# DD-02 — Aider: The Git-Native Pair Programmer (Teaching Script)

**Format**: Verbatim transcript (~2800 words). Spoken at ~140 wpm. Slide cues `[SLIDE N]` map to `03-slide-deck.html`.

---

[SLIDE 1] Title slide. "Aider: The Git-Native Pair Programmer." Take a beat. Let the title land.

Welcome to Deep-Dive Two. We're moving one step to the right on the thickness spectrum. Pi, in Deep-Dive One, was the thin reference — four tools, a sub-thousand-token prompt, twelve hundred lines of code. Aider is the first harness that is deliberately thicker, and the question we're here to answer is sharp: how much thickness does git buy, and why?

Here are the numbers. Aider is Python, not TypeScript. About twenty-five thousand lines of code — that's twenty times Pi. Roughly eight tools, versus Pi's four. A system prompt around two thousand tokens — twice Pi's. Forty-four thousand five hundred GitHub stars. Apache 2.0 license. One hundred-plus supported models through LiteLLM. And three years of iteration, from 2023 through 2026, which makes it the most mature coding agent in the thin-medium band.

But the headline is not the numbers. The headline is this: Aider created the Aider Polyglot Benchmark — the de facto standard the entire field uses to evaluate coding agents. Most published coding-agent benchmark numbers you have ever read trace back to Aider's methodology. Aider is the reference not because it is the best harness, but because it defined how the field measures "best." Hold onto that. We'll come back to it.

[SLIDE 2] The thesis.

Here is the load-bearing claim for this entire deep-dive. Aider's git-first philosophy is the differentiator. Pi has no memory, no checkpointing, no verification — three of the twelve rubric modules scored at one out of five. Aider gets all three — plus permission, plus observability — for free, by using git as the substrate. One infrastructure choice yields five rubric modules. That is the plus-seven over Pi. Look at the two cards on the slide. Pi at twenty-five out of sixty. Aider at thirty-two out of sixty. The delta is seven points, and almost every one of those seven points comes from git.

This is the comparison question for this deep-dive. It is not "is Aider better than Pi." It is "how much does a single infrastructure decision buy, when that infrastructure is git?" The answer is: a lot. Five modules. But — and this is the second half of the thesis — git buys capability, not safety. We will get to that.

[SLIDE 3] Git-as-substrate. Five modules from one choice.

Walk through the grid. Module 4, Memory: git commits are checkpoints that survive across sessions. `git log` is your history. Pi had ephemeral, in-context-only memory. Aider inherits persistent, version-controlled memory from git for free.

Module 8, State: `git reset` is native rollback. Every change Aider makes is a recoverable checkpoint. You can undo the last ten turns of work with a single command. Pi had no state at all — every interruption meant starting over.

Module 9, Verification: the diff IS the verification. The human reviews `git diff`. This is implicit verification, and it is clever — it turns the change itself into the quality gate. Pi shipped and hoped.

Module 6, Permission: git-gated. Aider commits after each change. The user reviews the diff and resets if the change is wrong. This is a distinct permission architecture — not per-action approval like the standard pattern, but per-commit review with native rollback. It trades real-time approval for post-hoc review with version control. Better for coding, where changes are reviewable; worse for destructive actions, where you want to prevent before, not undo after.

Module 11, Observability: `git log` is the trace. A human-readable history of every change, every commit, every message. Pi had console.log. Aider inherits structured, queryable history from git.

And then Module 3, Context: Aider adds the repo-map — an AST-based file index. The model sees the repository's symbol graph without reading every file. A clean middle path between Pi's nothing and a thick harness's full retrieval.

The callout at the bottom: no other harness in the roster gets this much from a single decision. Git is the multiplier. The entire plus-seven over Pi comes from this one infrastructure choice.

[SLIDE 4] The twelve-module audit. Where the plus-seven comes from.

