From 2460ec10fde98bd2cf66fc09aa32a031f7cb3159 Mon Sep 17 00:00:00 2001
From: Zhengyuan Su <su.zhengyuan@u.nus.edu>
Date: Thu, 30 Apr 2026 13:24:19 +0000
Subject: [PATCH 1/3] chore: add gitleaks (CI job + pre-commit hook)

Adds a ``gitleaks`` job alongside the existing ``zizmor`` job in
``.github/workflows/security.yml``. The job uses
``gitleaks/gitleaks-action@v2.3.9`` (SHA-pinned) over the full git
history (``fetch-depth: 0``).

Adds the gitleaks pre-commit hook to ``.pre-commit-config.yaml``,
pinned to gitleaks v8.30.1 by SHA. Runs first in the hook chain so a
secret blocks the commit before the formatters touch the diff.

The two layers play different roles: the pre-commit hook catches
secrets before they reach a remote (history rewrites don't undo what
was already pulled), the CI job is the safety net for contributors
who don't have local pre-commit installed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Zhengyuan Su <su.zhengyuan@u.nus.edu>
---
 .github/workflows/security.yml | 21 +++++++++++++++++++++
 .pre-commit-config.yaml        |  5 +++++
 2 files changed, 26 insertions(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5e2f87f..208256e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -32,3 +32,24 @@ jobs:
         # self-hosted infra; that's an unfixable architectural choice
         # for this project, not a bug.
         run: uvx --from zizmor==1.24.1 zizmor --persona pedantic --format github .github/workflows
+
+  gitleaks:
+    name: Gitleaks (secrets scan)
+    runs-on: self-hosted
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
+        with:
+          # gitleaks scans the full git history for secrets; needs the
+          # repo's commit graph, not just the tip.
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Run gitleaks
+        # Direct binary invocation rather than gitleaks-action: the
+        # action requires a paid GITLEAKS_LICENSE for org-owned repos
+        # (mlsys-io counts). The binary itself is freely available.
+        # Pinned to v8.30.1 to match the pre-commit hook.
+        run: |
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz" \
+            | tar xz -C /tmp gitleaks
+          /tmp/gitleaks detect --source . --no-banner
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 66b0b1a..78bddfc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,9 @@
 repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e  # v8.30.1
+    hooks:
+      - id: gitleaks
+
   - repo: https://github.com/pycqa/isort
     rev: 8.0.1
     hooks:

From 240029c41b5a2829134780abb6c305c96817aada Mon Sep 17 00:00:00 2001
From: Zhengyuan Su <su.zhengyuan@u.nus.edu>
Date: Thu, 30 Apr 2026 13:36:00 +0000
Subject: [PATCH 2/3] docs: list gitleaks alongside the other pre-commit hooks

CONTRIBUTING.md's "pre-commit hook stages" list and tools-table both
gain a gitleaks entry. AGENTS.md's "Hooks:" enumeration matches.

The hook is added to ``.pre-commit-config.yaml`` in the same PR; this
keeps the docs in sync with what ``pre-commit run --all-files``
actually runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Zhengyuan Su <su.zhengyuan@u.nus.edu>
---
 AGENTS.md       | 2 +-
 CONTRIBUTING.md | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 8475c64..0d16e1f 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -514,7 +514,7 @@ uv run scripts/dev/compile_protos.sh  # Regenerate proto stubs (only when proto
 uv run pre-commit run --all-files
 ```
 
-Hooks: isort, black, ruff, codespell, mypy, sync_requirements,
+Hooks: gitleaks, isort, black, ruff, codespell, mypy, sync_requirements,
 check_env_examples (via `scripts/dev/check_env_examples.py`).
 
 ### Tests
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index af6c8ea..1fbe92c 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -51,7 +51,7 @@ uv run pre-commit install --install-hooks -t pre-commit -t prepare-commit-msg -t
 ```
 
 This installs three hook stages:
-- **pre-commit** — runs isort, black, ruff, mypy, and codespell on staged files.
+- **pre-commit** — runs gitleaks, isort, black, ruff, mypy, and codespell on staged files.
 - **prepare-commit-msg** — automatically appends a
   [DCO sign-off](#signing-off-commits-dco) line to your commit message.
 - **commit-msg** — verifies the sign-off is present (safety net).
@@ -60,6 +60,7 @@ This installs three hook stages:
 
 | Tool | Purpose | Config |
 |------|---------|--------|
+| [gitleaks](https://github.com/gitleaks/gitleaks) | Committed-secret detection | (built-in rules) |
 | [isort](https://pycqa.github.io/isort/) | Import sorting | `pyproject.toml` `[tool.isort]` |
 | [Black](https://black.readthedocs.io/) | Code formatting | `pyproject.toml` `[tool.black]` |
 | [Ruff](https://docs.astral.sh/ruff/) | Linting | `pyproject.toml` `[tool.ruff]` |

From a52a6dedb0909eae187c9922fc25bb3483d9fbc7 Mon Sep 17 00:00:00 2001
From: Zhengyuan Su <su.zhengyuan@u.nus.edu>
Date: Thu, 30 Apr 2026 14:00:44 +0000
Subject: [PATCH 3/3] =?UTF-8?q?chore:=20address=20PR=20feedback=20?=
 =?UTF-8?q?=E2=80=94=20trim=20gitleaks=20comment,=20dash=20for=20"no=20con?=
 =?UTF-8?q?fig"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ``security.yml`` — collapse the four-line comment above the gitleaks
  ``run:`` block into a single line.
* ``CONTRIBUTING.md`` — gitleaks's "Config" cell becomes ``-`` (the
  table convention for tools without a project-side config) instead of
  the parenthetical I'd written.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Zhengyuan Su <su.zhengyuan@u.nus.edu>
---
 .github/workflows/security.yml | 5 +----
 CONTRIBUTING.md                | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 208256e..033121b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -45,10 +45,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - name: Run gitleaks
-        # Direct binary invocation rather than gitleaks-action: the
-        # action requires a paid GITLEAKS_LICENSE for org-owned repos
-        # (mlsys-io counts). The binary itself is freely available.
-        # Pinned to v8.30.1 to match the pre-commit hook.
+        # Binary, not gitleaks-action — the action gates on a paid license for org repos.
         run: |
           curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz" \
             | tar xz -C /tmp gitleaks
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 1fbe92c..94f2f34 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -60,7 +60,7 @@ This installs three hook stages:
 
 | Tool | Purpose | Config |
 |------|---------|--------|
-| [gitleaks](https://github.com/gitleaks/gitleaks) | Committed-secret detection | (built-in rules) |
+| [gitleaks](https://github.com/gitleaks/gitleaks) | Committed-secret detection | - |
 | [isort](https://pycqa.github.io/isort/) | Import sorting | `pyproject.toml` `[tool.isort]` |
 | [Black](https://black.readthedocs.io/) | Code formatting | `pyproject.toml` `[tool.black]` |
 | [Ruff](https://docs.astral.sh/ruff/) | Linting | `pyproject.toml` `[tool.ruff]` |