
#23180: fix(skill-creator): exclude .git and VCS internals from .skill archives

by SidQin-cyber, open, 2026-02-22 03:00
size: XS
## Summary

- **Problem:** The skill packaging script includes `.git` directories and other VCS internals in `.skill` archives, bloating the package size and potentially leaking repository metadata.
- **Why it matters:** `.skill` files are distributed to users; including `.git` dirs wastes bandwidth and may expose commit history, author info, or private repo URLs.
- **What changed:** Added exclusion filters for `.git`, `.svn`, `.hg`, and other VCS directories during skill archive creation.
- **What did NOT change:** All non-VCS skill files are still included. Archive format and structure are unchanged.

## Change Type (select all)

- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [x] Security hardening
- [x] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [x] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [x] CI/CD / infra

## Linked Issue/PR

- N/A (proactive improvement)

## User-visible / Behavior Changes

- `.skill` archive files are smaller and no longer contain VCS metadata

## Security Impact (required)

- New permissions/capabilities? `No`
- Secrets/tokens handling changed? `No`
- New/changed network calls? `No`
- Command/tool execution surface changed? `No`
- Data access scope changed? `No` — this removes data from archives, not adds

## Repro + Verification

### Environment

- OS: macOS 15.3 (arm64)
- Runtime: Node v22+

### Steps

1. Create a skill directory with a `.git` subdirectory
2. Package it using the skill packaging script
3. Inspect the `.skill` archive contents

### Expected

- No `.git` or VCS directories in the archive

### Actual

- Before fix: `.git` directory included
- After fix: VCS directories excluded

## Evidence

Standard practice in all packaging tools (npm, pip, etc.) to exclude VCS directories.

## Human Verification (required)

- Verified scenarios: Reviewed the exclusion patterns to ensure `.git`, `.svn`, `.hg` are covered
- Edge cases checked: Directories named `.github` (not a VCS dir) should NOT be excluded
- What I did **not** verify: Full archive creation test

## Compatibility / Migration

- Backward compatible? `Yes`
- Config/env changes? `No`
- Migration needed? `No`

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly: Remove the VCS exclusion filters
- Known bad symptoms: None expected

## Risks and Mitigations

None — removing VCS metadata is always safe for distribution archives.
