Cloud Worktrees
Run your repository inside a TDX sandbox from CDE — worktrees, SSH attach, Projects sidebar, and recovery.
Cloud worktrees connect your desktop IDE to confidential sandboxes on ORGN — not ordinary shared cloud VMs. Each worktree is an isolated Git branch running inside a TDX Trust Domain: a hardware-isolated virtual machine with encrypted memory that the cloud operator, hypervisor, and ORGN cannot read.
This is runtime confidentiality. Origin Agent inference is a separate boundary — prompts route through ORGN Gateway unless you pick a TEE model.
For when to use cloud vs local mode, see Local vs confidential cloud.
Git in the sandbox
A cloud worktree is a live Git checkout in the remote sandbox — not a static copy. When you create a worktree for a task, CDE provisions (or reuses) a sandbox whose repository fetches the latest base branch from GitHub before branching. Your edits stay on the worktree branch until you commit, push, or open a pull request.
The sandbox does not silently sync every upstream commit while you are idle. When you start new work, ORGN fetches fresh. Use the integrated terminal to git pull or git fetch if you need to catch up mid-session.
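The catch-up check described above, as an added example (not ORGN or CDE code): it reports how many commits the worktree branch is behind and ahead of its base, before and after a fetch. The function names, the `origin` remote name, the `main` base branch, and the throwaway repositories are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not ORGN code). Assumes the remote is named "origin".

# Print "<behind> <ahead>" for HEAD of worktree $1 relative to origin/$2.
# With a third argument "fetch", refresh remote-tracking refs first.
worktree_drift() (
  dir=$1 base=$2
  if [ "${3:-}" = fetch ]; then
    git -C "$dir" fetch --quiet origin || exit 1
  fi
  counts=$(git -C "$dir" rev-list --left-right --count "origin/$base...HEAD") || exit 1
  set -- $counts            # left = only on origin/base, right = only on HEAD
  echo "$1 $2"
)

# Constructed sample: a throwaway upstream and a clone standing in for the
# sandbox checkout. Upstream gains two commits after the task branch is cut.
make_constructed_worktree() (
  root=$(mktemp -d) || exit 1
  g() { git -c user.name=example -c user.email=example@example.invalid \
            -c commit.gpgsign=false "$@"; }
  g init --quiet "$root/upstream"
  g -C "$root/upstream" symbolic-ref HEAD refs/heads/main
  g -C "$root/upstream" commit --quiet --allow-empty -m "base"
  g clone --quiet "$root/upstream" "$root/worktree"
  g -C "$root/worktree" checkout --quiet -b task/example
  g -C "$root/worktree" commit --quiet --allow-empty -m "task edit"
  g -C "$root/upstream" commit --quiet --allow-empty -m "upstream 1"
  g -C "$root/upstream" commit --quiet --allow-empty -m "upstream 2"
  echo "$root/worktree"
)
```

In a worktree terminal, `worktree_drift . main` shows the stale view and `worktree_drift . main fetch` shows the real distance from the base branch.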
Agent @codebase search uses a workspace semantic index built from files on disk — re-index after large merges if search feels behind.
What is a worktree?
A worktree is an isolated copy of your repository on its own branch, running in its own sandbox. In CDE you create worktrees per task so parallel agents or experiments do not collide on the same branch.
| Term | Meaning |
|---|---|
| Worktree | What you see in the UI — one branch in one confidential sandbox |
| Sandbox | The TDX-backed remote environment CDE attaches to over SSH |
| Project | A repository-backed workspace in ORGN Studio, with tasks and worktrees |
Projects sidebar
Open the Origin Studio entry in the activity bar. The inner view is labeled Projects.
From the sidebar you can:
- Browse team projects and tasks
- Create new worktree for a task
- Switch between active worktrees
- See sandbox status (provisioning, running, stopped)
- Open project settings in the browser at cde.orgn.com
The sidebar container displays Origin Studio while the inner view is Projects. Both refer to the same cloud project and worktree picker.
You can also open the picker from the welcome screen (Open Cloud Project) or from the command palette (Enter Confidential Workspace).
Context breadcrumb
When a cloud worktree is active, the title bar shows your place in the hierarchy:
Team → Project → Task → Worktree
In local mode the breadcrumb shows Local followed by your folder name. Use it to confirm which execution boundary you are in before running agents or fetching attestation.
How attach works
When you activate a worktree, CDE orchestrates provisioning and remote editor attach. You may see progress messages such as:
| Phase | What you see |
|---|---|
| Provision | "Spinning up your isolated TDX environment…" / "Provisioning hardware-isolated compute…" |
| Start | "Bringing your encrypted workspace online…" |
| Verify | "Verifying agent runtime is live…" |
| Attach | SSH connect → remote file tree loads in the editor |
Behind the scenes CDE:
- Provisions or wakes the sandbox through the ORGN platform API (api.orgn.com)
- Probes SSH access to the sandbox gateway
- Installs the remote editor server if needed
- Attaches the window as a remote SSH session
- Loads the repository worktree in the remote file tree
Provisioning typically takes 30–60 seconds on a fresh worktree. Returning to a running sandbox is faster.
You do not call platform APIs directly during normal use. CDE handles id-orgn authentication, team context, and error surfacing.
Open a cloud worktree
Pick a project and task
From the welcome screen, choose Open Cloud Project, or focus the Projects sidebar (CDE: Focus on Projects view).
Select a project and task. If no worktree exists, choose Create new worktree in the sidebar.
Wait for attach
Watch the progress banner until the remote file tree loads. If attach stalls past a few minutes, see Troubleshooting — SSH gate errors.
Work in the sandbox
Once attached:
- Editor, terminal, and Git operate against the remote sandbox
- Origin Agent tool calls execute inside the sandbox — file edits and terminal commands stay in the Trust Domain
- Sandbox attestation is available via the status bar TDX shield
Parallel workstreams
Use separate worktrees when running multiple agents concurrently:
- Each worktree gets its own branch and sandbox
- Agents on different worktrees do not stomp each other
- Switch from the sidebar or CDE: Switch worktree
Recommended pattern: one worktree, one agent focus, one branch.
Tasks can trigger automation when a worktree is created (runOn: worktreeCreated) — for example dependency install or environment validation before an agent starts.
Switching and recovery
| Command palette action | When to use |
|---|---|
| CDE: Switch worktree | Return to the picker and change worktree |
| CDE: Attach editor to active worktree (remote SSH) | Window lost remote context but worktree is still active |
| CDE: Re-provision active worktree's sandbox | Orphaned runner, stale sandbox, or repeated SSH failures |
GitHub access
Cloud worktrees clone from your connected GitHub repository. If Git operations fail with a token error, install or refresh the ORGN GitHub App — see Troubleshooting — Connect GitHub.
Next steps
- Attestation — prove the sandbox is genuine TDX hardware
- Origin Agent — Gateway routing and ZDR vs TEE models
- Agents — parallel worktrees and Agent Sessions
- Platform trust — full trust stack