diff --git a/molecule_runtime/scripts/pre-commit-checks.sh b/molecule_runtime/scripts/pre-commit-checks.sh
index 1bc8248..ded07e6 100644
--- a/molecule_runtime/scripts/pre-commit-checks.sh
+++ b/molecule_runtime/scripts/pre-commit-checks.sh
@@ -66,6 +66,7 @@ SECRET_PATTERNS=(
     'sk-ant-[A-Za-z0-9_-]{40,}'      # Anthropic API key
     'sk-proj-[A-Za-z0-9_-]{40,}'     # OpenAI project key
     'sk-svcacct-[A-Za-z0-9_-]{40,}'  # OpenAI service-account key
+    'sk-cp-[A-Za-z0-9_-]{60,}'       # MiniMax API key (F1088 vector — caught only after the fact)
     'xox[baprs]-[A-Za-z0-9-]{20,}'   # Slack tokens (bot/app/user/refresh)
     'AKIA[0-9A-Z]{16}'               # AWS access key ID
     'ASIA[0-9A-Z]{16}'               # AWS STS temp access key ID
diff --git a/pyproject.toml b/pyproject.toml
index 018990c..6f73d59 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "molecule-ai-workspace-runtime"
 
-version = "0.1.16"
+version = "0.1.17"
 
 description = "Molecule AI workspace runtime — shared infrastructure for all agent adapters"
 requires-python = ">=3.11"
diff --git a/tests/test_precommit_hook.py b/tests/test_precommit_hook.py
index cf2750f..239db89 100644
--- a/tests/test_precommit_hook.py
+++ b/tests/test_precommit_hook.py
@@ -139,3 +139,25 @@ def test_secret_scan_runs_on_third_party_repos(repo: Path) -> None:
     )
     assert result.returncode != 0, "secret scan must fire even without a Molecule-AI remote"
     assert "sk-ant-" in result.stderr
+
+
+@pytest.mark.skipif(_BASH is None, reason="bash not on PATH")
+def test_secret_scan_catches_minimax_sk_cp_token(repo: Path) -> None:
+    """Lock for the F1088 incident — a MiniMax sk-cp-* token leaked in
+    plaintext, undetected by the original pattern set because sk-cp- was
+    never in it. Pattern added retroactively; this test guards against
+    accidental removal."""
+    leaky = repo / "config.yml"
+    # Fake-but-pattern-matching token: 65 chars after the sk-cp- prefix.
+    leaky.write_text(
+        "minimax_key: sk-cp-FAKE_DO_NOT_USE_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
+    )
+    _run(["git", "add", "config.yml"], cwd=repo).check_returncode()
+
+    result = _run(
+        ["git", "commit", "-m", "config: minimax", "--no-gpg-sign"],
+        cwd=repo,
+        env={"GIT_AUTHOR_NAME": "test-agent", "GIT_COMMITTER_NAME": "test-agent"},
+    )
+    assert result.returncode != 0, "secret scan must catch sk-cp- MiniMax tokens"
+    assert "sk-cp-" in result.stderr