diff --git a/.github/workflows/security-precommit.yml b/.github/workflows/security-precommit.yml
index 8e14f5b..9dda054 100644
--- a/.github/workflows/security-precommit.yml
+++ b/.github/workflows/security-precommit.yml
@@ -86,6 +86,40 @@
 esac
 fi
 echo "IoC scan passed."
+ - name: Reject single lines > 1000 chars (Shai-Hulud minified-payload signal)
+ # Shai-Hulud-family payloads are always a single minified line >5000 chars.
+ # Legitimate source rarely exceeds 200. High-precision, near-zero-FP signal.
+ # Driven by: rival-review consensus (Gemini-3.1-pro, GPT-5.4) — see 2026-05-13.
+ run: |
+ set -uo pipefail
+ BASE_SHA="${{ github.event.pull_request.base.sha }}"
+ HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+ BAD_LINE=$(git diff "$BASE_SHA" "$HEAD_SHA" -- \ ':!*.lock' ':!**/package-lock.json' ':!**/yarn.lock' \ ':!**/pnpm-lock.yaml' ':!**/composer.lock' \ ':!.gitleaks.toml' \ ':!**/*.min.js' ':!**/*.min.css' ':!**/*.map' \ ':!**/dist/**' ':!**/build/**' ':!**/node_modules/**' \ ':!.github/workflows/security-*.yml' \ ':!docs/incident-*' ':!SECURITY-*.md' ':!MALWARE-*.md' \ | awk '/^\+[^+]/ { line = substr($0, 2); if (length(line) > 1000) { print length(line); exit } }')
+
+ if [ -n "$BAD_LINE" ]; then
+ echo "::error::A single added line exceeds 1000 characters ($BAD_LINE chars)."
+ echo "Shai-Hulud-family malware payloads are always a single minified line >5000 chars."
+ echo "If this is a legitimate long line (e.g. a generated config), exempt the file"
+ echo "in the workflow's git-diff pathspec list (':!path/to/file')."
+ exit 1
+ fi
+ echo "✅ All added lines under 1000 chars."
+
 - name: Suspicious-timezone fingerprint check
 run: |
 set -uo pipefail
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 5cbd8d7..98af45f 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
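Review bot: The exit status of `BAD_LINE=$(git diff … | awk …)` is never examined, so what happens when the diff cannot be produced depends on shell options set outside the hunk: under `set -uo pipefail` alone, a `git diff` that cannot reach the base commit (shallow checkout, or an empty `${{ github.event.pull_request.base.sha }}` on a non-pull_request trigger) leaves `BAD_LINE` empty and the step prints the ✅ line, whereas if the job's default shell adds `-e` the awk early `exit` can abort the step with a SIGPIPE status before the diagnostic is printed. Make the verdict explicit: set `DIFF_STATUS=0` before the substitution, close it as `}') || DIFF_STATUS=$?`, and ahead of the `if [ -n "$BAD_LINE" ]` block add `[ -n "$BAD_LINE" ] || [ "$DIFF_STATUS" -eq 0 ] || { echo "::error::git diff failed (exit $DIFF_STATUS); is the base commit fetched?"; exit 1; }`, so a found long line is reported regardless of pipe status and an empty result only passes when the diff itself succeeded. Note also that awk's `length()` counts bytes under mawk and characters under gawk, which makes the 1000 threshold slightly stricter for non-ASCII lines; a comment such as `# length() is bytes under mawk, chars under gawk; either way >1000 flags the line` would save the next reader from checking. The enclosing steps list begins outside the hunk.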
@@ -84,7 +84,7 @@
 tags = ["secret", "gcp"]
 [[rules]]
 id = "bb-malware-blockchain-loader-marker"
 description = "Marker strings from the 2026-04-30 blockchain-loader malware — block any PR that re-introduces them"
-regex = '''(?:_\$_1e42|sfL\(.wuqkt|api\.trongrid\.io|fullnode\.mainnet\.aptoslabs\.com|Tgw\(2509\)|global\["_V"\]\s*=\s*['"]A?9-3900)'''
+regex = '''(?:_\$_1e42|sfL\(.wuqkt|api\.trongrid\.io|fullnode\.mainnet\.aptoslabs\.com|Tgw\(2509\)|global\[['\"][^'\"]+['\"]\]\s*=\s*['\"][A-Z]?9-\d{4}(?:-\d+)?)'''
 keywords = ["_$_1e42", "trongrid", "aptoslabs", "Tgw(2509)"]
 tags = ["malware", "incident-2026-04-30"]
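Review bot: The broadened `global\[…\]\s*=\s*['\"][A-Z]?9-\d{4}` alternative still has no keyword of its own in `keywords = ["_$_1e42", "trongrid", "aptoslabs", "Tgw(2509)"]`, and gitleaks only runs a rule's regex on fragments that contain at least one of that rule's keywords, so a file carrying only the `global["…"] = "A9-3900"`-style marker — presumably the case this generalisation is meant to catch — is never scanned by this rule. Add a keyword that the alternative's literal text guarantees, e.g. `keywords = ["_$_1e42", "trongrid", "aptoslabs", "Tgw(2509)", "global["]`; the regex still has to match, so this widens only the prefilter, not the detections. Separately, inside a TOML literal `'''…'''` no escaping is needed, so `['\"]` reads to a maintainer as the three-character class `'`, `\`, `"` even though Go's regexp treats `\"` as an escaped quote; the removed line's `['"]` form is equivalent and clearer, and would be worth restoring in all four occurrences.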