diff --git a/.husky/pre-commit b/.husky/pre-commit
index 105575b6..a6bbb5fd 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,13 +1,20 @@
 . "$HOME/.nvm/nvm.sh" 2>/dev/null
 
-# 1. Svenska tecken-check (snabb, ~0.5s)
+# 1. Secret-scan på staged innehåll (snabb, ~0.1s)
+echo "Söker efter läckta hemligheter..."
+bash scripts/check-no-secrets.sh || {
+  echo "Hemlighet hittad i staged innehåll! Flytta värdet till .env."
+  exit 1
+}
+
+# 2. Svenska tecken-check (snabb, ~0.5s)
 echo "Kontrollerar svenska tecken..."
 npm run check:swedish --silent || {
   echo "Svenska tecken-problem hittade! Fix innan commit."
   exit 1
 }
 
-# 2. TypeScript-check BARA om .ts/.tsx-filer är staged
+# 3. TypeScript-check BARA om .ts/.tsx-filer är staged
 STAGED=$(git diff --cached --name-only --diff-filter=d | grep -E '\.(ts|tsx)$' || true)
 if [ -n "$STAGED" ]; then
   echo "TypeScript-check (staged .ts/.tsx hittade)..."
@@ -17,5 +24,5 @@ if [ -n "$STAGED" ]; then
   }
 fi
 
-# 3. Branch-check (BLOCKER om kod-commit på main under aktiv story)
+# 4. Branch-check (BLOCKER om kod-commit på main under aktiv story)
 bash scripts/check-branch-for-story.sh || exit 1
diff --git a/prisma/seed-guard.test.ts b/prisma/seed-guard.test.ts
new file mode 100644
index 00000000..f220e94b
--- /dev/null
+++ b/prisma/seed-guard.test.ts
@@ -0,0 +1,52 @@
+import { describe, it, expect } from "vitest"
+import { assertSeedSafe } from "./seed-guard"
+
+describe("assertSeedSafe", () => {
+  it("allows local Supabase URL (127.0.0.1)", () => {
+    expect(() =>
+      assertSeedSafe({ supabaseUrl: "http://127.0.0.1:54321", allowProd: false })
+    ).not.toThrow()
+  })
+
+  it("allows local Supabase URL (localhost)", () => {
+    expect(() =>
+      assertSeedSafe({ supabaseUrl: "http://localhost:54321", allowProd: false })
+    ).not.toThrow()
+  })
+
+  it("rejects hosted Supabase URL by default", () => {
+    expect(() =>
+      assertSeedSafe({
+        supabaseUrl: "https://xybyzflfxnqqyxnvjklv.supabase.co",
+        allowProd: false,
+      })
+    ).toThrow(/refusing to seed against hosted Supabase/i)
+  })
+
+  it("rejects Supabase pooler URL by default", () => {
+    expect(() =>
+      assertSeedSafe({
+        supabaseUrl: "https://pooler.supabase.com:5432",
+        allowProd: false,
+      })
+    ).toThrow(/refusing to seed/i)
+  })
+
+  it("allows hosted URL when ALLOW_SEED_PROD is true", () => {
+    expect(() =>
+      assertSeedSafe({
+        supabaseUrl: "https://zzdamokfeenencuggjjp.supabase.co",
+        allowProd: true,
+      })
+    ).not.toThrow()
+  })
+
+  it("includes the target URL in the error message", () => {
+    expect(() =>
+      assertSeedSafe({
+        supabaseUrl: "https://xybyzflfxnqqyxnvjklv.supabase.co",
+        allowProd: false,
+      })
+    ).toThrow(/xybyzflfxnqqyxnvjklv\.supabase\.co/)
+  })
+})
diff --git a/prisma/seed-guard.ts b/prisma/seed-guard.ts
new file mode 100644
index 00000000..1f7f611d
--- /dev/null
+++ b/prisma/seed-guard.ts
@@ -0,0 +1,28 @@
+/**
+ * Guard against accidentally seeding a hosted (staging/production) Supabase
+ * project. The seed script creates users with a hardcoded test password —
+ * running it against prod would set real accounts to that password.
