From Dev10x
Safely handles git push by blocking force-pushes to protected branches like main/master and automates non-interactive rebases without editor prompts. Triggers on git push or rebase commands.
npx claudepluginhub dev10x-guru/dev10x-claude --plugin Dev10xThis skill is limited to using the following tools:
**Announce:** "Using Dev10x:git to [push / groom commits]."
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
Announce: "Using Dev10x:git to [push / groom commits]."
Provides hardened scripts for safe git push and non-interactive rebase.
Add the allowed-tools entries to your project's settings.local.json
to pre-approve the scripts without per-call prompts.
This skill follows references/task-orchestration.md patterns.
Create a task at invocation, mark completed when done:
REQUIRED: Create a task at invocation. Execute at startup:
TaskCreate(subject="Safe git push", activeForm="Pushing safely")Mark completed when done: TaskUpdate(taskId, status="completed")
Primary: MCP tool call (no permission friction):
mcp__plugin_Dev10x_cli__push_safe(flags="[flags]", remote="origin", refspec="branch")
MCP calls avoid Bash() allow-rule matching and provide
structured responses. Use the MCP tool as the default for
all push operations.
MCP server unavailable. If mcp__plugin_Dev10x_cli__push_safe
is listed as "no longer available" in system-reminders, STOP and
ask the user to reconnect via /mcp or a session restart. Do NOT
fall back to the wrapper script (blocked by
validate-bash-command.py) or use DEV10X_SKIP_CMD_VALIDATION —
see references/mcp-unavailable-escape-hatch.md.
Fallback: wrapper script (only when MCP is healthy but the tool call errored for another reason):
${CLAUDE_PLUGIN_ROOT}/skills/git/scripts/git-push-safe.sh [flags] [remote] [refspec]
# Do NOT pass "push" — the script runs `git push` itself.
# Example: git-push-safe.sh -u origin feature-branch
Default protected branches: main master
To extend the list, set GIT_PROTECTED_BRANCHES before calling:
GIT_PROTECTED_BRANCHES="main master staging" \
${CLAUDE_PLUGIN_ROOT}/skills/git/scripts/git-push-safe.sh --force-with-lease
--force-with-lease is always allowed (verifies the remote has not
diverged before overwriting). --force and -f are blocked on
protected branches.
Two scripts power fully automated rebases:
git-seq-editor.sh — replaces GIT_SEQUENCE_EDITOR; reads the
rebase todo from the path in GROOM_SEQ_FILE env var.git-rebase-groom.sh — convenience wrapper that sets
GIT_SEQUENCE_EDITOR and GIT_EDITOR=true, then runs
git rebase -i <base-ref>. Takes <seq-file> <base-ref> args./tmp/Dev10x/bin/mktmp.sh git rebase-seq .txt
Store the returned path (e.g., /tmp/Dev10x/git/rebase-seq.a7b3c9.txt).
Write <unique-path>:
pick abc1234 First commit
pick def5678 Second commit
fixup fed9876 fixup! Second commit
Note: The Write tool requires reading a file before writing to it.
For a new file, mktmp.sh already created it (empty), so Read it first,
then Write the sequence content.
${CLAUDE_PLUGIN_ROOT}/skills/git/scripts/git-rebase-groom.sh <unique-path> <base-ref>
The sequence file must list commits oldest at the top, newest at the
bottom — the same order git rebase -i expects. Use tac to
reverse git log output:
git log --oneline <base>..HEAD | tac
After each rebase pass all commit SHAs change. Always re-run
git log --oneline <base>..HEAD after each pass and use fresh SHAs
when writing the next sequence file.
Use git aliases instead of embedding $(git merge-base ...) in
commands. The $(...) substitution creates compound commands that
break Claude Code permission prefix matching, causing unnecessary
permission prompts.
| Alias | Equivalent |
|---|---|
git develop-log | git log --oneline $(git merge-base develop HEAD)..HEAD |
git develop-diff | git diff $(git merge-base develop HEAD)..HEAD |
git develop-rebase | git rebase -i --autosquash $(git merge-base develop HEAD) |
The alias name includes the base branch. When a different base is
needed (e.g., trunk), add a parallel set: trunk-log, trunk-diff,
trunk-rebase.
Never use $(git merge-base ...) inline — always use the alias.
Add to your project's .claude/settings.local.json:
{
"permissions": {
"allow": [
"Bash(${CLAUDE_PLUGIN_ROOT}/skills/git/scripts/git-push-safe.sh:*)",
"Bash(${CLAUDE_PLUGIN_ROOT}/skills/git/scripts/git-rebase-groom.sh:*)",
"Bash(${CLAUDE_PLUGIN_ROOT}/skills/git/scripts/git-seq-editor.sh:*)",
"Bash(git reset --soft:*)",
"Bash(git push --force-with-lease:*)",
"Bash(/tmp/Dev10x/bin/mktmp.sh:*)",
"Write(/tmp/Dev10x/git/**)"
]
}
}