diff --git a/.github/workflows/ci.yml.disabled b/.github/workflows/ci.yml.disabled
deleted file mode 100644
index 9fe64b5..0000000
--- a/.github/workflows/ci.yml.disabled
+++ /dev/null
@@ -1,73 +0,0 @@
-name: CI
-
-on:
- push:
- branches: [main]
- pull_request:
- branches: [main]
-
-env:
- IMAGE_NAME: claude-memory-mcp
-
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
- with:
- python-version: "3.12"
- - run: pip install -e ".[api,dev]"
- - run: ruff check src/ tests/
- - run: mypy src/claude_memory/
- - run: pytest tests/ -v --tb=short
-
- build:
- runs-on: ubuntu-latest
- needs: test
- if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- outputs:
- image_tag: ${{ steps.meta.outputs.sha }}
- steps:
- - uses: actions/checkout@v4
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - id: meta
- run: echo "sha=$(echo ${{ github.sha }} | cut -c1-8)" >> $GITHUB_OUTPUT
- - uses: docker/build-push-action@v6
- with:
- context: .
- file: docker/Dockerfile
- push: true
- platforms: linux/amd64
- tags: |
- viktorbarzin/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.sha }}
- viktorbarzin/${{ env.IMAGE_NAME }}:latest
- cache-from: type=gha
- cache-to: type=gha,mode=max
-
- deploy:
- needs: build
- if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- runs-on: ubuntu-latest
- steps:
- - name: Trigger Woodpecker deploy
- run: |
- for attempt in 1 2 3; do
- STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
- "https://ci.viktorbarzin.me/api/repos/78/pipelines" \
- -H "Authorization: Bearer ${{ secrets.WOODPECKER_TOKEN }}" \
- -H "Content-Type: application/json" \
- -d '{"branch":"main","variables":{"IMAGE_TAG":"${{ needs.build.outputs.image_tag }}","IMAGE_NAME":"viktorbarzin/${{ env.IMAGE_NAME }}"}}')
- if [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 300 ]; then
- echo "Woodpecker deploy triggered (HTTP $STATUS)"
- exit 0
- fi
- echo "Attempt $attempt failed (HTTP $STATUS), retrying in 30s..."
- sleep 30
- done
- echo "Failed to trigger Woodpecker deploy after 3 attempts"
- exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b392950..6e67ef5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,7 @@
 name: Release
 
 on:
- push:
- tags: ["v*"]
+ workflow_dispatch: {}
 
 jobs:
 docker:
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..42c1c95
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,5 @@
+# Synthetic test fixtures (credential-detector + crypto tests) — ruled false
+# positives during the ADR-0002 public flip (infra#20). gitleaks skips these.
+0ed5e1e016901abedae2c33049748e938bdfcf67:tests/test_crypto.py:generic-api-key:18
+0ed5e1e016901abedae2c33049748e938bdfcf67:tests/test_credential_detector.py:generic-api-key:113
+0ed5e1e016901abedae2c33049748e938bdfcf67:tests/test_credential_detector.py:private-key:37
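Review bot: With `workflow_dispatch: {}` as the only trigger in release.yml, the run's ref is whatever branch or tag the operator picks, so nothing ties a release to a `v*` tag any more. The `docker` job body lies outside this hunk, so this is inferred: if it derives the image tag from the ref name, a dispatch from a branch would publish under a branch-derived tag or without a version tag. Consider guarding the job with `if: startsWith(github.ref, 'refs/tags/v')` or declaring a required version input. A comment above the trigger would also record the intent, for example `# Manual-only release: tag pushes no longer publish; dispatch from a v* tag.`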
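Review bot: The header comment in .gitleaksignore says "gitleaks skips these", which reads as if the fixture files were exempt. Each of the three entries is a fingerprint pinned to one commit, rule and line. Only those exact findings are suppressed, and a later edit that adds or moves a credential-like string in these tests will be reported again. I would say so in the header, e.g. `# Fingerprints are commit- and line-pinned; findings from later edits to these fixtures are still reported and need a fresh review.` Since the repository is going public, it is also worth recording next to the `private-key:37` entry that the key was generated for the test and never used elsewhere. The diff itself cannot show that.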