Git Commits with AI Agents: Rules, Boundaries & Settings

How to set commit conventions, draw commit boundaries, and what NOT to let Claude Code, Cursor, or Codex commit. With real config.

AI coding agents now run git add, git commit, and sometimes git push on their own. The risk isn’t the tool, it’s the trust boundary: one misjudged commit can leak a secret, rewrite a teammate’s history, or bury a real change inside a 47-file mega-commit that no one can bisect later. This guide gives you the exact rules, settings, and review flow to keep the agent productive without handing it your git history.

It’s written for developers using Cursor agent mode, Claude Code, or Codex (anything with its own shell). If you’ve ever said “yes, run it” without reading the staged diff, this is for you.

TL;DR

  • Pick one trust boundary and write it down: agent stages, you commit, or agent commits, you push. Never let an agent own the final push on a branch with an open PR.
  • Put hard rules in CLAUDE.md / AGENTS.md: no secrets, no amend on published commits, no commits to main, no git push --force.
  • Add a gitleaks pre-commit hook so a secret can’t ship even when both the agent and the human miss it. It runs in under a second on a staged diff.
  • Cap commit size (one logical change, ~200 lines) and verify with git log -1 --stat after every agent commit.
  • Configure attribution explicitly: Claude Code’s attribution setting controls the Co-Authored-By trailer; Cursor’s onPreCommit hook can gate every commit.

Set the trust boundary first

Before you touch any settings, decide where the human sits in the loop. There are two clean options, and the failure mode is picking neither and drifting between them.

BoundaryAgent doesHuman doesBest for
Stage-onlygit add, drafts messagereviews diff, runs git commit, pushesShared branches, anything near main
Commit-onlygit add, git commitreviews git log, runs git pushSolo feature branches, fast iteration

The line you must never cross: an agent owning git push on a branch that already has a PR open. A push there can trigger CI, notify reviewers, and rewrite what they already approved.

Before you start

  • Add a CLAUDE.md (Claude Code) or AGENTS.md (Cursor, Codex, and the cross-tool convention) at repo root with the hard rules below. Both are read at session start and committed with the repo, so every teammate’s agent inherits them.
  • Make sure .gitignore already covers .env*, credential files, and any local cache the agent might wander into.
  • Install a gitleaks pre-commit hook (see below) so secrets are blocked at the lowest layer.

Step by step

  1. Write the rules. In CLAUDE.md / AGENTS.md: never commit secrets, never amend published commits, never commit to main, never git push --force. Phrase them as imperatives the agent reads literally.
  2. Use a review-then-commit flow. Have the agent stage files and draft the message, then you run git diff --cached before pressing enter.
  3. Ask for conventional-commit form (feat:, fix:, chore:), but you finalize the subject line. Subject lines drift fastest across sessions.
  4. Cap commit size in your rules: one logical change per commit, max ~200 changed lines. Big AI commits are where review fatigue silently fails.
  5. Verify after commit. Run git log -1 --stat and confirm the file list matches what you expected. Surprise files mean roll back with git reset HEAD~1.

Per-tool settings that actually matter

The defaults differ enough that “I configured it in Claude Code” doesn’t carry over to Cursor. Here’s what to set in each, as of June 2026.

Claude Code

  • Attribution. Since v2.0.62 the attribution setting (in .claude/settings.json for the repo, or ~/.claude/settings.json for global) controls both the commit Co-Authored-By trailer and the PR footer. It takes an object with commit and pr keys; set either to an empty string to drop that attribution. It replaced the older includeCoAuthoredBy boolean, which only governed the commit trailer and now takes lower precedence.
  • Permissions. Gate git in .claude/settings.json permissions so the agent must ask before destructive commands. Allowing Bash(git add:*) and Bash(git commit:*) while leaving git push and git reset --hard on the ask-list keeps the boundary enforced by the tool, not by memory.

