokes or an agent's edit, Salvager saves a new per-file revision into .salvager/. Automatically. Continuously.
-
Browse the timeline for any file from the CLI, over MCP, or by hand with plain ls and cat. Every version is there, with a content signal to tell them apart.
-
Roll any file back to any earlier revision. The restore itself first saves the current state, so it's reversible too. Nothing is ever a dead end.
What it protects
The work your safety net was never built to catch.
Watch an agent do real work, destroy it, and find that git, the filesystem, and the editor have nothing to give back. Then watch Salvager hand it over, unharmed. Pick a case.
For agents · MCP
A recovery layer your agent can drive itself.
Salvager exposes the history over MCP. An agent that breaks something can discover the timeline, inspect past revisions, and restore the right one, no human in the loop. Read first, then restore.
salvager_list_versions read-only
List the saved revisions for a file, newest first. Each carries its content signal (lines, line delta, start signature) so the agent can pick the right one without re-reading every version.
salvager_get_version read-only
Fetch the exact contents of one revision. Read-only inspection, so the agent confirms it found the version it wants before changing anything.
salvager_restore write
Restore a file to a chosen revision. First saves the current state as a pre-restore revision, so the restore is itself undoable.
Register with any MCP client:
No delete over MCP
There is no purge or delete tool exposed over MCP. The safety net can't be erased by the thing that might break it. An agent can recover work, but never destroy the record of it.
Why trust it
The guarantee holds because of how it's built.
Captures everything → everything is reversible. The design removes the ways a safety net usually fails: missing config, partial coverage, destructive recovery, lock-in.
Zero configuration
salvager watch in any project root. No config files, no accounts, no setup ritual. It just starts protecting you.
Single static binary
One static Go binary with no cgo, no runtime, no dependencies. Drop it in and run. Linux and macOS, amd64 and arm64.
Readable without the tool
History is plain files under .salvager/. Lost the binary? A bare ls and cat recovers anything by hand. No lock-in, no proprietary format.
Whole-tree coverage
When the OS real-time watch ceiling is hit, overflow subtrees fall back to a polling sweep automatically. Coverage stays complete, never silently partial.
Restore is reversible
Every restore first saves the current state as a pre-restore revision. Restoring is itself undoable. There are no one-way doors.
Can't be erased over MCP
No purge or delete is exposed over MCP. The agent that might break your code cannot erase the record that lets you recover it.
Self-hosted, no cloud
Everything stays on your machine. No telemetry, no upload, no third party. Apache-2.0 licensed and fully self-hostable.
Running with known gaps is possible, but only as an explicit opt-in via
--allow-partial. Coverage is never reduced behind your back.
Quickstart
Up and running in under a minute.
Install
The install script drops a single static binary on your PATH. It never uses sudo, sends no telemetry, and doesn't touch your shell config. macOS and Linux.
On Homebrew (macOS/Linux):
Prefer to build it yourself? With a Go toolchain,
go build -o salvager . from a
clone. Prebuilt binaries for Linux and macOS (amd64 + arm64), each with a
SHA-256 checksum, are on the
releases page. Windows is best-effort from source.
Watch, inspect, restore
One command to start. Everything from there is recovery on your terms.
To wire it into an agent over MCP, see For agents above.
FAQ
Questions, answered plainly.
What happens if an AI agent breaks my code?
The watcher has already saved a revision of the file, automatically, as the edit happened. List the versions, restore the good one, and you're back. The restore itself first saves the current state, so even that is reversible.
How is this different from git?
No commits, no staging, nothing to remember. Salvager captures every save in the background, including work you never committed, and complements git rather than replacing it. git is your durable, shared history; Salvager is the always-on local safety net underneath it.
Do I need to configure anything?
No. Run salvager watch in any project root. Zero configuration: no accounts, no cloud, no config files. It records an initial revision of every tracked file on startup, then captures every change thereafter.
Where is my history stored, and can I read it without the tool?
In a plain .salvager/ directory inside your project. Objects are deduplicated by content hash and revisions are listed in plain logs, so a bare ls and cat recover anything by hand. No proprietary format, no lock-in.
Can an AI agent erase my recovery history over MCP?
No. The MCP server exposes exactly three tools: list versions, get a version, and restore. There is no purge or delete over MCP, so the safety net can't be erased by the agent that might break things.
What platforms does it run on?
A single static Go binary with no runtime and no dependencies. macOS and Linux (amd64 and arm64), with Windows best-effort from source. Apache-2.0 licensed.