diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 00000000..035ce17b
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Pre-commit hook: block large files from being committed.
+# Install: git config core.hooksPath .githooks
+#
+# Max allowed file size (bytes). Override with GIT_MAX_FILE_SIZE env var.
+MAX_SIZE="${GIT_MAX_FILE_SIZE:-2097152}"  # 2 MB default
+
+errors=0
+
+while IFS= read -r line; do
+  # Format: :old_mode new_mode old_sha new_sha status\tpath
+  status=$(echo "$line" | awk '{print $5}' | cut -c1)
+  file=$(echo "$line" | awk '{print $6}')
+
+  # Skip deleted files
+  [ "$status" = "D" ] && continue
+
+  sha=$(echo "$line" | awk '{print $4}')
+  size=$(git cat-file -s "$sha" 2>/dev/null || echo 0)
+
+  if [ "$size" -gt "$MAX_SIZE" ]; then
+    printf "BLOCKED: %s is %s bytes (max %s)\n" "$file" "$size" "$MAX_SIZE" >&2
+    errors=$((errors + 1))
+  fi
+done < <(git diff --cached --raw)
+
+if [ "$errors" -gt 0 ]; then
+  echo >&2
+  echo "Commit blocked: $errors file(s) exceed the ${MAX_SIZE}-byte limit." >&2
+  echo "If intentional, bypass with: git commit --no-verify" >&2
+  exit 1
+fi
diff --git a/.gitignore b/.gitignore
index 81e06198..759ff6f6 100755
--- a/.gitignore
+++ b/.gitignore
@@ -87,3 +87,14 @@ cli/cli
 cli/infra_cli
 stacks/terminal/clipboard-upload/clipboard-upload
 *.zip
+*.tar.gz
+*.tgz
+*.iso
+*.img
+*.bin
+*.exe
+*.dmg
+
+# Plaintext terraform state — NEVER commit (use SOPS-encrypted .tfstate.enc only)
+terraform.tfstate
+terraform.tfstate.backup
diff --git a/stacks/platform/redis-25.3.2.tgz b/stacks/platform/redis-25.3.2.tgz
deleted file mode 100644
index 4e34e7a1..00000000
Binary files a/stacks/platform/redis-25.3.2.tgz and /dev/null differ