NEW: Integrated Gitleaks engine for professional-grade secret detection
Gitleaks Integration
- Professional secret scanning powered by Gitleaks engine
- Comprehensive detection of API keys, passwords, tokens, and credentials
- Zero configuration - works out of the box with sensible defaults
- Fast and accurate - scans only staged changes, not entire repository
- Rich context - shows file, line number, and detailed secret information
- Smart severity levels - critical secrets (AWS, GitHub, Stripe) block commits automatically
Automatic Detection For:
- ✅ AWS Access Keys & Secrets
- ✅ GitHub Personal Access Tokens
- ✅ OpenAI API Keys
- ✅ Google Cloud API Keys
- ✅ Stripe API Keys
- ✅ Slack Tokens
- ✅ Private Keys (RSA, SSH, EC, PGP)
- ✅ Database Connection Strings
- ✅ JWT Tokens
- ✅ Generic API Keys & Secrets
- ✅ And 100+ more patterns
- Automatic Scanning: Every commit is scanned for secrets before generation
- Critical Blocking: Dangerous secrets (AWS, GitHub, etc.) block commits immediately
- Warning Prompts: Generic secrets show a warning and ask for confirmation
- Clear Guidance: Helpful error messages explain how to fix issues
🔍 Analyzing changes...
⚠️ Scanning for secrets with Gitleaks...
🚨 BLOCKED: Secrets detected in staged files!
Critical secrets found:
src/config.ts:
Line 42:15
Detected a GitHub Personal Access Token, potentially giving access to repositories and user data.
Found: ghp_**********************qrst (from: githubToken = "ghp_1234567890abc...)
Rule: github-pat
To fix this issue:
1. Remove secrets from code
2. Use environment variables instead
3. Add affected files to .gitignore
4. Create .gitleaksignore file to suppress false positives
✖ Commit blocked: Critical secrets detectedNo configuration needed! Gitleaks works with sensible defaults.
Option 1: Skip scanning with CLI flag (use with caution!)
orc commit --no-secret-scanOption 2: Suppress false positives with .gitleaksignore
# .gitleaksignore
test-fixtures/fake-key.js:1
docs/examples/api-example.ts:*
- Dependency:
gitleaks-secret-scanner(auto-downloads Gitleaks binary) - Binary size: ~15MB (cached after first run)
- Performance: < 1s for typical commits
- Fallback: If Gitleaks is not available, scanning is skipped with a warning
- No breaking changes - all existing workflows continue to work
- Automatic: Secret scanning is enabled by default for all commits
- Opt-out: Cannot be disabled (security by design)
IMPORTANT: This update prevents accidental commits of dependency directories (node_modules/, vendor/, etc.)
Strict Dependency Directory Blocking
- ALWAYS blocks commits containing
node_modules/,vendor/, orbower_components/ - Cannot be overridden even with
--yesflag (by design for safety) - Shows clear error messages with step-by-step fix instructions
- Detects package manager directories early in the commit process
Committing dependency directories is a common mistake that can:
- Bloat repository size significantly (sometimes by gigabytes)
- Cause merge conflicts in teams
- Slow down git operations
- Expose security vulnerabilities
- Violate best practices
When you attempt to commit with staged dependency directories:
🚨 BLOCKED: Cannot commit dependency directories
The following were detected in staging area:
• node_modules directory detected
• pnpm store directory detected
To fix this issue:
1. Unstage unwanted files: git reset HEAD node_modules/
2. Update your .gitignore file
3. Stage only the files you want to commit
The commit is blocked immediately - protecting your repository.
Modified Files:
src/modules/core.ts:917-985- EnhancedhandleSafetyCheck()method- Added special handling for package manager directories
- Strict blocking that cannot be overridden with
--yes - Clear, actionable error messages with fix instructions
- Detects patterns:
node_modules/,vendor/,bower_components/,.pnpm/
No breaking changes - this is a pure safety enhancement.
