diff --git a/.gitleaks.toml b/.gitleaks.toml
index 11864819e5..c62b17917b 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -9,7 +9,10 @@
 # this as public-by-design (all real auth goes through FirebaseAuth)
 # - Segment readKey: client-side write key
 # - user_signing_key in KDoc comments: example values in doc-strings
-# - docs/ + *Test.kt files: scratch + test fixtures, never live credentials
+# - docs/maps.md + *Test.kt: public MapTiler client-token fixtures
+# - docs/build-logs/ssss-roundtrip-result.md: a DEAD test SSSS key (testbot
+# @testbot-elementx locked 2026-06-27); the broad docs/.* glob was REMOVED
+# because it had hidden this fork-added scratch doc from CI
 
 [extend]
 useDefault = true
@@ -17,7 +20,8 @@ useDefault = true
 [allowlist]
 description = "Public client keys (PostHog, MapTiler, Firebase, Segment) + docs + test fixtures"
 paths = [
- '''docs/.*''',
+ '''docs/maps\.md''',
+ '''docs/build-logs/ssss-roundtrip-result\.md''',
  '''.*/google-services\.json''',
  '''.*Test\.kt''',
  '''localazy\.json''',
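Review bot: The added comment for `docs/build-logs/ssss-roundtrip-result.md` explains why the `docs/.*` glob was removed but never states the standing rule, so a later editor could reintroduce the glob. I would add a line such as `# Allowlist docs files one at a time; do not re-add a docs/.* glob.` and leave the removal history to the commit message. The exemption is justified only by the key being dead, so the comment should also say that the entry is meant to cover that one revoked value and should be dropped when the file is deleted. The comment block starts above the hunk.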
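Review bot: The two new `paths` entries are unanchored regexes, so `docs/maps\.md` would presumably also match a path such as `vendor/docs/maps.md` or `docs/maps.md.bak`, assuming gitleaks matches path patterns anywhere in the path. Anchoring them as `'''^docs/maps\.md$'''` and `'''^docs/build-logs/ssss-roundtrip-result\.md$'''` limits the exemption to exactly those two files. For the SSSS doc, a path entry still silences every rule for the whole file, so any other secret pasted into it later goes unreported; a finding fingerprint in `.gitleaksignore` would exempt only the known revoked value. The unchanged `description` still reads "+ docs", which no longer matches the list, and the `paths` array continues past the end of the hunk.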