Cursor

  • Hooks. Cursor Hooks (2026) wire scripts to editor events. The onPreCommit hook runs before the agent stages a commit, read from hooks.json in your project’s .cursor directory (or ~/.cursor for all projects). Use it to run gitleaks or block commits to protected branches.
  • Worktrees. Cursor creates isolated git worktrees for parallel agents, so each agent commits in its own working copy. Confirm which worktree you’re reviewing before you push.
  • Yolo mode. Even with auto-run enabled, the Cursor team’s own guidance is to commit before important agent runs so a clean history is your rollback path.

Codex / other agents

Codex and most CLI agents read AGENTS.md, the cross-tool convention for agent instructions. Put the same hard rules there. There’s no per-tool attribution toggle to rely on, so keep the human on the git push.

Commit message template for agents

Drop this into AGENTS.md so the agent doesn’t reinvent the format each session:

type(scope): imperative summary under 60 chars

- What changed (1-3 bullets, files/areas)
- Why (link to ticket or short rationale)
- Tests run / verification done

Expect output like fix(auth): refresh token before retry on 401 followed by 2-3 bullet lines, not a 200-word essay. This follows the Conventional Commits spec, which agents detect reliably from your existing git history.

Wire up a gitleaks pre-commit hook

This is the one safety net that catches a secret even when the agent and you both miss it. With the pre-commit framework, create .pre-commit-config.yaml:

repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.24.2
    hooks:
      - id: gitleaks

Then run pre-commit install. The hook runs gitleaks with --staged, checking exactly what git diff --cached is about to commit, and finishes in well under a second on a typical diff. After that, every git commit (yours or the agent’s) is scanned automatically.

What NOT to let AI commit

  • Anything matching **/.env*, **/secrets.*, **/*.pem, **/credentials.json — even when the agent insists “it’s only local.”
  • Binary files larger than ~1MB without you confirming. Lockfile-style binaries (*.sqlite, big PNGs) bloat history permanently.
  • Migrations, schema changes, or anything under infra/ and terraform/. Human review required.
  • Generated files that already have a build script (dist/, build/, *.lock rebuilds). Commit the script change, not the output.
  • Merge commits on shared branches. Merges encode intent; let a human decide the strategy.

stage -> agent proposes message -> human reads diff -> human commits -> human pushes. The agent never owns the final git push on a branch with an open PR. For solo branches, you can let it push, but require it to print the remote name and branch name first, so you catch a typo before it lands.

FAQ

Should I let the agent run git commit --amend? Only on commits it created in the current session that haven’t been pushed. Never on a teammate’s commit, since amend rewrites history.

What about git rebase? Allow it on local feature branches; forbid it on anything pushed and shared. Put this line in AGENTS.md so it’s enforced every session.

Can the agent write the PR body too? Yes, but treat it as a draft. The agent doesn’t know which reviewer cares about which detail.

How do I undo an unwanted AI commit? git reset --soft HEAD~1 keeps the changes staged; git reset --hard HEAD~1 discards them. If you followed the rules above, no push has happened yet.

Does the agent really need its own git identity? No. By default Claude Code and Cursor commit as you and add a Co-Authored-By trailer for the model. Configure or disable that trailer with the attribution settings above; don’t create a separate bot author unless your CI requires it.

Does this slow things down? The first week, yes. By week three the agent has learned your style and review takes 10-15 seconds per commit.

Common mistakes

  • Letting the agent auto-commit unreviewed because “it’s a small change.” The small changes hide the worst surprises.
  • Allowing git commit -am (auto-stage modified files), which sweeps in unrelated edits.
  • Letting the agent amend shared commits to “clean up” history, which rewrites public history.
  • Shipping with no CLAUDE.md / AGENTS.md, so the agent invents conventions per session.
  • Trusting a verbal “don’t touch X.” Rules need to be written, in the repo, or they decay within a session.
  • One mega-commit per agent session, which kills bisect-ability and makes rollback all-or-nothing.

Tags: #AI coding #Tutorial