diff --git a/scripts/auto-fix-gitleaks.sh b/scripts/auto-fix-gitleaks.sh
new file mode 100644
index 0000000..0387b24
--- /dev/null
+++ b/scripts/auto-fix-gitleaks.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+set -euo pipefail
+
+REMOTE_URL="git@github.com:svc-design/Modern-Container-Application-Reference-Architecture.git"
+
+echo "[*] Step 1: 使用 Gitleaks 扫描泄露路径..."
+LEAKED_PATHS=$(gitleaks detect -v --report-format json \
+  | jq -r '.[].File // .file' \
+  | sort -u)
+
+if [ -z "$LEAKED_PATHS" ]; then
+  echo "[✓] 没有泄露路径，无需清理。"
+  exit 0
+fi
+
+echo "[*] Step 2: 即将清理以下敏感文件路径："
+echo "$LEAKED_PATHS"
+echo
+
+# 构建参数列表
+ARGS=()
+while read -r path; do
+  [ -n "$path" ] && ARGS+=(--path "$path")
+done <<< "$LEAKED_PATHS"
+
+echo "[*] Step 3: 使用 git filter-repo 删除历史路径..."
+git filter-repo --force "${ARGS[@]}" --invert-paths
+
+echo "[*] Step 4: 检查并配置远程仓库 origin..."
+if ! git remote get-url origin &>/dev/null; then
+  echo "[!] 未检测到 origin，正在添加远程仓库：$REMOTE_URL"
+  git remote add origin "$REMOTE_URL"
+else
+  echo "[✓] 已配置 origin -> $(git remote get-url origin)"
+fi
+
+echo "[*] Step 5: 强制推送全部历史..."
+git push origin --force --all
+git push origin --force --tags
+
+echo
+echo "[✓] 历史清理完毕 ✅"
+echo "[*] 可选：运行 gitleaks detect 再次验证无泄露"
diff --git a/scripts/clean_git_binaries_fixed.sh b/scripts/clean_git_binaries_fixed.sh
new file mode 100644
index 0000000..b8a0c9d
--- /dev/null
+++ b/scripts/clean_git_binaries_fixed.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+set -e
+
+echo "📦 自动扫描 Git 中最大的历史文件并清理..."
+
+# 检查 git-filter-repo 是否存在
+if ! command -v git-filter-repo &> /dev/null; then
+  echo "❌ 请先安装 git-filter-repo（https://github.com/newren/git-filter-repo）"
+  exit 1
+fi
+
+# 提取前 20 个最大文件路径（唯一化）
+echo "🔍 获取 Git 历史中前 20 个大文件路径..."
+LARGE_PATHS=$(git rev-list --objects --all | \
+  git cat-file --batch-check='%(objecttype) %(objectname) %(objectsize) %(rest)' | \
+  grep '^blob' | \
+  sort -k3 -n -r | \
+  head -20 | \
+  awk '{print $4}' | sort | uniq)
+
+echo "🗑️ 以下路径将被从 Git 历史中永久删除："
+echo "$LARGE_PATHS"
+
+# 确认清理
+read -p "⚠️ 确定要执行清理吗？此操作将重写历史 (y/n): " confirm
+if [[ "$confirm" != "y" && "$confirm" != "Y" ]]; then
+  echo "❎ 已取消"
+  exit 0
+fi
+
+# 构造参数数组并执行 git-filter-repo
+echo "🚨 正在清理..."
+git filter-repo \
+  $(echo "$LARGE_PATHS" | awk '{print "--path " $1}') \
+  --invert-paths
+
+echo "✅ 清理完成！你现在可以检查仓库大小：du -sh .git"
+
+# 可选推送
+read -p "🚀 是否强制推送更改到远程？(y/n): " pushconfirm
+if [[ "$pushconfirm" == "y" || "$pushconfirm" == "Y" ]]; then
+  git push origin --force --all
+  git push origin --force --tags
+  echo "✅ 已强推完成"
+else
+  echo "⚠️ 请手动执行以下命令推送："
+  echo "   git push origin --force --all"
+  echo "   git push origin --force --tags"
+fi
+