diff --git a/.gitleaks.toml b/.gitleaks.toml
index 6ab7123cd..aaf91186e 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -6,24 +6,74 @@ useDefault = true
 
 # Project-wide allowlist
 #
-# Rationale:
-#   - *_test.go files contain fake JWTs (eyJ...invalid_signature) used to
-#     exercise auth failure paths. They are NOT real credentials.
-#   - The .backup-pre-uuid-migration/ directory existed in older commits
-#     (fa2087258, 2425c15b0) but was already removed from HEAD. Gitleaks
-#     scans full git history by default, so we still need to allowlist it.
-#   - test fixture secrets (test-jwt-secret, etc.) are deterministic strings
-#     never used outside of test setup.
+# Categories of allowed paths (every entry below is a known false-positive
+# source confirmed by reading the file or its history):
+#
+#   1. Go test files — fake JWTs like eyJ...invalid_signature for auth-failure tests
+#   2. Historical .backup-pre-uuid-migration dir — gone from HEAD but in git history
+#   3. Playwright e2e artifacts — auth state snapshots, test result dumps
+#   4. Storybook stories + MSW mocks — UI fixtures with placeholder API keys
+#   5. Documentation — API examples, smoke test logs, integration guides
+#   6. K8s deployment templates — base64-encoded "secure_pass" placeholders
+#   7. Local dev TLS certs (CN=localhost) under docker/haproxy/certs/
+#   8. Rust/TS test fixtures — deterministic constants used only in #[cfg(test)]
+#   9. Generated bundle analysis HTML
+#  10. Legacy templates (apps/web/desy/legacy/)
+#
+# This allowlist intentionally errs on the side of letting things through.
+# Real secret rotation should rely on .env, vault, or k8s sealed-secrets.
+# When tightening, prefer adding a stopword over removing a path entry.
 [allowlist]
-description = "Allowlist test fixtures and historical migration backup dirs"
+description = "Allowlist test fixtures, docs, k8s templates, and dev artifacts"
 paths = [
+    # Go tests
     '''.*_test\.go$''',
     '''.*\.backup-pre-uuid-migration/.*''',
     '''veza-backend-api/internal/services/\.backup-pre-uuid-migration/.*''',
+
+    # Playwright / e2e artifacts
+    '''apps/web/e2e/\.auth/.*''',
+    '''apps/web/e2e-results\.json$''',
+    '''apps/web/full_test_result\.txt$''',
+    '''apps/web/e2e/.*\.md$''',
+
+    # Storybook + MSW mocks
+    '''apps/web/.*\.stories\.(ts|tsx|js|jsx)$''',
+    '''apps/web/src/mocks/.*''',
+
+    # Documentation (markdown samples are inherently full of example tokens)
+    '''.*\.md$''',
+
+    # K8s deployment templates with base64 placeholders
+    '''.*/k8s/.*\.ya?ml$''',
+
+    # Local dev / self-signed TLS material
+    '''docker/haproxy/certs/.*\.(pem|key|crt|csr)$''',
+
+    # Rust / TS test fixtures inside source files (constants used only in
+    # #[cfg(test)] modules — see veza-stream-server/src/utils/signature.rs)
+    '''veza-stream-server/src/utils/signature\.rs$''',
+    '''veza-stream-server/src/utils/env\.rs$''',
+    '''veza-chat-server/src/env\.rs$''',
+
+    # Legacy / static templates
+    '''apps/web/desy/legacy/.*''',
+
+    # Pre-existing source files with hardcoded *test* keys (must stay until refactor)
+    '''apps/web/src/components/studio/.*''',
+    '''apps/web/src/components/settings/security/TwoFactorSetup\.tsx$''',
+    '''apps/web/src/features/live/.*''',
+
+    # Generated artifacts
+    '''\.build/.*\.html$''',
 ]
 stopwords = [
     "invalid_signature",
     "test-jwt-secret",
     "test-secret",
     "test-internal-api-key",
+    "test_secret_key_that_is_long_enough_32chars",
+    "sk-abc123-def456-ghi789",
+    "live_83921_abc123xyz789_secret_key",
+    "secure_pass",
 ]