fix(ce-demo-reel): prevent secrets in recorded demos (#664)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trevin Chow
2026-04-23 21:52:52 -07:00
committed by GitHub
parent 75cf4d603d
commit 9ddcd22aee
5 changed files with 47 additions and 7 deletions


@@ -84,6 +84,12 @@ agent-browser screenshot [RUN_DIR]/frame-01-initial.png
- Wait 2-3 seconds after navigation for the page to settle
- Capture the full viewport (sidebar, header give reviewers context)
**Keep secrets out of frame:**
- Do not open DevTools, the Network panel, or Application/Storage -- these expose auth headers, cookies, session storage, and tokens in plain view
- Skip pages that display raw credentials (unmasked API-key settings, OAuth consent screens, `.env` viewers, billing/payment detail)
- Check the URL bar before each screenshot -- if it carries a session token or credential query param (`?access_token=`, `?api_key=`, `#id_token=`), navigate to the clean canonical URL first
- Prefer a demo account or seeded fixture data over a real logged-in account when the screenshot will include account identifiers that are themselves sensitive
## Step 3: Stitch into GIF
Use the capture pipeline script to normalize frame dimensions, stitch with two-pass palette, and auto-reduce if over 10 MB:
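Review bot: the URL-bar bullet in the new "Keep secrets out of frame" list names three parameter patterns (`?access_token=`, `?api_key=`, `#id_token=`) in a way that reads as an exhaustive list; OAuth redirect parameters such as `?code=` and `?state=`, and tokens carried in the path rather than the query string, are at least as common in the flows this list already calls out (OAuth consent screens). Suggest wording it as "any token-like value in the URL (e.g. `?access_token=`, `?api_key=`, `#id_token=`, `?code=`)" so the examples are clearly illustrative. The bullet also says to "navigate to the clean canonical URL" without saying how to find it; a one-liner such as "strip the query string and fragment, or reload from the sidebar link" would make the step actionable for the agent following it.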
@@ -100,8 +106,10 @@ python3 scripts/capture-demo.py stitch --duration 2.0 [RUN_DIR]/demo.gif [RUN_DI
**If stitching fails:** Fall back to static screenshots tier using the individual PNGs already captured. If no PNGs were captured, report the failure.
## Step 4: Cleanup
## Step 4: Secrets Scan and Cleanup
After successful GIF creation, remove individual PNG frames. Keep only the final GIF for upload.
Before uploading, inspect the final GIF for any credential material visible on-screen. If any appears, discard the GIF and recapture with the offending page or state routed out of frame. Do not upload, do not blur.
After a clean GIF is confirmed, remove individual PNG frames. Keep only the final GIF for upload.
Proceed to `references/upload-and-approval.md`.
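Review bot: the secrets check in Step 4 runs only on the stitched GIF, but the individual PNG frames are still on disk at that point and are far easier to inspect one at a time than a multi-frame GIF; moving the inspection to before the stitch in Step 3 (check each `[RUN_DIR]/frame-*.png`, then stitch) also avoids doing the two-pass palette and size-reduction work on output that will be discarded. On the discard path the text says "discard the GIF and recapture" while the frame removal only happens "After a clean GIF is confirmed", so the PNG that contained the credential stays on disk until a recapture happens to overwrite it; suggest "discard the GIF and the captured frames, then recapture" so the failure path leaves no credential material behind.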