diff --git a/ai-development/ai-assistant-instructions.mdx b/ai-development/ai-assistant-instructions.mdx
index 2960b9e..1f7f946 100644
--- a/ai-development/ai-assistant-instructions.mdx
+++ b/ai-development/ai-assistant-instructions.mdx
@@ -18,6 +18,7 @@ import { RepoMeta, RepoFit } from "/snippets/repo-summary.mdx";
 - Owns the **model-routing policy** — when to reach for Claude vs Gemini vs Copilot vs local MLX
 - Owns the **tool-use rules** — Read over `cat`, Edit over `sed`, Bash for shell-only
 - Owns AI-runtime concerns: skill execution semantics, subagent typing, Nix tool policy, Bifrost-routing details
+- Owns the **secret-scanning rule** — the `SENSITIVE_DENYLIST` contract and the multi-layer gate that keeps real homelab values (domains, internal IPs, node and pool names) out of public repos
 - Symlinks the canonical files into every consuming repo via Nix or a `direnv` hook
 
 Cross-repo writing standards that humans also need to read — commit conventions, no-scripts, diagramming, CI/CD policy, Terraform check placement, Nix package placement, scrubbed values — live on this docs site. See [Conventions](/conventions/overview) for the full set.
diff --git a/ai-development/claude-code-plugins.mdx b/ai-development/claude-code-plugins.mdx
index c665fe3..d26ebaa 100644
--- a/ai-development/claude-code-plugins.mdx
+++ b/ai-development/claude-code-plugins.mdx
@@ -27,7 +27,7 @@ import { RepoMeta, RepoFit } from "/snippets/repo-summary.mdx";
 | **Commands** | `/ship`, `/finalize-pr`, `/wrap-up`, `/retrospecting` |
 | **Skills** | `receiving-code-review`, `resolve-pr-threads`, `finalize-pr` |
 | **Agents** | Explore, Plan, code-reviewer |
-| **Hooks** | Style guards, permission gates |
+| **Hooks** | Style guards, permission gates, secret guards |
 
 Reads rules from [Assistant rules](/ai-development/ai-assistant-instructions); installs into Claude Code via its plugin loader.