chore(work): finish 07-gitleaks-precommit

docs/work/2026-05-14-ci-security-and-supply-chain/07-gitleaks-precommit/_story.md

@@ -3,7 +3,7 @@ id: 07-gitleaks-precommit
 epic: 2026-05-14-ci-security-and-supply-chain
 title: Gitleaks pre-commit hook
 type: technical-story
-status: todo
+status: done
 feature: tooling
 depends-on: []
 blocks: [09-ci-security-guide-and-docs]
@@ -36,4 +36,4 @@ Developer accidents (pasting tokens into config, seeding test fixtures with real
 
 ## Tasks
 
-- [ ] Add `gitleaks protect --staged --redact` step to `.husky/pre-commit` (exit-gracefully if `gitleaks` not in `$PATH`); create `.gitleaks.toml` at repo root with `__seeds__/**` allowlist for test-fixture patterns; one commit, all gates pass.
+- [x] Add `gitleaks protect --staged --redact` step to `.husky/pre-commit` (exit-gracefully if `gitleaks` not in `$PATH`); create `.gitleaks.toml` at repo root with `__seeds__/**` allowlist for test-fixture patterns; one commit, all gates pass.

docs/work/_state.json

@@ -1,5 +1,5 @@
 {
-  "updated_at": "2026-05-14T17:56:41.640Z",
+  "updated_at": "2026-05-14T18:01:17.746Z",
   "epics": {
     "2026-05-13-binder-wrap-helper": {
       "status": "done",
@@ -110,10 +110,10 @@
           ]
         },
         "07-gitleaks-precommit": {
-          "status": "todo",
+          "status": "done",
           "title": "Gitleaks pre-commit hook",
           "ac_total": 1,
-          "ac_completed": 0,
+          "ac_completed": 1,
           "depends_on": [],
           "blocks": [
             "09-ci-security-guide-and-docs"
@@ -258,11 +258,6 @@
     }
   },
   "ready": [
-    {
-      "epic": "2026-05-14-ci-security-and-supply-chain",
-      "story": "07-gitleaks-precommit",
-      "title": "Gitleaks pre-commit hook"
-    },
     {
       "epic": "2026-05-14-ci-security-and-supply-chain",
       "story": "08-reviewer-prompt-update",