If you intentionally need to commit dependencies (e.g., vendoring for deployment):
- This is generally not recommended
- If absolutely necessary, manually commit without using
orc - Consider alternative approaches like Docker or build artifacts
No configuration needed - works automatically out of the box.
To check what files are staged:
git statusTo unstage unwanted directories:
git reset HEAD node_modules/
git reset HEAD vendor/Always maintain a proper .gitignore:
# Dependencies
node_modules/
.pnpm/
bower_components/
vendor/
# Build outputs
dist/
build/
.next/All tests passing: 78/78 (100% success rate)
-
✅ diff-filter.test.ts (17/17 passing)
- Fixed whitespace-only change detection with new
filterWhitespaceChanges()function - Improved formatter pattern detection (removed overly aggressive patterns)
- Added proper filtering for removed/added line pairs
- Fixed whitespace-only change detection with new
-
✅ config.test.ts (20/20 passing)
- Updated config file path from
openrouter-commit.jsontoorcommit.json - Fixed
maskSensitive()test expectations (correct asterisk count) - Added proper mocks for directory creation
- Updated config file path from
-
✅ api.test.ts (27/27 passing)
- Updated User-Agent from
openrouter-commit/1.0.0toorcommit/1.0.0 - Implemented commit message cleaning (removes AI-generated prefixes)
- Added proper error interceptor mocks
- Improved error handling to preserve original error messages
- Updated User-Agent from
-
✅ core-workflow.test.ts (14/14 passing)
- Added p-queue mock for ES module compatibility
- Added missing mocks for
analyzeStagedFilesSafety,diffFiltermethods - Fixed TypeScript type issues
API Module (src/modules/api.ts)
- Enhanced
extractCommitMessage()to clean AI-generated noise:- Removes prefixes: "Commit message:", "This is commit message:", etc.
- Removes quotes around messages
- Removes leading dashes and asterisks
- Truncates to 200 characters max
- Improved error handling to preserve
ApiErrorinstances withisRetryableflag
Diff Filter Module (src/modules/diff-filter.ts)
- New
filterWhitespaceChanges()method for intelligent whitespace filtering - Detects and removes removed/added pairs that differ only in whitespace
- More accurate formatter pattern matching (only targets actual formatting noise)
Configuration Module (src/modules/config.ts)
- Standardized config file name to
orcommit.json - Improved
getMaskedApiKey()calculation
- Config file renamed:
~/.config/openrouter-commit.json→~/.config/orcommit.json- Old configs will need to be migrated manually or re-initialized with
orc config
- Old configs will need to be migrated manually or re-initialized with
This update introduces major improvements to commit message generation:
- Custom prompt support - Override default AI prompts with your own
- Interactive regeneration with user feedback loop
- Two-stage AI processing - Generation + finalization for better quality
- Comprehensive diff filtering - Expanded patterns for all ecosystems
- Enhanced UI/UX - Better spinners and user experience
You can now override the default AI prompts with your own:
# Override system prompt completely
orc commit --prompt "Generate a detailed technical commit message"
# Add additional context to the default prompt
orc commit --context "This is a critical security fix for production"# Save custom prompt to config (persists across sessions)
orc config prompt "Your custom prompt here"
# Clear custom prompt (revert to default)
orc config promptBenefits:
- Full control over AI behavior
- Team-specific commit message styles
- Project-specific requirements
- Different prompts for different contexts
When generating a commit message, users now have three options:
- ✅ Accept - Use the generated message
- ❌ Cancel - Abort the commit
- 🔄 Regenerate - Provide feedback and regenerate
- AI generates initial commit message
- User sees the message and is asked: "Accept this commit message?"
- If user declines, they're asked: "Would you like to regenerate with additional instructions?"
