Add automated secret scanning (make check-secrets, pre-commit hook)

Part of #24 (closed) (#24 (closed)).

Background

The bulk of issue #24 (closed) (redacting GitLab tokens accidentally committed into notes/ chat exports) was handled directly against main via a full git filter-repo --replace-text history rewrite - not something that can go through a normal branch/MR, since it rewrites main's own history. That part is done: every commit SHA changed, all tags were re-pushed pointing at the rewritten commits, and a follow-up gitleaks sweep of the rewritten history confirms zero remaining secrets.

This MR is the preventative half of the ticket (expanded per Danny's request beyond the originally-scoped manual redaction script): automated scanning so this can't recur silently.

Changes

  • make check-secrets: runs gitleaks git --log-opts="--all" (full-history sweep) and is now part of make lint, so both local runs and CI's existing lint job catch a committed secret with no .gitlab-ci.yml changes needed.
  • make install-git-hooks: installs scripts/pre-commit (gitleaks protect --staged - a fast, staged-diff-only scan) as an opt-in pre-commit hook, catching a secret before it's ever committed rather than only before it's merged. Not installed automatically, since git doesn't version .git/hooks - this is a one-time manual step per clone.
  • make setup installs gitleaks itself if missing, matching the existing pattern for goreleaser.
  • CLAUDE.md updated (Build & dev commands, Design notes, Known issues - including a note about the history rewrite itself, for future readers).

Testing

  • Manually verified the hook actually blocks a commit: staged a file containing a fake token shaped like a real GitLab PAT, confirmed git commit was rejected with the expected finding, then removed it.
  • This very commit went through the installed hook successfully (see the gitleaks output in the commit process).
  • make lint (now including check-secrets) is clean.

Merge request reports

Loading