Secret scanning often starts at Git. AI coding agents can make that too late. They can read local files, summarize logs, run commands, and transform sensitive context before anything is committed.

shk is a local-first CLI for that messy pre-commit space: scan secrets and PII, mask prompts, and install managed hooks for Claude Code, Cursor, and Codex.

The problem is no longer just "secret reaches Git"

Most secret-scanning workflows are built around a familiar boundary: stop credentials before they land in Git, CI logs, or a release artifact. AI coding agents move that boundary earlier.

An agent might read a file while following an import chain. It might summarize a pasted error log. It might run a shell command that prints .env contents. It might create a new file that quietly contains a token from earlier context. None of that requires a commit.

That is the gap shk is trying to cover: the local, messy, pre-commit space where AI tools actually operate.…
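
To make the "command prints .env contents" case concrete, here is an added sketch (not shk's code and not from the original post) that masks secret-looking values in captured tool output before the text reaches an agent's context. The rule set, the function names and the sample output are assumptions constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Per-process key: placeholders stay stable within one run, but a short tag
# cannot be used offline to confirm guesses at a low-entropy secret.
_RUN_KEY = secrets.token_bytes(32)

# Illustrative rules only. Group 1 is kept, group 2 is the value to mask.
_RULES = [
    ("env", re.compile(
        r"(?im)^([ \t]*(?:export[ \t]+)?\w*(?:SECRET|TOKEN|PASSWORD|API_KEY)\w*[ \t]*=[ \t]*)"
        r"(\"[^\"\n]+\"|'[^'\n]+'|[^\s#]+)")),
    ("bearer", re.compile(r"(?i)(authorization:\s*bearer\s+)([A-Za-z0-9._~+/=-]{16,})")),
    ("aws_key_id", re.compile(r"()\b(AKIA[0-9A-Z]{16})\b")),
]


def _placeholder(kind, value):
    tag = hmac.new(_RUN_KEY, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"[MASKED:{kind}:{tag}]"


def mask_secrets(text):
    """Return (masked_text, findings). Findings carry kind and line, never the value."""
    findings = []
    for kind, pattern in _RULES:
        def repl(m, kind=kind):
            # Placeholders contain no newlines, so line numbers stay valid across passes.
            line = m.string.count("\n", 0, m.start(2)) + 1
            findings.append({"kind": kind, "line": line})
            return m.group(1) + _placeholder(kind, m.group(2))
        text = pattern.sub(repl, text)
    return text, findings


# Constructed sample of tool output; every value here is fake.
SAMPLE_TOOL_OUTPUT = """\
$ cat .env
APP_ENV=development
DB_PASSWORD="correct horse battery"
export PAYMENTS_API_KEY=constructed-key-000111222
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ curl -v https://api.example.invalid/me
> Authorization: Bearer CONSTRUCTED.token.value-0123456789
"""

if __name__ == "__main__":
    masked, found = mask_secrets(SAMPLE_TOOL_OUTPUT)
    print(masked)
    print(found)
```

Because the same value always maps to the same placeholder within a run, the agent can still tell that two lines refer to one credential without ever seeing it.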