commit
Review changes and create a git commit with user confirmation. Use when work is ready to commit, changes need staging, or the user says "commit".
| name | commit |
| description | Review changes and create a git commit with user confirmation. Use when work is ready to commit, changes need staging, or the user says "commit". |
| category | process |
| triggers | ["commit changes","save work","stage and commit","git commit"] |
Purpose: Create a clean, well-documented commit
Mode: Git operations with user confirmation required
Usage:
/commit [scope flags]
ai-assistant-protocol, plus commit as a domain-specific term. Silence, questions, "okay" are NOT approval.

| Flag | Description |
|---|---|
| `--files=<paths>` | Commit only specified files |
| `--uncommitted` | Commit all uncommitted changes (default) |
| `--staged` | Commit only already-staged files |
Note: Command examples use npm as default. Adapt to the project's package manager per ai-assistant-protocol — Project Commands.
The commit workflow scales based on the size of changes:
| Tier | Scope | Validation | Suggestion |
|---|---|---|---|
| nano | 1-2 files, <20 lines | Security scan only | Direct commit |
| small | 2-4 files, <100 lines | Security scan + typecheck | Direct commit |
| medium | 5-10 files, 100-500 lines | Full validation (Step 4) | Commit, suggest push |
| large | 10+ files, 500+ lines | Full validation | Suggest feature branch + PR |
Auto-classify from git diff --stat. The user can override ("just commit it").
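```bash
CURRENT_BRANCH=$(git branch --show-current)
git status --porcelain
# Default branch from origin/HEAD. The fallback is applied separately because a
# trailing `|| echo "main"` never fires: the pipeline's exit status is sed's.
MAIN=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@')
MAIN=${MAIN:-main}
```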
If clean working tree (no staged, unstaged, or untracked changes): Report "Nothing to commit — working tree is clean" and exit.
If on main/master: Warn and suggest creating a feature branch. Wait for response.
```bash
git diff "$MAIN"...HEAD -- [scope-paths]   # already committed on this branch
git diff -- [scope-paths]                  # unstaged changes
git diff --staged -- [scope-paths]         # staged changes
```
Unstaged changes: If git status shows unstaged changes not related to the current commit, leave them alone. Note them in the review output as "out of scope" so the user is aware, but do NOT stage them. Do NOT run git add . or git add -A. Only stage files that are part of the intended commit. If the user asks to include additional files, stage them explicitly by name.
## Changes to Commit
**Branch:** `[current branch]`
**Modified:** `path/to/file.ts` — [brief description]
**Added:** `path/to/new.ts` — [purpose]
**Deleted:** `path/to/old.ts` — [reason]
**Stats:** X files changed, +Y insertions, -Z deletions
**Out of scope (unstaged):** `path/to/other.ts`, `path/to/another.ts` — not included in this commit
If changes include different concern types (feature + refactor, or feature + config), flag it:
These changes appear to mix concerns:
- **Feature:** [files related to new behavior]
- **Refactor:** [files with structural changes only]
Split into separate commits? (yes / no)
Scan changed files for security issues before committing:
```bash
# Secrets detection — generic assignment patterns
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" --include="*.json" \
  -E "(api[_-]?key|secret|password|token|credential|private[_-]?key)\s*[:=]" [scope-paths]

# Secrets detection — specific high-confidence patterns
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" --include="*.json" --include="*.yaml" --include="*.yml" --include="*.env*" \
  -E "(AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|Bearer [a-zA-Z0-9_.\\-]{20,})" [scope-paths]

# Secrets detection — passwords and tokens in strings
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" --include="*.json" \
  -E "(password|passwd|pwd|token|secret)\s*[:=]\s*[\"'][^\"']{8,}" [scope-paths]

# Insecure patterns
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
  -E "(eval\(|new Function\(|innerHTML\s*=|dangerouslySetInnerHTML|\.exec\(|rejectUnauthorized:\s*false)" [scope-paths]
```
Common secret patterns detected by the scan above:
| Pattern | Example | Risk |
|---|---|---|
| AWS access key | AKIA... (20 chars) | Full AWS account access |
| Private key header | -----BEGIN RSA PRIVATE KEY----- | TLS/SSH compromise |
| GitHub PAT | ghp_... (36 chars) | Repository access |
| OpenAI API key | sk-... (48 chars) | API billing abuse |
| Bearer token in code | Bearer eyJ... | Auth bypass |
| Password in string | password = "hunter2" | Credential leak |
If secrets detected: STOP. Warn the user with the specific file, line number, and secret type. Do NOT proceed to commit.
If insecure patterns detected: Flag for review — ask user to confirm these are intentional before proceeding.
Exclude test files and example/documentation files from blocking — flag them as informational only.
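An added example (not part of the skill's own code) that applies the stop and informational rules above to a diff rather than to whole files, so only lines the commit would add are reported with their new-file line numbers. The function names, the path heuristics for test, example and documentation files, and the sample diff are assumptions made for this example.

```bash
# Added example: flag secrets on ADDED lines of a unified diff read from stdin.
# Output per finding: SEVERITY<TAB>file:line<TAB>kind
added_lines() {  # emit "file<TAB>new-file line number<TAB>text" per added line
  awk '
    /^[+][+][+] / { file = $2; sub(/^b\//, "", file); next }
    /^@@ /        { split($3, n, ","); lineno = substr(n[1], 2) - 1; next }
    /^-/ || /^\\/ { next }  # removed lines do not advance new-file numbering
    /^[+]/        { printf "%s\t%d\t%s\n", file, ++lineno, substr($0, 2); next }
    /^ / || /^$/  { lineno++ }  # context line
  '
}
classify() {  # high-confidence patterns taken from the scan above
  if   printf '%s\n' "$1" | grep -Eq 'AKIA[0-9A-Z]{16}'; then echo aws-access-key
  elif printf '%s\n' "$1" | grep -Eq -e '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'
  then echo private-key
  elif printf '%s\n' "$1" | grep -Eq 'ghp_[a-zA-Z0-9]{36}'; then echo github-pat
  elif printf '%s\n' "$1" | grep -Eq 'sk-[a-zA-Z0-9]{48}'; then echo openai-key
  fi
}
scan_diff_for_secrets() {
  added_lines | while IFS="$(printf '\t')" read -r file lineno text; do
    kind=$(classify "$text"); [ -n "$kind" ] || continue
    case "$file" in  # assumed heuristics for test, example and doc paths
      *.test.*|*.spec.*|*/__tests__/*|test/*|tests/*|examples/*|docs/*|*.md) sev=INFO ;;
      *) sev=BLOCK ;;
    esac
    printf '%s\t%s:%s\t%s\n' "$sev" "$file" "$lineno" "$kind"
  done
}
commit_gate() {  # status 1 if any BLOCK finding exists; INFO alone passes
  findings=$(scan_diff_for_secrets)
  [ -z "$findings" ] || printf '%s\n' "$findings" >&2
  ! printf '%s\n' "$findings" | grep -q '^BLOCK'
}

sample_diff() {  # constructed input; both credential values are fake
cat <<'EOF'
--- a/src/config.ts
+++ b/src/config.ts
@@ -10,2 +10,2 @@ export const config = {
   region: "us-east-1",
-  accessKeyId: process.env.AWS_KEY,
+  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
--- /dev/null
+++ b/src/auth.test.ts
@@ -0,0 +1 @@
+const t = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
EOF
}
```

In use, `git diff --staged -- [scope-paths] | commit_gate` returns a non-zero status when a blocking finding exists, which is the point at which the workflow stops before `git commit`.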
If a secret is detected and fixed (moved to environment variable, removed, etc.):
Validation scales by change tier. See references/pre-commit-verification.md for tier-specific requirements and evidence freshness rules.
```bash
npm run typecheck
npm run lint
npm run test -- [affected]
```
**Suggested commit message:**
type: [description]
[optional body]
Options: **yes** / **edit** / **review** / **cancel**
GATE: Do NOT run git commit until user responds with explicit approval.
```bash
git add [scope-paths] # Stage files explicitly by name — NEVER use -A or .
git commit -m "[message]"
```
Staging rule: Only stage files that are part of the intended commit scope. If there are unstaged changes in other files, they must remain unstaged. Verify with git status after staging that no unintended files were included.
**Committed:** `abc1234` — [type](scope): [description]
**Files:** X changed
**Next:** Push? Create PR? Continue working?
See references/commit-conventions.md for extended formats (breaking changes, reverts, multi-issue references, scope conventions, good/bad examples).
[type](scope): [short description]
[optional body]
[optional footer: references, breaking changes]
| Type | Use |
|---|---|
| feat | New feature |
| fix | Bug fix |
| refactor | Structure change (no behavior change) |
| test | Adding/updating tests |
| docs | Documentation |
| chore | Maintenance, dependencies |
| perf | Performance |
"update code", "fix bug", "changes", "misc", "wip", "stuff", "updates"
Fixes #123 / Closes #123 (closes on merge) — Refs #123 (links without closing)
If configured, add an AI co-author trailer to commits where AI wrote most of the code. Follow the project's config.yaml setting for git.ai_attribution.
| ID | Type | Prompt / Condition | Expected |
|---|---|---|---|
| CMT-T1 | Positive | "Commit my changes" | Skill triggers |
| CMT-T2 | Positive | "Save my work" | Skill triggers |
| CMT-T3 | Positive | "Stage and commit" | Skill triggers |
| CMT-T4 | Negative | "Push to remote" | Does NOT trigger (git push, not commit) |
| CMT-T5 | Negative | "Create a PR" | Does NOT trigger (→ /pr) |
| CMT-T6 | Negative | "Review my changes" | Does NOT trigger (→ /review) |
| CMT-T7 | Boundary | "Commit and push" | Triggers (commit portion) |