+ *
+ * Override with ALLOW_SEED_PROD=true if you genuinely need to seed a hosted
+ * environment (e.g. demo provisioning).
+ */
+export interface AssertSeedSafeOptions {
+  supabaseUrl: string
+  allowProd: boolean
+}
+
+export function assertSeedSafe(options: AssertSeedSafeOptions): void {
+  const { supabaseUrl, allowProd } = options
+
+  if (allowProd) return
+
+  const lower = supabaseUrl.toLowerCase()
+  const isHosted = lower.includes("supabase.co") || lower.includes("supabase.com")
+
+  if (isHosted) {
+    throw new Error(
+      `Refusing to seed against hosted Supabase (target: ${supabaseUrl}). ` +
+        `Set ALLOW_SEED_PROD=true to override (only for demo provisioning).`
+    )
+  }
+}
diff --git a/prisma/seed.ts b/prisma/seed.ts
index 53b4183e..37c0788a 100644
--- a/prisma/seed.ts
+++ b/prisma/seed.ts
@@ -13,6 +13,7 @@
 import { createClient } from "@supabase/supabase-js"
 import { PrismaClient } from "@prisma/client"
 import { config } from "dotenv"
+import { assertSeedSafe } from "./seed-guard"
 
 // Load env files (Next.js priority: .env.local > .env)
 config({ path: ".env.local" })
@@ -31,6 +32,11 @@ if (!SUPABASE_URL || !SERVICE_ROLE_KEY) {
   process.exit(1)
 }
 
+assertSeedSafe({
+  supabaseUrl: SUPABASE_URL,
+  allowProd: process.env.ALLOW_SEED_PROD === "true",
+})
+
 const supabase = createClient(SUPABASE_URL, SERVICE_ROLE_KEY, {
   auth: { autoRefreshToken: false, persistSession: false },
 })
diff --git a/scripts/check-no-secrets.sh b/scripts/check-no-secrets.sh
new file mode 100755
index 00000000..bc5bb4a2
--- /dev/null
+++ b/scripts/check-no-secrets.sh
@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+#
+# check-no-secrets.sh
+#
+# Scans STAGED file content for known secret patterns before commit.
+# Exits non-zero if a likely secret is found.
+#
+# Patterns chosen to be high-signal / low-noise:
+#   - Provider-specific prefixes (sk-ant-, sk-proj-, sk_live_, whsec_, AIza..., AKIA..., ghp_/gho_/ghs_/ghu_, xox[b-s]-)
+#   - Private keys (BEGIN ... PRIVATE KEY)
+#   - JWT tokens carrying role: service_role
+#   - DB connection strings with embedded credentials, except local dev
+#
+# Files known to be safe by design are skipped:
+#   - .env.example, *.example, *.template, *.sample
+#   - prisma/seed-guard.test.ts (contains pattern-shaped strings for tests)
+#   - this script itself + the pre-commit hook
+#   - docs and retro files reference patterns by name
+#
+# Override an unavoidable match by adding the literal string "secret-scan:allow"
+# on the same line in the diff. Use sparingly.
+
+set -uo pipefail
+
+STAGED=$(git diff --cached --name-only --diff-filter=AM)
+if [ -z "$STAGED" ]; then
+  exit 0
+fi
+
+# Skip files where pattern-shaped strings are expected.
