From efbe74b30220ac681a1c03909e2adbffcb12dc19 Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Fri, 6 Feb 2026 12:26:57 +0800 Subject: [PATCH] feat: add security scrubbing skill documentation. --- .agent/skills/security_scrubbing/SKILL.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .agent/skills/security_scrubbing/SKILL.md diff --git a/.agent/skills/security_scrubbing/SKILL.md b/.agent/skills/security_scrubbing/SKILL.md new file mode 100644 index 0000000..d5a2f65 --- /dev/null +++ b/.agent/skills/security_scrubbing/SKILL.md @@ -0,0 +1,18 @@ +# Security Scrubbing Skill + +This skill provides a standardized workflow for identifying and removing sensitive information (passwords, tokens, keys) from Git history using `git filter-repo` and `gitleaks`. + +## Guidelines + +1. **Identification**: Always run `gitleaks detect -v` first to identify the scope of exposed secrets. +2. **Replacement Plan**: Create a mapping file (e.g., `expressions.txt`) using the format `old_value==>new_value`. +3. **Execution**: Use `git filter-repo --replace-text expressions.txt --force` to rewrite history. +4. **Verification**: Re-run `gitleaks` to ensure zero leaks remain. +5. **Synchronization**: Force-push to all remote remotes (`git push origin --force`). Update all collaborators. +6. **Archiving**: Log the operation in the project's Runbook directory with a timestamped record. + +## Best Practices + +- Always use descriptive placeholders like `YOUR_PASSWORD` or `MFA_SECRET_PLACEHOLDER`. +- Scan all branches, not just the active one, if secrets were historically committed elsewhere. +- Notify the team immediately after a force-push as it breaks local clones.
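Review bot: The guideline list in this hunk never tells the operator to revoke or rotate the exposed credentials, and that is the step that actually mitigates the leak. Rewriting history only removes the value from the repository; anyone who already fetched the old commits still has it, so a rotation step ("treat every detected secret as compromised, rotate it, then scrub") should come right after step 1 and before the force-push. Two smaller points on the same list: step 5 has the typo "all remote remotes", and `git push origin --force` only pushes the current branch, which contradicts the "Scan all branches" best practice below it; `git push origin --force --all` plus `--tags` would cover every rewritten ref. Finally, step 3 passes `--force` to `git filter-repo`, which suppresses its fresh-clone safety check; the guideline should state that the rewrite is to be run in a fresh clone so that a mistake can be discarded rather than propagated.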