diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5e2f87f..033121b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -32,3 +32,21 @@ jobs:
 # self-hosted infra; that's an unfixable architectural choice
 # for this project, not a bug.
 run: uvx --from zizmor==1.24.1 zizmor --persona pedantic --format github .github/workflows
+
+ gitleaks:
+ name: Gitleaks (secrets scan)
+ runs-on: self-hosted
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ # gitleaks scans the full git history for secrets; needs the
+ # repo's commit graph, not just the tip.
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Run gitleaks
+ # Binary, not gitleaks-action — the action gates on a paid license for org repos.
+ run: |
+ curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz" \
+ | tar xz -C /tmp gitleaks
+ /tmp/gitleaks detect --source . --no-banner
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 66b0b1a..78bddfc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,9 @@
 repos:
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e # v8.30.1
+ hooks:
+ - id: gitleaks
+
 - repo: https://github.com/pycqa/isort
 rev: 8.0.1
 hooks:
diff --git a/AGENTS.md b/AGENTS.md
index 8475c64..0d16e1f 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -514,7 +514,7 @@ uv run scripts/dev/compile_protos.sh # Regenerate proto stubs (only when proto
 uv run pre-commit run --all-files
 ```
-Hooks: isort, black, ruff, codespell, mypy, sync_requirements,
+Hooks: gitleaks, isort, black, ruff, codespell, mypy, sync_requirements,
 check_env_examples (via `scripts/dev/check_env_examples.py`).
 ### Tests
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index af6c8ea..94f2f34 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
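Review bot: The `Run gitleaks` step in the security.yml hunk executes a binary fetched by `curl | tar` from a release tag with no checksum verification, while everything else in this change is pinned to an immutable SHA (`actions/checkout@de0fac…`, the pre-commit `rev`); a tag can be moved and a release asset re-uploaded under the same name, so this is the one unpinned link in the chain. Verify the tarball against the sha256 published in the release's `gitleaks_8.30.1_checksums.txt` before extracting, and add `-f` to curl so a 404 page is not piped into tar. Two smaller points: `detect` prints the matched secret value in each finding, so pass `--redact` to keep live secrets out of CI logs; and extract into `$RUNNER_TEMP` or a `mktemp -d` directory rather than the shared `/tmp` of a persistent `self-hosted` runner, where `/tmp/gitleaks` can be left over from, or written by, another job. The job's `permissions:` is not visible in this hunk; if the workflow's top level does not restrict it, `permissions: contents: read` belongs on this job.
```yaml
      - name: Run gitleaks
        # Binary, not gitleaks-action — the action gates on a paid license for org repos.
        env:
          GITLEAKS_VERSION: "8.30.1"
          # sha256 of gitleaks_8.30.1_linux_x64.tar.gz, taken from the
          # release's gitleaks_8.30.1_checksums.txt; bump with the version.
          GITLEAKS_SHA256: "<fill in from gitleaks_8.30.1_checksums.txt>"
        run: |
          set -euo pipefail
          tmp="$(mktemp -d "${RUNNER_TEMP:-/tmp}/gitleaks.XXXXXX")"
          curl -fsSL -o "$tmp/gitleaks.tar.gz" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          echo "${GITLEAKS_SHA256}  $tmp/gitleaks.tar.gz" | sha256sum -c -
          tar xz -C "$tmp" -f "$tmp/gitleaks.tar.gz" gitleaks
          "$tmp/gitleaks" detect --source . --no-banner --redact
```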
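Review bot: The gitleaks hook in the .pre-commit-config.yaml hunk is added without any repo-level `.gitleaks.toml` (the CONTRIBUTING table in this change lists its Config as `-`), so only the default rule set applies and there is no allowlist; placeholder credentials in fixtures such as the `.env.example` files that the `check_env_examples` hook validates are a likely false-positive source that would block commits, and the CI job's full-history scan (`fetch-depth: 0`) will fail on every run if a historical, already-rotated secret is ever found. Consider a `.gitleaks.toml` with `[extend] useDefault = true` plus an `[allowlist] paths` entry for such fixtures, and `.gitleaksignore` fingerprints for rotated historical findings, then fill in the Config column. The `rev:` SHA and the `v8.30.1` curl in security.yml are pinned independently, so a comment such as `# keep in step with GITLEAKS version in .github/workflows/security.yml` next to `rev:` would help the next bump. Upstream defines this hook as `language: golang`, so contributors need a Go toolchain unless their pre-commit bootstraps one — worth a sentence in CONTRIBUTING.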
@@ -51,7 +51,7 @@ uv run pre-commit install --install-hooks -t pre-commit -t prepare-commit-msg -t
 ```
 This installs three hook stages:
-- **pre-commit** — runs isort, black, ruff, mypy, and codespell on staged files.
+- **pre-commit** — runs gitleaks, isort, black, ruff, mypy, and codespell on staged files.
 - **prepare-commit-msg** — automatically appends a [DCO sign-off](#signing-off-commits-dco) line to your commit message.
 - **commit-msg** — verifies the sign-off is present (safety net).
@@ -60,6 +60,7 @@ This installs three hook stages:
 | Tool | Purpose | Config |
 |------|---------|--------|
+| [gitleaks](https://github.com/gitleaks/gitleaks) | Committed-secret detection | - |
 | [isort](https://pycqa.github.io/isort/) | Import sorting | `pyproject.toml` `[tool.isort]` |
 | [Black](https://black.readthedocs.io/) | Code formatting | `pyproject.toml` `[tool.black]` |
 | [Ruff](https://docs.astral.sh/ruff/) | Linting | `pyproject.toml` `[tool.ruff]` |