+SKIP_REGEX='(^|/)(\.env\.example|.+\.example|.+\.template|.+\.sample)$|(^|/)scripts/check-no-secrets\.(sh|test\.ts)$|(^|/)\.husky/pre-commit$|(^|/)prisma/seed-guard\.test\.ts$|(^|/)docs/.+\.md$|(^|/)\.claude/.+\.md$'
+
+FILES=()
+while IFS= read -r f; do
+  [ -z "$f" ] && continue
+  if echo "$f" | grep -qE "$SKIP_REGEX"; then
+    continue
+  fi
+  FILES+=("$f")
+done <<< "$STAGED"
+
+if [ ${#FILES[@]} -eq 0 ]; then
+  exit 0
+fi
+
+# Patterns. Each line: <label>::<extended-regex>
+PATTERNS=(
+  'Anthropic API key::sk-ant-[A-Za-z0-9_-]{20,}'
+  'OpenAI project key::sk-proj-[A-Za-z0-9_-]{20,}'
+  'OpenAI legacy key::sk-[A-Za-z0-9]{40,}'
+  'Google API key::AIza[0-9A-Za-z_-]{35}'
+  'AWS access key::AKIA[0-9A-Z]{16}'
+  'GitHub token::gh[pousr]_[A-Za-z0-9]{36,}'
+  'GitHub fine-grained PAT::github_pat_[A-Za-z0-9_]{80,}'
+  'Slack token::xox[baprs]-[A-Za-z0-9-]{10,}'
+  'Stripe live secret::sk_live_[A-Za-z0-9]{20,}'
+  'Stripe restricted::rk_live_[A-Za-z0-9]{20,}'
+  'Stripe webhook secret::whsec_[A-Za-z0-9]{20,}'
+  'Stripe test secret::sk_test_[A-Za-z0-9]{20,}'
+  'RSA private key::BEGIN RSA PRIVATE KEY'
+  'OpenSSH private key::BEGIN OPENSSH PRIVATE KEY'
+  'PEM private key::BEGIN PRIVATE KEY'
+  'EC private key::BEGIN EC PRIVATE KEY'
+  'PGP private key::BEGIN PGP PRIVATE KEY'
+)
+
+HITS=0
+
+scan_file() {
+  local file="$1"
+  local diff
+  diff=$(git diff --cached --no-color -U0 -- "$file")
+  [ -z "$diff" ] && return 0
+
+  # Only look at added lines (start with + but not the +++ header).
+  local added
+  added=$(echo "$diff" | grep -E '^\+[^+]' || true)
+  [ -z "$added" ] && return 0
+
+  for entry in "${PATTERNS[@]}"; do
+    local label="${entry%%::*}"
+    local regex="${entry#*::}"
+    local matches
+    matches=$(echo "$added" | grep -E "$regex" || true)
+    # Drop lines explicitly allowlisted.
+    matches=$(echo "$matches" | grep -v 'secret-scan:allow' || true)
+    if [ -n "$matches" ]; then
+      echo ""
+      echo "  [$label] in $file"
+      echo "$matches" | sed 's/^/    /'
+      HITS=$((HITS + 1))
+    fi
+  done
+
+  # Service_role JWTs: decode payload and check role claim.
+  # Only flags tokens whose payload literally contains "role":"service_role".
+  local jwt_matches
+  jwt_matches=$(echo "$added" | grep -oE 'eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}' || true)
+  if [ -n "$jwt_matches" ]; then
+    while IFS= read -r token; do
+      [ -z "$token" ] && continue
+      local payload
+      payload=$(echo "$token" | cut -d. -f2)
+      # base64url -> base64 + padding
+      local pad=$(( 4 - ${#payload} % 4 ))
+      [ $pad -eq 4 ] && pad=0
+      local padded="$payload"
+      for _ in $(seq 1 $pad); do padded="${padded}="; done
+      local decoded
+      decoded=$(echo "$padded" | tr '_-' '/+' | base64 -d 2>/dev/null || true)
+      if echo "$decoded" | grep -q '"role":"service_role"'; then
+        echo ""
+        echo "  [Supabase service_role JWT] in $file"
+        echo "    $token" | cut -c 1-120
+        HITS=$((HITS + 1))
+      fi
+    done <<< "$jwt_matches"
+  fi
+
+  # DB connection strings with embedded credentials.
