AI coding agents now run git add, git commit, and sometimes git push on their own. The risk isn’t the tool, it’s the trust boundary: one misjudged commit can leak a secret, rewrite a teammate’s history, or bury a real change inside a 47-file mega-commit that no one can bisect later. This guide gives you the exact rules, settings, and review flow to keep the agent productive without handing it your git history.
It’s written for developers using Cursor agent mode, Claude Code, or Codex (anything with its own shell). If you’ve ever said “yes, run it” without reading the staged diff, this is for you.
TL;DR
- Pick one trust boundary and write it down: agent stages, you commit, or agent commits, you push. Never let an agent own the final push on a branch with an open PR.
- Put hard rules in
CLAUDE.md/AGENTS.md: no secrets, no amend on published commits, no commits tomain, nogit push --force. - Add a
gitleakspre-commit hook so a secret can’t ship even when both the agent and the human miss it. It runs in under a second on a staged diff. - Cap commit size (one logical change, ~200 lines) and verify with
git log -1 --statafter every agent commit. - Configure attribution explicitly: Claude Code’s
attributionsetting controls theCo-Authored-Bytrailer; Cursor’sonPreCommithook can gate every commit.
Set the trust boundary first
Before you touch any settings, decide where the human sits in the loop. There are two clean options, and the failure mode is picking neither and drifting between them.
| Boundary | Agent does | Human does | Best for |
|---|---|---|---|
| Stage-only | git add, drafts message | reviews diff, runs git commit, pushes | Shared branches, anything near main |
| Commit-only | git add, git commit | reviews git log, runs git push | Solo feature branches, fast iteration |
The line you must never cross: an agent owning git push on a branch that already has a PR open. A push there can trigger CI, notify reviewers, and rewrite what they already approved.
Before you start
- Add a
CLAUDE.md(Claude Code) orAGENTS.md(Cursor, Codex, and the cross-tool convention) at repo root with the hard rules below. Both are read at session start and committed with the repo, so every teammate’s agent inherits them. - Make sure
.gitignorealready covers.env*, credential files, and any local cache the agent might wander into. - Install a
gitleakspre-commit hook (see below) so secrets are blocked at the lowest layer.
Step by step
- Write the rules. In
CLAUDE.md/AGENTS.md: never commit secrets, never amend published commits, never commit tomain, nevergit push --force. Phrase them as imperatives the agent reads literally. - Use a review-then-commit flow. Have the agent stage files and draft the message, then you run
git diff --cachedbefore pressing enter. - Ask for conventional-commit form (
feat:,fix:,chore:), but you finalize the subject line. Subject lines drift fastest across sessions. - Cap commit size in your rules: one logical change per commit, max ~200 changed lines. Big AI commits are where review fatigue silently fails.
- Verify after commit. Run
git log -1 --statand confirm the file list matches what you expected. Surprise files mean roll back withgit reset HEAD~1.
Per-tool settings that actually matter
The defaults differ enough that “I configured it in Claude Code” doesn’t carry over to Cursor. Here’s what to set in each, as of June 2026.
Claude Code
- Attribution. Since v2.0.62 the
attributionsetting (in.claude/settings.jsonfor the repo, or~/.claude/settings.jsonfor global) controls both the commitCo-Authored-Bytrailer and the PR footer. It takes an object withcommitandprkeys; set either to an empty string to drop that attribution. It replaced the olderincludeCoAuthoredByboolean, which only governed the commit trailer and now takes lower precedence. - Permissions. Gate git in
.claude/settings.jsonpermissions so the agent must ask before destructive commands. AllowingBash(git add:*)andBash(git commit:*)while leavinggit pushandgit reset --hardon the ask-list keeps the boundary enforced by the tool, not by memory.
Cursor
- Hooks. Cursor Hooks (2026) wire scripts to editor events. The
onPreCommithook runs before the agent stages a commit, read fromhooks.jsonin your project’s.cursordirectory (or~/.cursorfor all projects). Use it to rungitleaksor block commits to protected branches. - Worktrees. Cursor creates isolated git worktrees for parallel agents, so each agent commits in its own working copy. Confirm which worktree you’re reviewing before you push.
- Yolo mode. Even with auto-run enabled, the Cursor team’s own guidance is to commit before important agent runs so a clean history is your rollback path.
Codex / other agents
Codex and most CLI agents read AGENTS.md, the cross-tool convention for agent instructions. Put the same hard rules there. There’s no per-tool attribution toggle to rely on, so keep the human on the git push.
Commit message template for agents
Drop this into AGENTS.md so the agent doesn’t reinvent the format each session:
type(scope): imperative summary under 60 chars
- What changed (1-3 bullets, files/areas)
- Why (link to ticket or short rationale)
- Tests run / verification done
Expect output like fix(auth): refresh token before retry on 401 followed by 2-3 bullet lines, not a 200-word essay. This follows the Conventional Commits spec, which agents detect reliably from your existing git history.
Wire up a gitleaks pre-commit hook
This is the one safety net that catches a secret even when the agent and you both miss it. With the pre-commit framework, create .pre-commit-config.yaml:
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.24.2
hooks:
- id: gitleaks
Then run pre-commit install. The hook runs gitleaks with --staged, checking exactly what git diff --cached is about to commit, and finishes in well under a second on a typical diff. After that, every git commit (yours or the agent’s) is scanned automatically.
What NOT to let AI commit
- Anything matching
**/.env*,**/secrets.*,**/*.pem,**/credentials.json— even when the agent insists “it’s only local.” - Binary files larger than ~1MB without you confirming. Lockfile-style binaries (
*.sqlite, big PNGs) bloat history permanently. - Migrations, schema changes, or anything under
infra/andterraform/. Human review required. - Generated files that already have a build script (
dist/,build/,*.lockrebuilds). Commit the script change, not the output. - Merge commits on shared branches. Merges encode intent; let a human decide the strategy.
Recommended workflow
stage -> agent proposes message -> human reads diff -> human commits -> human pushes. The agent never owns the final git push on a branch with an open PR. For solo branches, you can let it push, but require it to print the remote name and branch name first, so you catch a typo before it lands.
FAQ
Should I let the agent run git commit --amend? Only on commits it created in the current session that haven’t been pushed. Never on a teammate’s commit, since amend rewrites history.
What about git rebase? Allow it on local feature branches; forbid it on anything pushed and shared. Put this line in AGENTS.md so it’s enforced every session.
Can the agent write the PR body too? Yes, but treat it as a draft. The agent doesn’t know which reviewer cares about which detail.
How do I undo an unwanted AI commit? git reset --soft HEAD~1 keeps the changes staged; git reset --hard HEAD~1 discards them. If you followed the rules above, no push has happened yet.
Does the agent really need its own git identity? No. By default Claude Code and Cursor commit as you and add a Co-Authored-By trailer for the model. Configure or disable that trailer with the attribution settings above; don’t create a separate bot author unless your CI requires it.
Does this slow things down? The first week, yes. By week three the agent has learned your style and review takes 10-15 seconds per commit.
Common mistakes
- Letting the agent auto-commit unreviewed because “it’s a small change.” The small changes hide the worst surprises.
- Allowing
git commit -am(auto-stage modified files), which sweeps in unrelated edits. - Letting the agent amend shared commits to “clean up” history, which rewrites public history.
- Shipping with no
CLAUDE.md/AGENTS.md, so the agent invents conventions per session. - Trusting a verbal “don’t touch X.” Rules need to be written, in the repo, or they decay within a session.
- One mega-commit per agent session, which kills bisect-ability and makes rollback all-or-nothing.
Related
Tags: #AI coding #Tutorial