
chore: add gitleaks allowlist + stop tracking local settings

The pre-push secret gate's full-branch scan (new branches) flags 13
long-standing false positives: illustrative example keys in skill docs
(security-ops, techdebt, testgen, review, security-patterns, commands/testgen)
and permission strings in the accidentally-tracked .claude/settings.local.json.

Adds a .gitleaksignore pinning each by exact commit:file:rule:line fingerprint
(so genuine secrets in those files are still caught — no path/dir masking),
untracks .claude/settings.local.json, and gitignores it plus .claude/launch.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0xDarkMatter 1 week ago
parent
commit
21b0e92d19
3 changed files with 24 additions and 184 deletions
  1. 0 184
      .claude/settings.local.json
  2. 2 0
      .gitignore
  3. 22 0
      .gitleaksignore

+ 0 - 184
.claude/settings.local.json

@@ -1,184 +0,0 @@
-{
-  "env": {
-    "ENABLE_TOOL_SEARCH": "true",
-    "ENABLE_LSP_TOOL": "true"
-  },
-  "permissions": {
-    "allow": [
-      "WebSearch",
-      "WebFetch(domain:*)",
-      "Skill(*)",
-      "SlashCommand(*)",
-      "mcp__vibe_kanban__*",
-      "mcp__claude-in-chrome__*",
-      "Bash(git:*)",
-      "Bash(gh:*)",
-      "Bash(lazygit:*)",
-      "Bash(rg:*)",
-      "Bash(fd:*)",
-      "Bash(fzf:*)",
-      "Bash(grep:*)",
-      "Bash(find:*)",
-      "Bash(which:*)",
-      "Bash(where:*)",
-      "Bash(command:*)",
-      "Bash(cat:*)",
-      "Bash(bat:*)",
-      "Bash(head:*)",
-      "Bash(tail:*)",
-      "Bash(less:*)",
-      "Bash(more:*)",
-      "Bash(ls:*)",
-      "Bash(eza:*)",
-      "Bash(dir:*)",
-      "Bash(tree:*)",
-      "Bash(broot:*)",
-      "Bash(br:*)",
-      "Bash(mkdir:*)",
-      "Bash(cp:*)",
-      "Bash(mv:*)",
-      "Bash(rm:*)",
-      "Bash(touch:*)",
-      "Bash(chmod:*)",
-      "Bash(echo:*)",
-      "Bash(printf:*)",
-      "Bash(wc:*)",
-      "Bash(sort:*)",
-      "Bash(uniq:*)",
-      "Bash(cut:*)",
-      "Bash(awk:*)",
-      "Bash(sed:*)",
-      "Bash(sd:*)",
-      "Bash(tr:*)",
-      "Bash(xargs:*)",
-      "Bash(tee:*)",
-      "Bash(jq:*)",
-      "Bash(yq:*)",
-      "Bash(curl:*)",
-      "Bash(wget:*)",
-      "Bash(http:*)",
-      "Bash(firecrawl:*)",
-      "Bash(markitdown:*)",
-      "Bash(python:*)",
-      "Bash(python3:*)",
-      "Bash(pip:*)",
-      "Bash(pip3:*)",
-      "Bash(uv:*)",
-      "Bash(pytest:*)",
-      "Bash(node:*)",
-      "Bash(npm:*)",
-      "Bash(npx:*)",
-      "Bash(pnpm:*)",
-      "Bash(yarn:*)",
-      "Bash(bun:*)",
-      "Bash(just:*)",
-      "Bash(make:*)",
-      "Bash(cargo:*)",
-      "Bash(go:*)",
-      "Bash(rustc:*)",
-      "Bash(docker:*)",
-      "Bash(docker-compose:*)",
-      "Bash(tokei:*)",
-      "Bash(hyperfine:*)",
-      "Bash(dust:*)",
-      "Bash(procs:*)",
-      "Bash(btm:*)",
-      "Bash(bottom:*)",
-      "Bash(delta:*)",
-      "Bash(difft:*)",
-      "Bash(diff:*)",
-      "Bash(ast-grep:*)",
-      "Bash(sg:*)",
-      "Bash(tldr:*)",
-      "Bash(man:*)",
-      "Bash(z:*)",
-      "Bash(zoxide:*)",
-      "Bash(cd:*)",
-      "Bash(pwd:*)",
-      "Bash(env:*)",
-      "Bash(export:*)",
-      "Bash(source:*)",
-      "Bash(set:*)",
-      "Bash(test:*)",
-      "Bash(ps:*)",
-      "Bash(kill:*)",
-      "Bash(pkill:*)",
-      "Bash(pgrep:*)",
-      "Bash(whoami:*)",
-      "Bash(hostname:*)",
-      "Bash(uname:*)",
-      "Bash(date:*)",
-      "Bash(time:*)",
-      "Bash(ping:*)",
-      "Bash(netstat:*)",
-      "Bash(ss:*)",
-      "Bash(ip:*)",
-      "Bash(ifconfig:*)",
-      "Bash(systeminfo:*)",
-      "Bash(tar:*)",
-      "Bash(zip:*)",
-      "Bash(unzip:*)",
-      "Bash(gzip:*)",
-      "Bash(gunzip:*)",
-      "Bash(claude:*)",
-      "Bash(gemini:*)",
-      "Bash(codex:*)",
-      "Bash(perplexity:*)",
-      "Bash(grok:*)",
-      "Bash(glm:*)",
-      "Bash(droid:*)",
-      "Bash(opencode:*)",
-      "Bash(powershell:*)",
-      "Bash(pwsh:*)",
-      "Bash(cmd:*)",
-      "Bash(bash:*)",
-      "Bash(sh:*)",
-      "Bash(zsh:*)",
-      "Bash(canvas-tui:*)",
-      "Bash(brew:*)",
-      "Bash(apt:*)",
-      "Bash(apt-get:*)",
-      "Bash(choco:*)",
-      "Bash(scoop:*)",
-      "Bash(winget:*)",
-      "Bash(powershell -ExecutionPolicy Bypass -File \"./scripts/install.ps1\")",
-      "Bash(just.exe test:*)",
-      "Bash(Select-String \"Results:\")",
-      "Bash(for skill in atomise cli-patterns explain screenshot setperms skill-creator spawn techdebt)",
-      "Bash(do cp -r \"C:/Projects/claude-mods/skills/$skill\" \"C:/Users/<user>/.claude/skills/$skill\")",
-      "Bash(done)",
-      "Bash(do basename:*)",
-      "Bash(/tmp/skill_analysis.txt:*)",
-      "Read(//tmp/**)",
-      "Bash(do mkdir:*)",
-      "Bash(for skill in go-ops rust-ops typescript-ops docker-ops ci-cd-ops api-design-ops)",
-      "Bash(do echo \"=== $skill ===\")",
-      "Read(//x/Forge/claude-mods/skills/$skill/**)",
-      "Read(//x/Forge/claude-mods/**)",
-      "Bash(mv .git/info/exclude.tmp .git/info/exclude tail -5 .git/info/exclude echo \"\" echo \"=== Status ===\" git status --short)",
-      "PowerShell(Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -match '^\\(bash|sh|wsl|cmd|pwsh|powershell|conhost|node|python\\)$' } | Select-Object Id, ProcessName, StartTime, @{N='Path';E={$_.Path}} | Sort-Object StartTime -Descending | Select-Object -First 20 | Format-Table -AutoSize)",
-      "PowerShell(Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue | Where-Object { $_.Id -in 100, 200, 201 -and $_.TimeCreated -gt \\(Get-Date\\).AddMinutes\\(-30\\) } | Select-Object TimeCreated, Id, @{N='Task';E={$_.Properties[0].Value}}, @{N='Detail';E={$_.Properties[1].Value}} | Format-Table -AutoSize -Wrap)",
-      "PowerShell(Get-CimInstance *)",
-      "Bash(pm2-broker list *)",
-      "Bash(cygpath -w /tmp/cc-leveldb-probe)",
-      "Read(//c/Users/<user>/.claude/skills/github-ops/**)",
-      "Read(//c/Users/<user>/.claude/skills/github-ops/references/**)",
-      "Bash(cp \"C:/Projects/claude-mods/skills/github-ops/SKILL.md\" ~/.claude/skills/github-ops/SKILL.md)",
-      "Bash(cp \"C:/Projects/claude-mods/skills/github-ops/references/readme-description.md\" ~/.claude/skills/github-ops/references/readme-description.md)",
-      "Bash(cp \"C:/Projects/claude-mods/skills/github-ops/references/metadata-checklist.md\" ~/.claude/skills/github-ops/references/metadata-checklist.md)",
-      "Bash(pigeon read *)",
-      "Bash(/c/Users/<user>/AppData/Local/Programs/Python/Python313/python -)"
-    ],
-    "deny": [],
-    "ask": [
-      "Bash(rm -rf:*)",
-      "Bash(git reset --hard:*)",
-      "Bash(git clean -f:*)",
-      "Bash(git push --force:*)",
-      "Bash(git push -f:*)",
-      "Bash(git branch -D:*)"
-    ]
-  },
-  "hooks": {},
-  "outputStyle": "Vesper"
-}

+ 2 - 0
.gitignore

@@ -15,6 +15,8 @@
 # Runtime artefacts (must never be tracked)
 .claude/scheduled_tasks.lock
 .claude/worktrees/
+.claude/settings.local.json
+.claude/launch.json
 
 # Backup files
 *.bak

+ 22 - 0
.gitleaksignore

@@ -0,0 +1,22 @@
+# gitleaks false-positive allowlist (exact fingerprints).
+# All entries are illustrative/example keys in skill documentation, or
+# machine-local permission strings — confirmed non-secret. Listed by exact
+# commit:file:rule:line fingerprint so real secrets in these files are still
+# caught. See references/push-safety.md.
+
+# Documentation example keys (anti-pattern illustrations, sample tokens)
+194934a1e3c4d11edad042a76d4eebd32b7b2daf:skills/review/framework-checks.md:generic-api-key:793
+194934a1e3c4d11edad042a76d4eebd32b7b2daf:skills/testgen/frameworks.md:generic-api-key:128
+194934a1e3c4d11edad042a76d4eebd32b7b2daf:skills/testgen/frameworks.md:generic-api-key:20
+194934a1e3c4d11edad042a76d4eebd32b7b2daf:skills/testgen/frameworks.md:generic-api-key:212
+2c603fdb1f9f757408be3e47e4d90dff2e2d8b01:commands/testgen.md:generic-api-key:291
+2c603fdb1f9f757408be3e47e4d90dff2e2d8b01:commands/testgen.md:generic-api-key:395
+9f26d955c49a83b45d23cd6f6f5ba0efc6df8533:skills/security-patterns/SKILL.md:generic-api-key:121
+abe6bce3b9a1277bf40a08db1dd2be8dc3bdb115:skills/techdebt/references/patterns.md:generic-api-key:37
+abe6bce3b9a1277bf40a08db1dd2be8dc3bdb115:skills/techdebt/references/severity-guide.md:generic-api-key:351
+cb575e7888f19eef36ec279169d2267f9aa50dad:skills/security-ops/SKILL.md:generic-api-key:181
+cb575e7888f19eef36ec279169d2267f9aa50dad:skills/security-ops/references/audit-quickref.md:generic-api-key:114
+
+# Local permission strings (settings.local.json — now untracked, retained for history scan)
+0ade4e6405798e5b8dd9a4e7f668add5e0a3c6e9:.claude/settings.local.json:generic-api-key:44
+0ade4e6405798e5b8dd9a4e7f668add5e0a3c6e9:.claude/settings.local.json:generic-api-key:45
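Review bot: The fingerprints in this file are bound to the commit that introduced each flagged line, so the allowlist goes stale as soon as one of the listed doc lines is edited or the pinned commits are squashed or rebased — the scan will re-fire with a new fingerprint and whoever hits it will not know from this file why. A one-line maintenance note at the top would save that round trip, e.g. `# NOTE: fingerprints are commit-bound; re-pin after editing a listed line or rewriting its commit.` The two settings.local.json entries at the bottom pin only commit 0ade4e6; if later history commits also touched lines 44–45 of that file before it was untracked, those would presumably carry their own fingerprints and still trip the history scan — worth confirming with a scan of the whole branch. The header references `references/push-safety.md`, which this commit does not add; if that path is a skill-internal document rather than a repo path, say so, since a reader of `.gitleaksignore` at the repo root will look for it there.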