+  # Allow local dev (localhost / 127.0.0.1 with postgres:postgres).
+  local db_matches
+  db_matches=$(echo "$added" | grep -oE '(postgres(ql)?|mysql|mongodb(\+srv)?|redis)://[^:[:space:]"]+:[^@[:space:]"]+@[^/[:space:]"]+' || true)
+  if [ -n "$db_matches" ]; then
+    while IFS= read -r url; do
+      [ -z "$url" ] && continue
+      if echo "$url" | grep -qE '@(localhost|127\.0\.0\.1)([:/]|$)'; then
+        continue
+      fi
+      if echo "$url" | grep -qE 'postgres:postgres@(localhost|127\.0\.0\.1)'; then
+        continue
+      fi
+      echo ""
+      echo "  [DB connection string with credentials] in $file"
+      echo "    $url"
+      HITS=$((HITS + 1))
+    done <<< "$db_matches"
+  fi
+}
+
+for f in "${FILES[@]}"; do
+  scan_file "$f"
+done
+
+if [ "$HITS" -gt 0 ]; then
+  echo ""
+  echo "=========================================="
+  echo "  $HITS likely secret(s) found in staged content."
+  echo "=========================================="
+  echo "  Move the value to .env (gitignored) or"
+  echo "  add 'secret-scan:allow' on the line if it is a false positive."
+  echo "=========================================="
+  exit 1
+fi
+
+exit 0
diff --git a/scripts/check-no-secrets.test.ts b/scripts/check-no-secrets.test.ts
new file mode 100644
index 00000000..9d1d932e
--- /dev/null
+++ b/scripts/check-no-secrets.test.ts
@@ -0,0 +1,183 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest"
+import { execSync } from "node:child_process"
+import { mkdtempSync, writeFileSync, rmSync } from "node:fs"
+import { tmpdir } from "node:os"
+import { join, resolve } from "node:path"
+
+/**
+ * Integration tests for scripts/check-no-secrets.sh.
+ *
+ * Each test creates a fresh temporary git repo, stages a file with crafted
+ * content, runs the script against that repo, and asserts on exit code +
+ * output.
+ */
+const SCRIPT = resolve(__dirname, "check-no-secrets.sh")
+
+function setupRepo(): string {
+  const dir = mkdtempSync(join(tmpdir(), "secret-scan-"))
+  execSync("git init -q", { cwd: dir })
+  execSync("git config user.email test@example.com", { cwd: dir })
+  execSync("git config user.name Test", { cwd: dir })
+  return dir
+}
+
+function stageFile(dir: string, file: string, content: string): void {
+  writeFileSync(join(dir, file), content)
+  execSync(`git add ${file}`, { cwd: dir })
+}
+
+function runScript(dir: string): { code: number; stdout: string; stderr: string } {
+  try {
+    const stdout = execSync(`bash ${SCRIPT}`, { cwd: dir, encoding: "utf-8" })
+    return { code: 0, stdout, stderr: "" }
+  } catch (err: unknown) {
+    const e = err as { status?: number; stdout?: string; stderr?: string }
+    return {
+      code: e.status ?? 1,
+      stdout: e.stdout?.toString() ?? "",
+      stderr: e.stderr?.toString() ?? "",
+    }
+  }
+}
+
+describe("check-no-secrets.sh", () => {
+  const repos: string[] = []
+
+  afterAll(() => {
+    for (const r of repos) rmSync(r, { recursive: true, force: true })
+  })
+
+  function makeRepo(): string {
+    const r = setupRepo()
+    repos.push(r)
+    return r
+  }
+
+  it("passes when no files are staged", () => {
+    const r = makeRepo()
+    const result = runScript(r)
+    expect(result.code).toBe(0)
+  })
+
+  it("passes for ordinary source code", () => {
+    const r = makeRepo()
+    stageFile(
+      r,
+      "ok.ts",
+      "const greet = (n: string) => `Hello, ${n}`\nexport default greet\n"