Walk the table. Module 3, Context: Pi scored two, Aider scores four. Plus two. The repo-map. Module 4, Memory: Pi one, Aider three. Plus two. Git commits as checkpoints. Module 6, Permission: Pi two, Aider three. Plus one. Git-gated review. Module 7, Errors: Pi two, Aider three. Plus one. Diff-failure self-correction — when a search/replace block fails to apply, the model sees the error and retries. Module 8, State: Pi one, Aider four. Plus three. Git commits as rollback — this is the single biggest module gain in the entire deep-dive roster. Module 9, Verification: Pi one, Aider three. Plus two. Diff as implicit verification. Module 11, Observability: Pi two, Aider three. Plus one. Git log as trace.

Now the offsets. Module 2, Tools: Pi five, Aider four. Minus one. Aider has more tools, and more tools mean more dispatch noise — but this is purposeful noise, because each tool is coding-specific and built for a real task. Module 12, Prompt: Pi five, Aider four. Minus one. Aider's prompt is around two thousand tokens versus Pi's sub-thousand — denser, but more capable. And Module 5, Sandbox: both score one. No sandbox. Same blast radius. That is the load-bearing security finding, and we are about to spend a full slide on it.

Total: thirty-two out of sixty. Plus seven versus Pi. The plus-seven comes almost entirely from git: plus two context, plus two memory, plus three state, plus two verification, plus one permission, plus one observability. The two minus-ones are the cost of specialization — more tools, denser prompt. Git is the multiplier.

[SLIDE 5] The security nuance. This is the most important slide in the deep-dive.

Git-gating catches wrong. It does not catch malicious. These are two different failure modes, and conflating them is the most common mistake engineers make when they first look at Aider.

Left card. The honest mistake. The model produces a wrong edit — it misunderstood the task, applied a refactor to the wrong function, broke a test. The human reviews `git diff`, spots the error, types `git reset HEAD-tilde-one`, and the change is rolled back. Git-gating works. This is the case Aider is designed for, and it handles it well.

Right card. The injection. The model is prompt-injected — a README it read contained an ASI01 payload, or an issue comment contained an ASI07 instruction. The model produces a benign-looking "refactor" that also reads `~/.ssh/cred` and curls the contents to an attacker-controlled server. The human reviews the diff. The exfiltration payload may be buried in a refactor that looks legitimate — a renamed function, a moved import, a new helper. The human is reviewing for "is this the change I asked for," not "is this change safe to apply." The payload passes review. The commit executes. Exfiltration succeeds.

The callout: git-gating is a change-quality control, not an injection defense. The diff-review answers "is this the change I asked for" — not "is this change safe to apply." A prompt-injected model produces a change that is exactly what the attacker asked for. Git-gating has no opinion on whether that change is safe. This is the critical limitation, and if you take one thing from this deep-dive, take this.

[SLIDE 6] Three decisions I agree with.

First: git-as-substrate. The multiplier. Five modules from one choice. No other decision in the roster delivers this much. If you remember nothing else about Aider, remember that one infrastructure decision — use git as the substrate for everything — bought five rubric modules.

Second: diff-based editing. Search-and-replace blocks are more reliable than whole-file writes. Less token cost, fewer hallucinated-full-file errors. Three years of iteration have refined this to the field's best diff-editing implementation. When Aider applies a search-and-replace block and it fails — the search string doesn't match — the model sees the failure and retries with a corrected block. This is a coding-specific error-recovery loop that Pi's write-file approach cannot match.

Third: the repo-map. AST-based structure, not padding. Aider parses the repository's source files, extracts the symbol graph — classes, functions, signatures — and presents it to the model as a compact index. The model knows what exists and where, without reading every file. This is a genuine innovation in context management, and it is the cleanest middle path in the roster between Pi's nothing and a thick harness's full vector-retrieval pipeline.

[SLIDE 7] Three decisions I would make differently.

First: add a sandbox. Docker, or equivalent. Blast radius is the host, same as Pi. Git-gating catches wrong changes, but not malicious exfiltration. A compromised Aider process can read `~/.ssh` before the human ever reviews the diff — the exfiltration happens at tool-execution time, not at commit time. The git gate is downstream of the damage. This is the single most important fix.

Second: add untrusted-content tagging on file reads. A README read by the agent could contain injection that survives the diff-review — that is the injection case from slide five. The fix is to tag content read from files as untrusted, so the model treats it as data, not instructions. This is the M2.4 / ASI01 surface. Aider does not implement it.

