The previous planted SYNC_API_KEY used a sk_live_-prefixed value that
pattern-matches Stripe, so GitHub push protection blocked the public mirror push
before any of the module's own gates ran. Swap it for a generic high-entropy
value the secret-keyword detector still flags (var name is SYNC_API_KEY) without
matching any specific issuer pattern.
Add a "Gate 0: your hosted forge" note to M15 acknowledging that the forge's own
push protection is the earliest gate; teach learners to treat it that way rather
than papering over a bypass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT