diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 8c2f970..56b44e2 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -40,7 +40,7 @@ jobs:
 - name: Install ruff
 run: |
 curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
- | tar -xz ruff
+ | tar -xz --strip-components=1
 mv ruff /usr/local/bin/ruff

 - name: Check syntax errors
@@ -79,5 +79,10 @@ jobs:

 - name: Scan for secrets
 run: |
- gitleaks detect --source . --redact --exit-code 1 \
- --baseline-path .gitleaks-baseline.json
+ # Scan application code directories — deploy/ is excluded because
+ # it contains intentional Gitea webhook HMAC secrets in hooks-lxc*.json
+ for dir in matrixbot/ hookshot/ .gitea/ systemd/ cinny/ landing/; do
+ [ -d "$dir" ] || continue
+ gitleaks detect --source "$dir" --no-git --config .gitleaks.toml \
+ --redact --exit-code 1
+ done
diff --git a/.gitleaks-baseline.json b/.gitleaks-baseline.json
deleted file mode 100644
index 74efacf..0000000
--- a/.gitleaks-baseline.json
+++ /dev/null
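Review bot: The ruff archive is fetched and extracted with no integrity check, so the runner installs whatever `curl -sSL` returns from the release URL; `--strip-components=1` now lands the binary, but a substituted or truncated archive is still installed silently. Pinning the expected digest in the workflow and checking it before extraction verifies the download independently of the release host, and `-f` on curl makes an HTTP error body a hard failure instead of input to tar. A rewritten step is below; the digest is a labelled placeholder to be filled from the 0.8.6 release assets. The enclosing `steps:` list begins before this hunk.
```yaml
- name: Install ruff
  run: |
    url=https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz
    curl -fsSL -o ruff.tar.gz "$url"
    echo "<EXPECTED_SHA256_OF_RUFF_0_8_6_TARBALL>  ruff.tar.gz" | sha256sum -c -
    tar -xzf ruff.tar.gz --strip-components=1
    mv ruff /usr/local/bin/ruff
```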
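Review bot: Scanning an explicit directory list leaves gaps the comment does not mention: files under deploy/ other than hooks-lxc*.json are never scanned, and any top-level directory added later is silently skipped until the `for dir in …` line is extended. Scoping the exception to the files rather than the directory keeps the whole tree under scan — a single `gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1` paired with an allowlist entry in .gitleaks.toml along the lines of `paths = ['''deploy/hooks-lxc\d+\.json''']`. Note also that `--no-git` scans only the checked-out files, so a secret committed and later removed is no longer reported; if history coverage was intended, as the previous baseline-based invocation had it, drop that flag. The enclosing `steps:` list begins before this hunk.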
@@ -1,82 +0,0 @@ -[ - { - "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", - "StartLine": 10, - "EndLine": 10, - "StartColumn": 11, - "EndColumn": 85, - "Match": "secret\": \"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b\"", - "Secret": "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b", - "File": "deploy/hooks-lxc106.json", - "SymlinkFile": "", - "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026", - "Entropy": 3.8741388, - "Author": "Jared Vititoe", - "Email": "jjvititoe1@gmail.com", - "Date": "2026-03-18T15:41:32Z", - "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc106.json:generic-api-key:10" - }, - { - "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", - "StartLine": 10, - "EndLine": 10, - "StartColumn": 11, - "EndColumn": 85, - "Match": "secret\": \"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267\"", - "Secret": "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267", - "File": "deploy/hooks-lxc139.json", - "SymlinkFile": "", - "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026", - "Entropy": 3.914717, - "Author": "Jared Vititoe", - "Email": "jjvititoe1@gmail.com", - "Date": "2026-03-18T15:41:32Z", - "Message": "Add auto-deployment infrastructure 
for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc139.json:generic-api-key:10" - }, - { - "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", - "StartLine": 10, - "EndLine": 10, - "StartColumn": 11, - "EndColumn": 85, - "Match": "secret\": \"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0\"", - "Secret": "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0", - "File": "deploy/hooks-lxc110.json", - "SymlinkFile": "", - "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026", - "Entropy": 3.8516061, - "Author": "Jared Vititoe", - "Email": "jjvititoe1@gmail.com", - "Date": "2026-03-18T15:41:32Z", - "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc110.json:generic-api-key:10" - }, - { - "Description": 
"Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", - "StartLine": 10, - "EndLine": 10, - "StartColumn": 11, - "EndColumn": 85, - "Match": "secret\": \"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa\"", - "Secret": "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa", - "File": "deploy/hooks-lxc151.json", - "SymlinkFile": "", - "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026", - "Entropy": 3.779886, - "Author": "Jared Vititoe", - "Email": "jjvititoe1@gmail.com", - "Date": "2026-03-18T15:41:32Z", - "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc151.json:generic-api-key:10" - } -] diff --git a/.gitleaks.toml b/.gitleaks.toml index 5478f53..5474857 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -1,11 +1,2 @@ [extend] useDefault = true - -[[allowlists]] -description = "Gitea webhook HMAC secrets in deploy/hooks-lxc*.json are intentional configuration" -stopwords = [ - "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b", - "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267", - "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0", - "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa", -]