Smart Commit
Automated, security-aware Git commit workflow. Analyzes changes, groups files logically, and commits with clean Conventional Commit messages.
Activation Triggers
Activate automatically (no confirmation needed) when the user says:
- "commit", "smart commit", "commiter", "drill baby drill", "push"
- "save changes", "push", "send to GitHub"
- "git commit", "commit all", "commit everything"
Workflow
Phase 1 — Security Audit
MANDATORY before any commit. Abort on critical findings.
# 1. Detect secrets and credentials (CRITICAL — block on match)
git diff --cached --name-only | xargs grep -rlE \
'(PRIVATE KEY|password\s*=|api_key\s*=|secret\s*=|token\s*=|AWS_SECRET|sk-[a-zA-Z0-9]{20,})' \
2>/dev/null
# 2. Check for sensitive file extensions
git status --porcelain | grep -iE '\.(env|pem|key|p12|pfx|jks|keystore|secret|credentials|htpasswd)$'
# 3. Detect large files (>10MB)
find . -not -path './.git/*' -not -path './node_modules/*' \
-not -path './.venv/*' -not -path './vendor/*' \
-size +10M -type f 2>/dev/null
# 4. Verify .gitignore covers essentials
# See references/security-checklist.md for full patterns
| Finding | Action |
|---|---|
| Secrets/credentials detected | BLOCK — alert user, never commit |
.env, .pem, .key files staged | BLOCK — alert user, suggest .gitignore |
| Large binaries (>50MB) | WARN — suggest .gitignore or Git LFS |
| Large files (10-50MB) | WARN — ask user for confirmation |
Missing .gitignore patterns | FIX — add essential patterns, include in first commit |
NEVER auto-delete user files. Only warn and suggest actions. File deletion is the user's decision.
Phase 2 — Analyze Changes
git status --porcelain
Classify each file by its git status:
??→ new (untracked)M→ modifiedA→ added (staged)D→ deletedR→ renamed
Phase 3 — Group by Concern
Group files into logical commits using adaptive detection. The agent MUST inspect the actual project structure — do not assume any framework.
Grouping strategy (priority order):
- Configuration — Package manifests, lockfiles, config files, CI/CD,
.gitignore - Types/Schemas — Type definitions, interfaces, schemas, models
- Libraries/Utils — Shared code, helpers, utilities
- Core Logic — Components, services, controllers, routes, pages
- Styles — CSS, SCSS, Tailwind, theme files
- Tests — Test files, test configs, fixtures
- Documentation — Markdown, docs, changelogs
- Assets — Images, fonts, static files
- Infrastructure — Docker, Terraform, deployment configs
Adaptive rules:
- Inspect the actual directory tree to determine project type
- Group related files together (e.g., component + its test + its styles)
- If a feature touches <5 files across categories, consider a single feature commit
- For detailed patterns per framework, see references/grouping-patterns.md
Phase 4 — Commit Sequentially
Commit in dependency order (config → types → libs → core → rest).
git add <files>
git commit -m "<type>(<scope>): <description>"
Message format: Conventional Commits
| Type | When |
|---|---|
feat | New feature or functionality |
fix | Bug fix |
docs | Documentation only |
style | Formatting, whitespace (no logic change) |
refactor | Code restructuring (no behavior change) |
test | Adding or updating tests |
chore | Build, config, dependencies, tooling |
perf | Performance improvement |
ci | CI/CD configuration |
Message rules:
- Imperative mood: "add", "fix", "update" (not "added", "fixes")
- Scope is optional but recommended:
feat(auth): add login endpoint - Max 72 characters for subject line
- Be specific:
feat(ui): add accordion and badge componentsnotfeat: add stuff - Language: match the project's language convention (default: English)
Phase 5 — Report & Push
After all commits:
✅ Smart Commit complete!
📦 N commits created:
1. chore: update dependencies
→ package.json, pnpm-lock.yaml
2. feat(ui): add button and dialog components
→ src/components/ui/button.tsx
→ src/components/ui/dialog.tsx
🔒 Security: No issues detected
🚀 Push to remote? (Y/n)
If user confirms, push to current tracked branch.
Security Guidelines
See references/security-checklist.md for the full checklist.
Hard blocks (NEVER commit):
- Private keys, API keys, tokens, passwords in code
.envfiles with real credentials- Database dumps (
.sqlwith data) - Certificate files (
.pem,.p12,.pfx)
Minimum .gitignore patterns:
# Secrets
.env
.env.*
*.pem
*.key
*.p12
# Dependencies
node_modules/
.venv/
vendor/
__pycache__/
# Build outputs
dist/
build/
*.pyc
# OS files
.DS_Store
Thumbs.db
# Large media (adjust per project)
*.mp4
*.mov
*.zip
*.tar.gz
Edge Cases
| Situation | Action |
|---|---|
| No changes to commit | Report: "Working directory clean" |
| Already staged files | Include in analysis, respect existing staging |
| Merge conflicts | Alert user, abort until resolved |
| Branch behind remote | Warn, suggest git pull first |
| Detached HEAD | Warn user, suggest creating a branch |
| Empty repository | Handle git commit with --allow-empty for initial commit if needed |
| Submodules changed | Group as separate infrastructure commit |
Customization
The skill adapts automatically to any project. For project-specific behavior:
- Doc tracking: If the project has
CHANGELOG.md, suggest updating it - Monorepo: Group by package/workspace, prefix scope with package name
- Pre-commit hooks: Respect existing
.pre-commit-config.yamlorhuskysetup - Branch naming: Follow existing branch conventions for any new branches
Anti-Patterns
| Don't | Do Instead |
|---|---|
feat: add everything | Split into logical atomic commits |
update files | Describe WHAT changed specifically |
| Mix config + features | Separate concerns into distinct commits |
| Auto-delete user files | Warn and suggest, let user decide |
| Commit secrets "temporarily" | NEVER — secrets in git history persist forever |
| Skip security audit | ALWAYS run Phase 1, even for "quick" commits |
References
| File | Contents |
|---|---|
| references/security-checklist.md | Full pre-commit security audit checklist |
| references/grouping-patterns.md | Framework-specific grouping patterns |
| references/conventional-commits.md | Conventional Commits quick reference |