chore: replace detect-secrets with gitleaks #169

Merged
laurigates merged 1 commit into main from chore/gitleaks-migration on Feb 26, 2026

Conversation

@laurigates (Owner)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions (Contributor)

⚠️ Broken Links Detected

Summary

| Status        | Count |
|---------------|------:|
| 🔍 Total      |   132 |
| ✅ Successful |   125 |
| ⏳ Timeouts   |     0 |
| 🔀 Redirected |     0 |
| 👻 Excluded   |     5 |
| ❓ Unknown    |     0 |
| 🚫 Errors     |     2 |

Errors per input

Errors in exact_dot_claude/docs/blueprint-development/README.md


Please fix the broken links before merging.

@laurigates laurigates merged commit 97235a3 into main Feb 26, 2026
5 of 8 checks passed
@laurigates laurigates deleted the chore/gitleaks-migration branch February 26, 2026 08:48
@claude (Contributor)

claude bot commented Feb 26, 2026

PR Review: Replace detect-secrets with gitleaks

Summary

This PR migrates from detect-secrets to gitleaks for secret scanning. While this is a reasonable modernization (gitleaks is actively maintained, fast, and widely adopted), the current implementation is incomplete and will likely cause issues.


⚠️ Critical Issues

1. Missing .gitleaks.toml configuration

The deleted .secrets.baseline had important file exclusion patterns:

private_dot_config/private_atuin/.*
macos-settings.toml
\.claude/commands/.*
\.claude/skills/.*/SKILL\.md
\.claude/skills/.*/REFERENCE\.md
\.claude/docs/.*
exact_dot_claude/docs/.*
lazy-lock\.json

Without a .gitleaks.toml to replicate these exclusions, gitleaks will likely flag false positives in these paths. Recommended fix: Create a .gitleaks.toml with equivalent [allowlist] rules.

2. 30+ documentation/config references still mention detect-secrets

The following files still reference detect-secrets or .secrets.baseline:

| Category        | Files affected |
|-----------------|----------------|
| Documentation   | CLAUDE.md, scripts/README.md, docs/mise-migration-guide.md, docs/adr/0012-justfile-command-runner.md |
| Scripts         | scripts/audit-secrets-baseline.py, scripts/audit-secrets-selective.py |
| Config          | justfile, private_dot_config/mise/config.toml.tmpl, nixos/home/development.nix |
| Claude settings | exact_dot_claude/settings.json, .github/claude-tools-config.json |
| Labels          | .github/labeler.yml |

🔧 Required Changes

  1. Create .gitleaks.toml with equivalent exclusions:

    # Global allowlist: each entry is a regex matched (unanchored) against the
    # repository-relative path, so anchor with ^...$ if a pattern should only
    # match at the repo root.
    [allowlist]
      paths = [
        '''private_dot_config/private_atuin/.*''',
        '''macos-settings\.toml''',
        '''\.claude/commands/.*''',
        '''\.claude/skills/.*/SKILL\.md''',
        '''\.claude/skills/.*/REFERENCE\.md''',
        '''\.claude/docs/.*''',
        '''exact_dot_claude/docs/.*''',
        '''lazy-lock\.json''',
        '''package-lock\.json''',  # was also excluded
      ]
  2. Update documentation - At minimum update:

    • CLAUDE.md lines 240-242 (Secret Scanning section)
    • CLAUDE.md line 325 (references detect-secrets)
  3. Decide on scripts - The scripts/audit-secrets-*.py scripts are detect-secrets specific. Either:

    • Delete them with this PR, or
    • Create a follow-up issue to remove them
  4. Update justfile - The secrets recipe (lines 238-249) uses detect-secrets commands

  5. Update mise config - private_dot_config/mise/config.toml.tmpl has detect-secrets tasks


💡 Recommendations

  1. Test the pre-commit hook locally before merging:

    pre-commit run gitleaks --all-files

    This will reveal any false positives that need allowlisting.

  2. Consider a phased approach: Split this into:

    • PR 1: Add .gitleaks.toml and update pre-commit (this PR, fixed)
    • PR 2: Clean up all documentation and scripts
  3. Update nixos config if NixOS is actively used (nixos/home/development.nix:262-266)


✅ What's Good

  • Clean removal of the baseline file
  • gitleaks v8.30.0 is current and well-maintained
  • Simpler pre-commit config (no baseline arg needed)

Verdict

Request changes: The PR needs a .gitleaks.toml configuration at minimum to prevent false positives. Documentation updates can be a follow-up but should be tracked.


🤖 Review by Claude Code


1 participant