chore: add gitleaks secret scanning (CI workflow + husky pre-commit)

Why: prevent accidental secret commits from a single, well-known scanner
(gitleaks). Two layers — server-side via GitHub Action so nothing slips
past `git commit --no-verify`, and local via husky pre-commit hook so devs
get fast feedback before pushing.

Lessons learnt: husky's pre-commit hook gracefully no-ops with a warning if
gitleaks isn't installed locally; CI is still the source of truth. The
.gitleaks.toml allowlist covers .env.example, CHANGELOG.md, and
pnpm-lock.yaml to avoid false positives.

Summary:
- Add .github/workflows/secret-scan.yml running gitleaks/gitleaks-action@v2
  on every PR and push to main.
- Add .gitleaks.toml extending default rules with project-specific
  allowlist paths.
- Add husky as a devDependency, .husky/pre-commit running
  `gitleaks protect --staged`, and update prepare script.
- Document setup in README and CHANGELOG.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Ubuntu

.github/workflows/secret-scan.yml

@@ -0,0 +1,29 @@
+name: Secret scan
+
+# Server-side secret scan. Runs on every PR and every push to main, so it
+# cannot be bypassed by `git commit --no-verify`. The husky pre-commit hook
+# (.husky/pre-commit) provides the same check locally for faster feedback.
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # gitleaks needs full history so it can scan every commit on the
+          # branch, not just the latest one.
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitleaks.toml

@@ -0,0 +1,23 @@
+# gitleaks configuration — extends the default ruleset with project-specific
+# allowlist entries. See https://github.com/gitleaks/gitleaks#configuration
+# for the full reference.
+
+[extend]
+# Inherit gitleaks' built-in rules (AWS keys, GitHub tokens, generic
+# high-entropy strings, etc.). We only add allowlists below.
+useDefault = true
+
+[allowlist]
+description = "Project-wide allowlist for files that legitimately contain pattern matches"
+
+paths = [
+    # .env.example only contains keys (no values) — safe to commit, used as
+    # a template for local .env files.
+    '''\.env\.example''',
+    # CHANGELOG references commit hashes which can match the
+    # "generic-api-key" pattern at high entropy.
+    '''CHANGELOG\.md''',
+    # pnpm-lock.yaml contains content-addressed package hashes that can trip
+    # entropy-based detection.
+    '''pnpm-lock\.yaml''',
+]

.husky/pre-commit

@@ -0,0 +1,28 @@
+#!/usr/bin/env sh
+# Pre-commit hook: scan staged changes for secrets via gitleaks.
+#
+# Skipped (with a warning) if gitleaks is not installed locally — the CI
+# secret-scan workflow still runs on every push to enforce coverage. Local
+# enforcement just gives faster feedback before the push.
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+    echo ""
+    echo "  gitleaks not installed locally — skipping pre-commit secret scan."
+    echo "  Install for local enforcement:"
+    echo "    macOS:  brew install gitleaks"
+    echo "    other:  https://github.com/gitleaks/gitleaks#installing"
+    echo "  CI runs the same scan on every push, so missed catches still fail builds."
+    echo ""
+    exit 0
+fi
+
+if ! gitleaks protect --staged --no-banner --redact; then
+    echo ""
+    echo "  gitleaks detected potential secrets in your staged changes."
+    echo "  Resolve the finding above (or add a path to .gitleaks.toml allowlist)"
+    echo "  before committing. To bypass for a known false positive:"
+    echo "    git commit --no-verify"
+    echo "  …but the CI scan will still run, so prefer fixing the allowlist."
+    echo ""
+    exit 1
+fi

CHANGELOG.md

@@ -3,3 +3,4 @@
 ## Unreleased
 
 - Add WalletConnect support so signers can pair mobile wallets via QR (2026-04-27).
+- Add gitleaks-based secret scanning: server-side via GitHub Action and local via husky pre-commit hook (2026-04-27).

README.md

@@ -75,6 +75,19 @@ TODO
 
 - Built with Svelte and Viem
 
+# Secret scanning
+
+This repo runs [gitleaks](https://github.com/gitleaks/gitleaks) on every PR and push to `main` ([.github/workflows/secret-scan.yml](.github/workflows/secret-scan.yml)) — that check is the source of truth and cannot be bypassed by `git commit --no-verify`.
+
+For faster local feedback, [husky](https://typicode.github.io/husky) wires the same scan into a pre-commit hook ([.husky/pre-commit](.husky/pre-commit)). It runs automatically after `pnpm install` if `gitleaks` is present on your `PATH`. Install locally with:
+
+```shell
+brew install gitleaks   # macOS
+# or see https://github.com/gitleaks/gitleaks#installing
+```
+
+If gitleaks isn't installed, the hook prints a warning and exits cleanly — the CI scan still catches anything missed locally. Project-specific allowlist entries live in [.gitleaks.toml](.gitleaks.toml).
+
 # Support
 
 - [Join Discord for any questions](https://tradingstrategy.ai/community).

package.json

@@ -8,7 +8,7 @@
 		"dev": "vite dev",
 		"build": "vite build",
 		"preview": "vite preview",
-		"prepare": "svelte-kit sync || echo ''",
+		"prepare": "svelte-kit sync || echo '' && husky || echo ''",
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch"
 	},
@@ -20,6 +20,7 @@
 		"@tailwindcss/vite": "^4.2.2",
 		"bits-ui": "^2.17.3",
 		"clsx": "^2.1.1",
+		"husky": "^9.1.7",
 		"svelte": "^5.55.2",
 		"svelte-check": "^4.4.6",
 		"tailwind-merge": "^3.5.0",