- User provides specific feedback (e.g., "Be more specific about the bug fix")
- AI regenerates with the feedback as
[IMPORTANT_USER_FEEDBACK] - Process repeats up to 5 times (configurable)
📝 Generated commit message:
——————————————————
fix: resolve authentication issue
——————————————————
? Accept this commit message? › No
? Would you like to regenerate with additional instructions? › Yes
? What should be changed or improved? › Mention the specific JWT token validation fix
🔄 Regenerating commit message (attempt 1/5)...
📝 Generated commit message:
——————————————————
fix(auth): resolve JWT token validation in login endpoint
Fixed token expiration check that was causing premature logouts
——————————————————
? Accept this commit message? › Yes
💾 Creating commit...
✓ Commit createdThe commit message generation now uses a two-stage process:
Stage 1: Generation
- AI analyzes the diff deeply with comprehensive instructions
- Generates detailed commit message with all important changes
- Focus on accuracy and completeness
Stage 2: Finalization
- Second AI pass to clean and perfect the message
- Removes explanatory text, prefixes, formatting artifacts
- Ensures proper format (conventional commits, line length, etc.)
- Lower temperature (0.3) for consistent results
Benefits:
- Higher quality messages with better formatting
- No more "Here is the commit message:" prefixes
- Consistent output format
- Better handling of edge cases
All prompts are now organized into clearly labeled blocks:
[INSTRUCTIONS]...[/INSTRUCTIONS]- Main task instructions[RULES]...[/RULES]- Quality standards and requirements[CONTEXT]...[/CONTEXT]- User-provided additional context[IMPORTANT_USER_FEEDBACK]...[/IMPORTANT_USER_FEEDBACK]- Regeneration feedback[DIFF_CONTENT]...[/DIFF_CONTENT]- Git diff to analyze[RAW_MESSAGE_TO_CLEAN]...[/RAW_MESSAGE_TO_CLEAN]- Stage 2 finalization input
- Clear separation - AI can easily distinguish between different sections
- Better focus - Important feedback stands out in its own block
- Consistency - Standardized format across all prompts
- Debugging - Easier to debug and improve prompts
Greatly expanded the diff filter patterns to cover all major development ecosystems:
New Patterns Added:
- Lock files: Pipfile.lock, poetry.lock, Cargo.lock, Podfile.lock, pubspec.lock, flake.lock
- Build outputs: target/ (Rust/Java), bin/, obj/ (.NET), .next/, .nuxt/, .astro/, .svelte-kit/
- Test coverage: .nyc_output/, htmlcov/, test-results/, .pytest_cache/
- Dependencies: vendor/, venv/, .venv/, bower_components/, .pnp/
- IDE/VCS: .fleet/, .vs/, .svn/
- Generated code: *.g.cs, *.g.go, more protobuf patterns
- Package files: *.whl, *.egg, *.jar, *.war, *.deb, *.rpm
- Config files: .env., secrets., credentials.*
- Documentation builds: _site/, .docusaurus/, .vuepress/
Benefits:
- Works seamlessly with Python, Rust, Go, .NET, Flutter, and more
- Reduces noise in commit messages
- Focuses on actual code changes
- Prevents accidental secret commits
New visual improvements for better user experience:
New Spinner Types:
createAIThinkingSpinner()- For AI generation with brain emojicreateProcessingSpinner()- For git operations
Improvements:
- Better status messages ("Polishing the message", "Creating commit")
- Timing information
- Clear success/failure states
- More informative progress updates
New utilities in src/utils/formatting.ts:
// Clean text (trim, remove double spaces/newlines)
cleanText(text: string): string
// Wrap text in named blocks
wrapInBlock(blockName: string, content: string, clean?: boolean): string
// Create multi-block structured prompts
createStructuredPrompt(blocks: Array<{name, content, clean?}>): stringwrapUserFeedback(feedback: string): string
wrapDiffContent(diff: string): string
wrapInstructions(instructions: string): string
wrapRules(rules: string): string
wrapContext(context: string): string
wrapExamples(examples: string): string-
src/cli.ts- Added
--prompt <text>option for custom system prompts - Added
--context <text>option for additional context - Added
config prompt [text]command to save/clear custom prompts - Updated command structure and help text
- Added
-
src/modules/core.ts- Updated
createSystemPrompt()to support custom prompts and structured blocks - Added
finalizeCommitMessage()for two-stage AI processing - Modified
generateCommitMessage()to acceptuserFeedbackparameter - Replaced
confirmCommit()with interactive regeneration flow - Added regeneration loop with max 5 attempts and safety limits
- Updated cache logic to skip caching during regeneration
- Integrated custom spinners for better UX
- Imported formatting utilities (wrapInstructions, wrapRules, etc.)
