feat: add three-layer PII defense system (pre-commit + gitleaks + CLAUDE.md)

Prevents sensitive data (user paths, phone numbers, personal IDs) from
entering git history. Born from redacting 6 historical commits.

- .gitleaks.toml: custom rules for absolute paths, phone numbers, usernames
- .githooks/pre-commit: dual-layer scan (gitleaks + regex fallback)
- CLAUDE.md: updated Privacy section documenting the defense system

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitleaks.toml

@@ -0,0 +1,53 @@
+# Gitleaks custom rules for claude-code-skills repo
+# Catches personal info that shouldn't be in an open source repo
+
+title = "claude-code-skills sensitive data rules"
+
+[extend]
+useDefault = true
+
+# Global allowlist: files that are allowed to contain patterns
+# (the config file itself, hooks, and contribution guides)
+[allowlist]
+paths = [
+  '''\.gitleaks\.toml$''',
+  '''\.githooks/''',
+  '''CONTRIBUTING\.md$''',
+  '''CLAUDE\.md$''',
+]
+
+[[rules]]
+id = "absolute-user-path-macos"
+description = "Hardcoded macOS user home directory path"
+regex = '''/Users/[a-zA-Z][a-zA-Z0-9_-]+/'''
+tags = ["pii", "path"]
+
+[[rules]]
+id = "absolute-user-path-linux"
+description = "Hardcoded Linux home directory path"
+regex = '''/home/[a-zA-Z][a-zA-Z0-9_-]+/'''
+tags = ["pii", "path"]
+
+[[rules]]
+id = "windows-user-path"
+description = "Hardcoded Windows user profile path"
+regex = '''C:\\Users\\[a-zA-Z][a-zA-Z0-9_-]+\\'''
+tags = ["pii", "path"]
+
+[[rules]]
+id = "phone-number-cn"
+description = "Chinese mobile phone number"
+regex = '''1[3-9]\d{9}'''
+tags = ["pii", "phone"]
+
+[[rules]]
+id = "douban-user-id-literal"
+description = "Hardcoded Douban user ID"
+regex = '''songtiansheng'''
+tags = ["pii", "username"]
+
+[[rules]]
+id = "email-personal"
+description = "Personal email address"
+regex = '''[a-zA-Z0-9._%+-]+@(gmail|qq|163|126|outlook|hotmail|yahoo|icloud|foxmail)\.[a-zA-Z]{2,}'''
+tags = ["pii", "email"]