diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..43f3a87
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,27 @@
+# Secret Scanning — Protocolo Soberanía V10
+# Detecta credenciales y tokens filtrados antes de que lleguen a main.
+# Si se filtra un token: REVÓCALO en el servicio (BotFather, Stripe, Firebase…) de inmediato.
+name: Secret Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  gitleaks:
+    name: Detect secrets (gitleaks)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..0c249b1
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,26 @@
+# Gitleaks configuration — TryOnYou Protocolo Soberanía V10
+# Docs: https://github.com/gitleaks/gitleaks#configuration
+# Si un token real se filtra: REVÓCALO en el servicio origen de inmediato
+# (BotFather para Telegram, Dashboard para Stripe/Firebase/Vercel).
+
+title = "TryOnYou gitleaks config"
+
+[extend]
+# Use the default ruleset shipped with gitleaks
+useDefault = true
+
+[allowlist]
+description = "Allowlist for test fixtures and example files"
+
+# Test files use obviously fake keys (sk_test_fake123, sk_live_test, etc.)
+paths = [
+  '''tests/''',
+  '''\.env\.example$''',
+  '''ABVETOS_INTELLIGENCE_SYSTEM\.env\.example$''',
+]
+
+# Suppress placeholder/example patterns that are not real secrets
+regexes = [
+  # Generic placeholder values
+  '''(?i)(your[_-]?token|example|placeholder||xxxx|fake|dummy|test123|abc123)''',
+]
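Review bot: Both third-party actions in the `steps` list are pinned to mutable tags (`actions/checkout@v4`, `gitleaks/gitleaks-action@v2`), so what runs with `secrets.GITHUB_TOKEN` in its environment is whatever those tags resolve to on the day; pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: gitleaks/gitleaks-action@<commit-sha>  # v2`. The job-level `permissions: contents: read` together with triggering on `pull_request` rather than `pull_request_target` is the right shape, since the action only receives a read-only token and a PR from a fork cannot obtain a write token. I believe gitleaks-action v2 also needs a `GITLEAKS_LICENSE` secret when the repository is organization-owned, so if that applies the step will fail until it is provided. `fetch-depth: 0` is deliberate here and worth a one-line comment such as `# full history so gitleaks scans every commit, not just the checked-out tree`.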
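Review bot: The single entry under `regexes` contains an empty alternative (`placeholder||xxxx`); an empty branch matches the empty string, so this pattern matches every candidate secret and the `[allowlist]` suppresses every finding — the workflow will pass even when a genuine token is committed. Change it to `'''(?i)(your[_-]?token|example|placeholder|xxxx|fake|dummy|test123|abc123)'''`, and because gitleaks applies allowlist regexes as unanchored substring matches (against the matched secret by default, as far as I know), also consider whether short words like `example` and `fake` should be anchored or scoped so a real key that happens to contain them is not dropped. The `paths` entry `'''tests/'''` is likewise an unanchored regex that exempts any path containing `tests/`, which would hide a real credential accidentally committed under test fixtures; the comment's intent (fixtures use obviously fake keys) is the better control, and the path exemption should be narrowed or removed. Running gitleaks locally with this config against one known-fake fixture before merging would have caught the empty alternative.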