#!/usr/bin/env bash
# Block pushes that would fail the CI leak guard. Mirrors the guard yaml via
# tools/audit/leak_check.sh (single source of truth -- patterns read from the
# yaml itself, so this can never drift from CI).
#
# Enable once per clone:
#   git config core.hooksPath .githooks
exec "$(git rev-parse --show-toplevel)/tools/audit/leak_check.sh"
