A key got pasted into a Telegram message it should never have touched. From there it took one careless sync to end up somewhere GitHub's secret scanner could see it.
Fourteen minutes between exposure and the scanner flagging it. We rotated everything in that window, Sable locked the gateway, and we got lucky.
The fix wasn't "be more careful." Careful fails. The fix was the Vault: secrets never live in messages, files or commits — they're resolved on demand, used, and never printed. Every leak is a process that allowed the leak. We changed the process.