diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 782fa23..bcc224d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -180,3 +180,22 @@ repos:
         entry: bash -c 'echo "❌ Decrypted JSON files (.plain.json) must not be committed." && exit 1'
         language: system
         files: \.plain\.json$
+
+  # ============================================================================
+  # Secret Detection - TruffleHog
+  # ============================================================================
+  # Advanced secret detection beyond detect-private-key.
+  # Detects API keys, tokens, credentials, and other secrets.
+  - repo: local
+    hooks:
+      - id: trufflehog
+        name: TruffleHog Secret Scanner
+        description: Detect secrets in your data before committing
+        # Scan staged files only. The git-history mode (--since-commit HEAD) also
+        # traverses fetched remote branches in the local object store, producing
+        # false positives from unmerged branches. Staged-file scanning is the
+        # correct scope for a pre-commit hook; git history scanning belongs in CI.
+        entry: bash -c 'command -v trufflehog >/dev/null 2>&1 && (git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown) || echo "TruffleHog not installed - skipping secret scan"'
+        language: system
+        pass_filenames: false
+        stages: [pre-commit]
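Review bot: The `entry` command of the new trufflehog hook never blocks a commit: when trufflehog is installed and `--fail` makes it exit nonzero on a finding, the `A && (B) || C` chain falls through to the `echo "TruffleHog not installed - skipping secret scan"` branch, which exits 0 and reports the wrong reason. The same fallthrough happens if `git diff` or `xargs` fails, so the hook is green in exactly the cases it exists to catch. An explicit conditional keeps the scan's exit status: `entry: bash -c 'if command -v trufflehog >/dev/null 2>&1; then git diff --cached -z --diff-filter=d --name-only | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown; else echo "TruffleHog not installed - skipping secret scan"; fi'`. Note also that `trufflehog filesystem` reads the working-tree copy of each staged path rather than the index content, so partially staged files are scanned as they exist on disk; worth a one-line comment next to the existing scope note so the limitation is documented rather than rediscovered.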