From 0d933bc5d9fc2f6f9ac7ff3b03251e6cd7f29589 Mon Sep 17 00:00:00 2001
From: Stephen Belanger
Date: Thu, 7 May 2026 16:08:58 -0700
Subject: [PATCH] chore: add gitleaks secret scanning to pre-commit hook

Adds gitleaks to the pre-commit hook to catch API keys and secrets before they are committed. Extends the default ruleset with a custom rule for Braintrust API keys. Gracefully degrades if gitleaks is not installed.

Co-Authored-By: Claude Sonnet 4.6
---
.gitleaks.toml | 11 +++++++++++
.husky/pre-commit | 7 +++++++
2 files changed, 18 insertions(+)
create mode 100644 .gitleaks.toml

diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000..e155b52e3
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,11 @@
+title = "Braintrust SDK gitleaks config"
+
+[extend]
+# Use the default gitleaks ruleset as the base
+useDefault = true
+
+[[rules]]
+id = "braintrust-api-key"
+description = "Braintrust API key"
+regex = '''\bsk-[a-zA-Z0-9]{40,}\b'''
+tags = ["key", "braintrust"]
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 5ee7abd87..92a3d33ff 100644
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1 +1,8 @@
+# Check for secrets in staged files before committing
+if command -v gitleaks &> /dev/null; then
+ gitleaks protect --staged --redact --no-banner
+else
+ echo "WARNING: gitleaks not installed — skipping secret scan. Install via: brew install gitleaks"
+fi
+
 pnpm exec lint-staged
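Review bot: The `braintrust-api-key` rule in `.gitleaks.toml` matches any `sk-` token followed by 40 or more alphanumerics, so it will also fire on any other service's keys that share that prefix and on placeholder keys in tests or docs, all reported as "Braintrust API key". If the real key format is narrower (a fixed length or a longer prefix), the regex should be tightened to it; the format is not visible from this hunk. Adding `keywords = ["sk-"]` lets gitleaks skip the regex on content that lacks the prefix. A comment above the rule such as `# Assumed format: "sk-" followed by 40+ alphanumerics` would record the assumption for whoever tunes the rule later.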
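Review bot: `&> /dev/null` on the `command -v gitleaks` line is a bash extension, and no shebang is visible in this hunk; if the hook is executed by a POSIX `sh` such as dash, the line parses as `command -v gitleaks &` followed by an empty redirect, so the condition is always true and the not-installed fallback never runs. Use `if command -v gitleaks >/dev/null 2>&1; then` instead. Separately, because the scan is skipped with only a warning when gitleaks is absent, and a local hook can be bypassed with `git commit --no-verify`, this check is advisory; running the same `.gitleaks.toml` scan in CI would make it an enforced control.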