diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..391a873
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,8 @@
+title = "gitleaks config"
+
+[allowlist]
+ paths = [
+ '.*\.test\.ts',
+ '.*\.spec\.ts',
+ '.*__tests__.*',
+ ]
diff --git a/.husky/pre-commit b/.husky/pre-commit
index a693947..de77744 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1 +1,6 @@
-bun run test && bun run lint
+# === Quality Gate: pre-commit ===
+# L1 + G1 + G2a (6DQ standard)
+bun run typecheck
+bun run lint
+bun run test
+gitleaks protect --staged --no-banner
diff --git a/.husky/pre-push b/.husky/pre-push
index dcd8ab7..1d3535f 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -1 +1,4 @@
 bun run build && bun run test && bun run lint && bun run test:e2e
+
+# G2b: dependency vulnerability scan
+osv-scanner scan --lockfile=bun.lock --config=osv-scanner.toml
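Review bot: With no rules and no `[extend]` table, this config probably leaves gitleaks with nothing to detect, because in gitleaks v8 a custom config file replaces the built-in rule set instead of adding to it; please confirm against the gitleaks version the hooks install. Adding `[extend]` with `useDefault = true` above `[allowlist]` keeps the default detectors active. The path patterns are also unanchored, so `'.*\.test\.ts'` matches any path that merely contains `.test.ts`, and skipping whole test trees means a real credential pasted into a fixture is never reported. Anchoring the patterns (e.g. `'.*\.test\.ts$'`) and allowlisting known dummy values individually would keep that blind spot small.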
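Review bot: The checks in `.husky/pre-commit` are now separate lines instead of an `&&` chain, so unless the hook is run with `sh -e` (that depends on the husky version, which is not visible here) a failing `bun run typecheck`, `bun run lint` or `bun run test` no longer blocks the commit and only the exit status of `gitleaks protect` counts. Putting `set -e` on the first line of the hook makes every step fatal however the hook is invoked. The same applies to `.husky/pre-push`, where the new `osv-scanner` line sits on its own line after the `&&` chain. Local hooks can be skipped with `git commit --no-verify`, so the secret scan should also run in CI as the enforcing control.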
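Review bot: The scan in `.husky/pre-push` depends on `osv-scanner.toml`, which none of the hunks shown here adds, so the gate's behaviour is decided by a file that is not reviewed with the hook. If that file is absent the command presumably fails on every push, and if it later gains broad ignore entries the scan passes without anyone noticing. I would check the config in together with the hook and add a comment above the command such as `# osv-scanner.toml: every ignored advisory needs a reason and an expiry date`. A pre-push hook is a client-side check only, so the same `osv-scanner` command should also run in CI against `bun.lock`.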