secret-remediation

What problem does it solve?

This Skill provides a repeatable, safety‑first workflow to rewrite git commit history to remove secrets and personally identifiable information that were committed and later detected by secret-scanning, and it emphasizes mandatory credential rotation for any value that reached a remote.

Core Features & Use Cases

• Scenario-aware remediation: Handles main-only, feature-branch local-only, pushed feature with PR, and combined scenarios with clear actions for each.
• Search and scrub tools: Includes a read-only history search, a destructive orchestrator that runs git filter-branch, and a tree-filter helper that applies sed expressions per commit.
• Safety guardrails: Enforces a clean working tree, requires an explicit destructive flag, creates a backup tag, shows a countdown, and prints the force-push command for manual execution.
• Operational guidance: Guides credential rotation, plan confirmation with the Supreme Commander, per-branch execution, and post-scrub verification.
• Use Case: After secret-scanning finds an API key in past commits on main and a pushed feature branch, use this Skill to plan replacements, scrub affected branches, and coordinate credential rotation and force-pushes.

Quick Start

Run the secret-remediation workflow after secret-scanning identifies historical values by creating an expressions file, confirming the replacement plan with the Supreme Commander, running the search to preview matches, and then executing the scrub per affected branch with the required safety flag.