Update: moving secret remediation out of CI — pre-commit seems to be the only acceptable boundary

📰 Reddit r/devops

I posted about this a few weeks ago and got strong feedback against CI auto-fix. The original idea was to automatically fix hardcoded secrets inside CI pipelines. The feedback was pretty clear: people don’t trust CI modifying code — even if the change is technically safe. After thinking about it, I agree. So I changed direction.

Instead of CI auto-fix:

- remediation runs locally (pre-commit / manual)
- CI stays dete

Published 10 Apr 2026