Third: add a token budget. Three years of iteration, and Aider still has no token-budget stop condition. A long session — a complex refactor, a large codebase — can run away. The model keeps calling tools, the context keeps growing, the bill keeps climbing. This is the cheapest missing stop condition, and its absence is surprising in a harness this mature.

[SLIDE 8] Aider's defining contribution — the benchmark.

The Aider Polyglot Benchmark. A standardized set of coding tasks across multiple programming languages, used by the field to evaluate coding-agent performance. Most published coding-agent benchmark numbers you have ever seen — in papers, in blog posts, in launch announcements — trace back to Aider's benchmark methodology.

This is why Aider is the reference. Not because it is the best harness — on the rubric it scores thirty-two out of sixty, which is solid but not dominant. Aider is the reference because it defined how the field measures "best." Every coding-agent benchmark you read is either Aider's, or measured against Aider's, or defined in reaction to Aider's. That is an outsized contribution for a single open-source project, and it is the reason Aider belongs in this roster even though several thicker harnesses outscore it.

And the maturity point: three years of iteration, 2023 through 2026. The diff-editing, the repo-map, the git integration — these are battle-tested in a way no newer harness matches. When you read Aider's source, you are reading three years of refinement. That maturity shows up in the rubric as reliability, not as raw module scores.

[SLIDE 9] Anti-patterns. Three mistakes to avoid when reasoning about Aider.

First: "Aider has git-gating, so it is secure." We have spent the last four slides dismantling this. Git-gating catches wrong changes, not malicious ones. If your threat model includes prompt injection — and after Course 2B, it should — git-gating is necessary but not sufficient. Add untrusted-content tagging if the agent reads attacker-controllable files.

Second: "Aider's diff-editing makes it general-purpose." It does not. The diff format is coding-specific. The search-and-replace blocks assume source files with parseable structure. Do not deploy Aider for non-coding tasks — use Pi for general tool-use, use Aider for code. This sounds obvious, but it is a real anti-pattern: engineers reach for Aider because it is mature and well-documented, then try to use it for DevOps scripts or data analysis, and the diff-editing fights them.

Third: "Aider's roughly eight tools violate the four-tool philosophy." This conflates two different things. The four-tool philosophy is a noise-reduction strategy for general tool-use — Pi's bash, read-file, write-file, search. Aider's roughly eight tools are coding-specific and git-integrated: read-file, write-file, edit, bash, search, plus git operations. They add capability without dispatch noise, because each one maps to a specific coding task the model already understands. Evaluate tool count against use case, not against a universal limit.

[SLIDE 10] What you can now do.

Read the six objectives. By the end of this deep-dive you should be able to apply the six-phase methodology to Aider and produce a scored card with file-and-line evidence. You should be able to explain Aider's git-first philosophy as a distinct architectural bet — git-as-substrate yielding five modules from one choice. You should be able to compare Aider against Pi module-by-module and show that the plus-seven comes from git. You should be able to state why Aider's benchmark creation makes it the field's reference for coding-agent performance. You should be able to articulate the critical limitation — git-gating catches wrong changes, not malicious ones. And you should be able to identify the three changes that move Aider from "mature" to "production-grade" without compromising its git-first value: a sandbox, untrusted-content tagging, and a token budget.

The lab. You will model Aider's git-gated loop as a trace — the same seven-step dispatch you traced for Pi, but with a git-commit node that multiplies into state, memory, verification, permission, and observability. You will score Aider against Pi module-by-module to confirm the plus-seven from git. And you will construct the malicious-but-benign-looking scenario — a prompt-injected model producing a diff that passes human review but exfiltrates credentials. That last exercise is the point of the lab: git-gating catches wrong, not malicious, and the best way to internalize that is to build the attack.

Next: Deep-Dive Three. OpenCode — the terminal-native harness. We move from git-as-substrate to terminal-as-interface, and the question shifts again.

That is Aider. The thin-medium reference. The benchmark creator. The git-first philosophy. Thirty-two out of sixty — plus seven over Pi, almost entirely from git. Git is the multiplier.

---

*End of teaching script. ~2,800 words. Maps to `03-slide-deck.html` (10 content slides).*
