chore(workspace): add hardened startup/security workflows and skill suite

skills/git-workspace-hygiene/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: git-workspace-hygiene
+description: Maintain safe, low-noise Git workflows for OpenClaw workspaces. Use when initializing repository tracking, creating secure .gitignore rules, making clean checkpoint commits, reviewing diffs, preventing secret leaks, and preparing rollback-friendly history.
+---
+
+# Git Workspace Hygiene
+
+## Goals
+
+- Keep change history clear and reversible.
+- Prevent accidental commits of secrets and noisy runtime files.
+- Encourage small, meaningful checkpoints.
+
+## Setup workflow
+
+1. Ensure repository exists (`git init` if missing).
+2. Create/update `.gitignore` with workspace-safe defaults.
+3. Verify ignored files include credentials, env files, logs, and transient runtime state.
+4. Stage intended files only.
+5. Create baseline commit.
+
+## Commit hygiene rules
+
+- Prefer small scoped commits (one concern per commit).
+- Use Conventional Commits format: `<type>(<scope>): <summary>`.
+  - Types: `feat`, `fix`, `docs`, `chore`, `refactor`, `test`, `build`, `ci`.
+  - Examples: `chore(boot): harden startup checks`, `feat(skills): add inbox-triage`.
+- Review `git diff --staged` before committing.
+- Never commit tokens/secrets.
+
+## Quick review routine
+
+1. `git status --short`
+2. `git diff --stat`
+3. `git diff --staged`
+4. Run secret/noise scan script: `skills/git-workspace-hygiene/scripts/precommit-scan.sh`
+5. Commit only after clean scan
+
+## Rollback playbook
+
+- Inspect history: `git log --oneline --decorate -n 20`
+- Undo last commit (keep changes): `git reset --soft HEAD~1`
+- Restore a file from HEAD: `git restore <path>`
+- Revert committed change safely: `git revert <commit>`
+
+## Optional cadence
+
+- Create end-of-day checkpoint commit if meaningful changes accumulated.
+- Tag stable milestones (`git tag <name>`) when workflow is known-good.

skills/git-workspace-hygiene/references/commit-template.md

@@ -0,0 +1,18 @@
+# Commit Message Template
+
+Use concise scope-based messages:
+
+- `boot: harden startup checks`
+- `skills: add calendar-sentinel and inbox-triage`
+- `security: tighten prompt-injection boundaries`
+- `docs: update USER preferences`
+
+Format:
+
+`<scope>: <single-line summary>`
+
+Body (optional):
+
+- why change was needed
+- key files touched
+- notable risk/rollback notes

skills/git-workspace-hygiene/scripts/precommit-scan.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="${1:-.}"
+cd "$ROOT"
+
+echo "[scan] checking for likely secrets in staged changes..."
+STAGED=$(git diff --cached --name-only || true)
+if [[ -z "${STAGED}" ]]; then
+  echo "[scan] no staged files"
+  exit 0
+fi
+
+FAIL=0
+
+# simple patterns (high-signal only)
+PATTERN='(AKIA[0-9A-Z]{16}|-----BEGIN (RSA|EC|OPENSSH|PRIVATE) KEY-----|xox[baprs]-|ghp_[A-Za-z0-9]{20,}|AIza[0-9A-Za-z\-_]{35})'
+
+if git diff --cached | grep -E -n "$PATTERN" >/tmp/precommit-scan-matches.txt; then
+  echo "[scan] possible secret patterns found:"
+  cat /tmp/precommit-scan-matches.txt
+  FAIL=1
+fi
+
+# block obvious sensitive paths
+while IFS= read -r f; do
+  case "$f" in
+    .openclaw/credentials/*|*.pem|*.key|*.p12|*.pfx|.env|.env.*)
+      echo "[scan] blocked sensitive path staged: $f"
+      FAIL=1
+      ;;
+  esac
+done <<< "$STAGED"
+
+if [[ "$FAIL" -ne 0 ]]; then
+  echo "[scan] FAILED. unstage/remove sensitive data before commit."
+  exit 2
+fi
+
+echo "[scan] ok"