diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100644
index 0000000..eacc6bd
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Block commits that add/modify plaintext files under secrets/
+set -euo pipefail
+
+# Find added/modified paths under secrets/ in the index
+changed_files=$(git diff --cached --name-only --diff-filter=ACMR | grep -E '^secrets/' || true)
+
+[ -z "$changed_files" ] && exit 0 # nothing to check
+
+fail=0
+msg="❌ Commit blocked: Unencrypted file(s) detected under secrets/.
+Each file in secrets/ must be SOPS-encrypted (contain a top-level 'sops:' block).
+Use 'sops ' to edit or 'sops --encrypt --in-place ' to encrypt."
+
+while IFS= read -r f; do
+  if ! git cat-file -e ":$f" 2>/dev/null; then
+    continue
+  fi
+  if [ -d "$f" ]; then
+    continue
+  fi
+  content="$(git show ":$f" || true)"
+  if [ -z "$content" ]; then
+    echo " - $f (empty)"; fail=1; continue
+  fi
+  if echo "$content" | grep -qE '^[[:space:]]*sops:[[:space:]]*$|"sops"[[:space:]]*:'; then
+    continue
+  fi
+  case "$f" in
+    *.age|*.gpg) continue ;;
+  esac
+  echo " - $f"
+  fail=1
+done <<< "$changed_files"
+
+if [ "$fail" -ne 0 ]; then
+  echo ""
+  echo "$msg"
+  echo ""
+  echo "Tips:"
+  echo " • Edit with SOPS: sops secrets/.yaml"
+  echo " • Encrypt in place: sops --encrypt --in-place secrets/.yaml"
+  exit 1
+fi
+
+exit 0
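Review bot: The "encrypted" test accepts any staged file that merely contains a `sops:` / `"sops":` key (the grep before the `case`) or carries a `.age`/`.gpg` extension (the `case` arm), so a plaintext YAML with a stray `sops:` line, or a plaintext file renamed to `foo.gpg`, is committed without complaint. SOPS-encrypted values carry `ENC[` ciphertext markers, so the metadata check should be paired with a content check, e.g. `if printf '%s\n' "$content" | grep -qE '^[[:space:]]*sops:[[:space:]]*$|"sops"[[:space:]]*:' && printf '%s\n' "$content" | grep -q 'ENC\['; then`, and the extension allowlist either dropped or given its own content check (e.g. a PGP/age armor header) rather than trusting the filename. Replacing `echo "$content"` with `printf '%s\n' "$content"` also avoids `echo` reinterpreting content that begins with `-n`/`-e`, and `[ -d "$f" ]` inspects the working tree rather than the index, so it does not describe the staged object it is meant to skip. Since `.githooks/` hooks only run where `core.hooksPath` points at the directory and are skipped by `--no-verify`, a header comment such as `# Client-side safeguard only; enforce the same check server-side or in CI` would set expectations for readers.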