chore(security): add gitleaks pre-commit hook + .gitleaks.toml

- .gitleaks.toml extends gitleaks default rules with project-specific allowlists
  for the 2026-04-25 redacted-token markers + intentional template placeholders.
- scripts/install-pre-commit-hook.sh — idempotent local-hook installer.
- README documents the hook + bypass.

Source: 2026-04-25 secret-scrub follow-on

Author: fidgetcoding

.gitleaks.toml

@@ -0,0 +1,26 @@
+# .gitleaks.toml — extends gitleaks default rules
+# Generated 2026-04-25 by fminimax pre-commit hook deployment.
+
+[extend]
+useDefault = true
+
+[[allowlists]]
+description = "Redacted-token markers from the 2026-04-25 history scrub"
+regexes = [
+  '''gho_REDACTED-AUDIT-2026-04-25''',
+  '''ntn_REDACTED-AUDIT-2026-04-25''',
+  '''MORGEN-REDACTED-AUDIT-2026-04-25''',
+  '''gho_REDACTED-W2-FIX-OUTPUT''',
+  '''ntn_REDACTED-W2-FIX-OUTPUT''',
+  '''MORGEN-REDACTED-W2-FIX-OUTPUT''',
+]
+
+[[allowlists]]
+description = "Placeholder strings used in templates"
+regexes = [
+  '''REPLACE_WITH_GITHUB_TOKEN''',
+  '''REPLACE_WITH_NOTION_TOKEN''',
+  '''REPLACE_WITH_MORGEN_API_KEY''',
+  '''\{\{(NOTION_TOKEN|GITHUB_TOKEN|MORGEN_API_KEY|NOTION_DATABASE_ID|W[123]_WORKFLOW_ID)\}\}''',
+  '''\$\{?[A-Z_]+_(TOKEN|KEY|SECRET|PASSWORD)\}?''',
+]

README.md

@@ -346,3 +346,21 @@ The dual copyright reflects reality: ruv wrote the engine, I wrote the wrapper.
 > Credit to ruv is not a footer. It's load-bearing. Every release and every public surface should preserve the attribution block in the intro, the Built on Ruflo section, the License dual-copyright, and the Links list. If any of those go missing in a future edit, this fork stops being honest.
 
 [⤴ back to top](#top)
+
+## Security: gitleaks pre-commit hook
+
+This repo ships with a `.gitleaks.toml` config and a one-liner installer for a local
+pre-commit hook that scans staged content for secrets (GitHub tokens, API keys, JWTs,
+etc.) before every commit.
+
+```bash
+bash scripts/install-pre-commit-hook.sh
+```
+
+The hook runs `gitleaks protect --staged` and blocks commits that contain secrets.
+For emergencies you can bypass with `git commit --no-verify` — but DO NOT bypass for
+real secrets. Use env vars or a secret manager instead.
+
+If gitleaks isn't installed yet:
+- macOS: `brew install gitleaks`
+- Linux: https://github.com/gitleaks/gitleaks/releases

scripts/install-pre-commit-hook.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# install-pre-commit-hook.sh — wires up the local gitleaks pre-commit hook.
+# Idempotent: safe to re-run.
+set -euo pipefail
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+HOOK="$REPO_ROOT/.git/hooks/pre-commit"
+
+if ! command -v gitleaks &>/dev/null; then
+  echo "❌ gitleaks not found on PATH."
+  echo "   macOS:  brew install gitleaks"
+  echo "   Linux:  https://github.com/gitleaks/gitleaks/releases"
+  exit 1
+fi
+
+mkdir -p "$REPO_ROOT/.git/hooks"
+cat > "$HOOK" <<'HOOK_EOF'
+#!/usr/bin/env bash
+# pre-commit — gitleaks scan on staged content. Block if any secret detected.
+# Bypass for emergencies: git commit --no-verify
+set -euo pipefail
+
+if ! command -v gitleaks &>/dev/null; then
+  echo "⚠️  gitleaks missing — skipping pre-commit secret scan." >&2
+  exit 0
+fi
+
+if ! gitleaks protect --staged --no-banner --redact -v 2>&1; then
+  echo ""
+  echo "🚨 SECRETS DETECTED in staged content. Commit BLOCKED." >&2
+  echo "   1. Review the leak above (output is redacted — full content in your staged files)." >&2
+  echo "   2. Remove the secret from your changes (use env vars / .env / secret manager)." >&2
+  echo "   3. Re-stage cleaned files and commit again." >&2
+  echo "   4. Emergency bypass (DO NOT USE FOR REAL SECRETS): git commit --no-verify" >&2
+  exit 1
+fi
+HOOK_EOF
+chmod +x "$HOOK"
+
+echo "✅ Installed pre-commit hook → $HOOK"
+echo "   Test it: stage a file containing a fake gho_/ntn_ token, then try git commit."