+    )
+    const result = runScript(r)
+    expect(result.code).toBe(0)
+  })
+
+  it("blocks Anthropic API keys", () => {
+    const r = makeRepo()
+    // Prefix split avoids GitHub push-protection matching in this source file
+    stageFile(r, "bad.ts", 'const k = "sk-' + 'ant-api03-AAAAAAAAAAAAAAAAAAAAAAAA"\n')
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/Anthropic/)
+  })
+
+  it("blocks Stripe live secret keys", () => {
+    const r = makeRepo()
+    stageFile(r, "bad.ts", 'const k = "sk_' + 'live_AAAAAAAAAAAAAAAAAAAAAAAA"\n')
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/Stripe/)
+  })
+
+  it("blocks Stripe webhook secrets", () => {
+    const r = makeRepo()
+    stageFile(r, "bad.ts", 'const k = "whs' + 'ec_AAAAAAAAAAAAAAAAAAAAAAAA"\n')
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/Stripe webhook/)
+  })
+
+  it("blocks AWS access keys", () => {
+    const r = makeRepo()
+    stageFile(r, "bad.ts", 'const k = "AKI' + 'AIOSFODNN7EXAMPLE"\n')
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/AWS/)
+  })
+
+  it("blocks GitHub personal access tokens", () => {
+    const r = makeRepo()
+    stageFile(r, "bad.ts", 'const k = "gh' + 'p_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"\n')
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/GitHub/)
+  })
+
+  it("blocks RSA private keys", () => {
+    const r = makeRepo()
+    stageFile(r, "bad.pem", "-----BEGIN RSA PRIVATE KEY-----\nfoo\n")
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/RSA private key/)
+  })
+
+  it("blocks Supabase service_role JWTs", () => {
+    const r = makeRepo()
+    // Demo service_role JWT from Supabase CLI — payload literally contains
+    // "role":"service_role".
+    const jwt =
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU"
+    stageFile(r, "bad.ts", `const k = "${jwt}"\n`)
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/service_role/)
+  })
+
+  it("does not block Supabase anon JWTs", () => {
+    const r = makeRepo()
+    const jwt =
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0"
+    stageFile(r, "ok.ts", `const k = "${jwt}"\n`)
+    const result = runScript(r)
+    expect(result.code).toBe(0)
+  })
+
+  it("blocks Postgres connection strings with credentials", () => {
+    const r = makeRepo()
+    stageFile(
+      r,
+      "bad.ts",
+      'const url = "postgresql://user:p4ssw0rd@db.example.com:5432/app"\n'
+    )
+    const result = runScript(r)
+    expect(result.code).toBe(1)
+    expect(result.stdout).toMatch(/DB connection/)
+  })
+
+  it("does not block local Postgres dev connection strings", () => {
+    const r = makeRepo()
+    stageFile(
+      r,
+      "ok.ts",
+      'const url = "postgresql://postgres:postgres@127.0.0.1:54322/postgres"\n'
+    )
+    const result = runScript(r)
+    expect(result.code).toBe(0)
+  })
+
+  it("skips .env.example files", () => {
+    const r = makeRepo()
+    stageFile(r, ".env.example", 'STRIPE_SECRET_KEY="sk_' + 'live_AAAAAAAAAAAAAAAAAAAAAAAA"\n')
+    const result = runScript(r)
+    expect(result.code).toBe(0)
+  })
+
+  it("honours secret-scan:allow override on the same line", () => {
+    const r = makeRepo()
+    stageFile(
+      r,
+      "bad.ts",
+      'const k = "sk_' + 'live_AAAAAAAAAAAAAAAAAAAAAAAA" // secret-scan:allow test fixture\n'
+    )
+    const result = runScript(r)
+    expect(result.code).toBe(0)
+  })
+})