- Updated
-
src/modules/api.ts- Simplified
extractCommitMessage()- minimal cleanup only - Moved final cleaning to Stage 2 finalization
- Improved message extraction logic
- Simplified
-
src/modules/diff-filter.ts- Massively expanded
generatedFilePatternsarray - Added 100+ new patterns for all major ecosystems
- Improved pattern specificity and coverage
- Added comprehensive comments for pattern categories
- Massively expanded
-
src/utils/formatting.ts(NEW)- Text cleaning and block wrapping utilities
cleanText(),wrapInBlock(),createStructuredPrompt()- Helper functions: wrapInstructions, wrapRules, wrapContext, etc.
- Removes double spaces, excessive newlines, normalizes line endings
-
src/modules/spinner.ts(NEW)createAIThinkingSpinner()- For AI operationscreateProcessingSpinner()- For git operations- Consistent spinner interface across the app
-
src/modules/promo.ts(NEW)- Promotional message functionality (not included in release notes)
-
tests/unit/formatting.test.ts(NEW)- Comprehensive tests for all formatting utilities
- Edge case coverage
- 30+ test cases
None - all changes are backward compatible.
Before:
You are a senior software engineer...
YOUR MISSION: Analyze the git diff...
QUALITY STANDARDS:
- Be SPECIFIC...
After:
[INSTRUCTIONS]
You are a senior software engineer...
YOUR MISSION: Analyze the git diff...
[/INSTRUCTIONS]
[RULES]
- Be SPECIFIC about what changed
- Be ACCURATE - every word counts
- Be COMPLETE - don't omit details
[/RULES]
[CONTEXT]
This is a production hotfix
[/CONTEXT]
[IMPORTANT_USER_FEEDBACK]
Mention the specific API endpoint that was fixed
[/IMPORTANT_USER_FEEDBACK]
[DIFF_CONTENT]
+++ src/api/auth.ts
@@ -15,3 +15,4 @@
+ validateToken(token);
[/DIFF_CONTENT]
orc --yes # Skips confirmation, uses first generationorc # Interactive mode with regeneration optionorc --context "This is a critical security fix"orc --prompt "Generate a very detailed commit message with examples"No configuration changes needed. The feature works out-of-box.
To skip interactive confirmation (old behavior):
orc config set auto-confirm true
# or use --yes flag- Maximum regenerations: 5 attempts per commit
- Cache behavior: Regenerated messages are not cached (fresh each time)
- Fallback: If interactive prompts fail (e.g., in CI), falls back to simple yes/no
- Validation: Feedback must be at least 3 characters
- Be specific in feedback: Instead of "make it better", say "mention the specific function that was refactored"
- Use context flag: For project-specific requirements that apply to all commits
- Iterate gradually: Small improvements work better than complete rewrites
- Check before accepting: The AI learns from your feedback patterns
Run formatting utility tests:
npm test tests/unit/formatting.test.tsVerify build:
npm run build- Regeneration feedback is added to the prompt in a prominent
[IMPORTANT_USER_FEEDBACK]block - All text is automatically cleaned (trimmed, double spaces/newlines removed)
- Diff content is NOT cleaned to preserve exact formatting
- The two-stage AI process (generation + finalization) still applies to regenerated messages