---
description: Check git status, verify .gitignore, stage everything safe, commit and push
argument-hint:
allowed-tools: Bash, Read, Write, Edit, Glob, Grep
---

Commit and push all changes with message: $ARGUMENTS

## Instructions

### Phase 1: Audit What's Changed

```bash
git status
git diff --stat
git diff --cached --stat
```

### Phase 2: Security Check

Scan for files that should NEVER be committed:

- `.env` files (except `.env.example`)
- `*.pem`, `*.key`, `*.p12`, `*.pfx`
- `credentials.json`, `service-account*.json`
- `.envault/` directory

```bash
# Scan everything `git add -A` will stage, not only what is already staged.
{ git diff --cached --name-only -z; git ls-files -z -m -o --exclude-standard; } | xargs -0 grep -l -I -E "(api_key|apikey|secret|password|token)\s*[:=]\s*['\"][^'\"]+['\"]" 2>/dev/null || true
```

### Phase 3: Verify .gitignore

Check that .gitignore covers secrets, dependencies, and build artifacts.

### Phase 4: Stage and Commit

```bash
git add -A
# Stop before committing while a sensitive file name is staged.
if git diff --cached --name-only | grep -E "\.(env|pem|key|p12|pfx)$"; then
  echo "WARNING: Sensitive files staged!"; exit 1
fi
git commit -m "$ARGUMENTS"
```

### Phase 5: If Commit Fails

If pre-commit hooks fail:

1. Fix the issues
2. Re-stage: `git add -A`
3. Retry commit (max 3 times)

### Phase 6: Push

```bash
git push origin HEAD
```

## Safety Rules

**NEVER commit:** `.env` with real values, private keys, credentials, files > 50MB.

**ALWAYS verify** .gitignore before staging.
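
The Phase 2 deny-list and the 50MB rule can be enforced as one gate over the staged paths. The script below is an added example, not part of the original command file; the helper names `is_sensitive_path` and `check_staged` are hypothetical, and "50MB" is assumed to mean 50 × 1024 × 1024 bytes.

```bash
# Added example, not part of the original command file.
# is_sensitive_path and check_staged are hypothetical helper names.

MAX_BYTES=$((50 * 1024 * 1024))  # assumption: the page's "50MB" read as 50 MiB

# Return 0 if the path matches a "never commit" pattern from Phase 2.
is_sensitive_path() {
    path=$1
    base=${path##*/}
    case "/$path" in
        */.envault/*) return 0 ;;                 # anything under .envault/
    esac
    case "$base" in
        .env.example) return 1 ;;                 # the one permitted .env file
        .env|.env.*|*.env) return 0 ;;
        *.pem|*.key|*.p12|*.pfx) return 0 ;;
        credentials.json|service-account*.json) return 0 ;;
    esac
    return 1
}

# Return non-zero if any staged path is sensitive by name or over the size cap.
# Paths containing newlines are not handled (git quotes them in this output).
check_staged() {
    blocked=0
    staged=$(git diff --cached --name-only --diff-filter=ACMR) || return 2
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if is_sensitive_path "$f"; then
            echo "BLOCKED (sensitive name): $f" >&2
            blocked=1
        fi
        # Size of the staged blob, read from the index rather than the worktree.
        size=$(git cat-file -s ":$f" 2>/dev/null || echo 0)
        if [ "$size" -gt "$MAX_BYTES" ]; then
            echo "BLOCKED (over 50MB): $f" >&2
            blocked=1
        fi
    done <<EOF
$staged
EOF
    return "$blocked"
}
```

Call `check_staged` after `git add -A` and run `git commit` only when it returns 0.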