Add secret scanning guardrails — pre-commit hooks, CI workflow, expanded .gitignore

Prevents agents and contributors from accidentally committing secrets:
- .pre-commit-config.yaml: gitleaks + detect-private-key hooks (local)
- .github/workflows/secret-scan.yml: gitleaks action on PRs and pushes (CI)
- .gitignore: global patterns for .env, keys, certs, credentials, keystores

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: LightHeart

.github/workflows/secret-scan.yml

@@ -0,0 +1,23 @@
+name: Secret Scan
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: Scan for secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -23,8 +23,21 @@ config.yaml.bak
 *.tmp
 *.swp
 
+# Secrets and credentials (global)
+.env
+.env.*
+!.env.example
+*.key
+*.pem
+*.p12
+*.pfx
+*.crt
+credentials.*
+secrets.*
+secrets/
+*.keystore
+
 # Token Spy runtime
-token-spy/.env
 token-spy/data/
 token-spy/*.db
 token-spy/*.sqlite

.gitleaksignore

@@ -0,0 +1,5 @@
+# Gitleaks ignore file
+# Add fingerprints of known false positives here (one per line)
+# Get fingerprints from gitleaks output when a false positive is detected
+#
+# Example: abc123def456...

.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+# Pre-commit hooks for secret scanning
+# Install: pip install pre-commit && pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.21.2
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: detect-private-key
+      - id: check-added-large-files
+        args: ['--maxkb=500']