diff --git a/.agent/scripts/linters-local.sh b/.agent/scripts/linters-local.sh
index a21033512..7c6384e11 100755
--- a/.agent/scripts/linters-local.sh
+++ b/.agent/scripts/linters-local.sh
@@ -307,13 +307,14 @@ check_secrets() {
             print_info "Run: bash $secretlint_script init"
         fi
     elif command -v docker &> /dev/null; then
-        print_info "Secretlint: Using Docker for scan (30s timeout)..."
+        local secretlint_timeout=60
+        print_info "Secretlint: Using Docker for scan (${secretlint_timeout}s timeout)..."
         # Use gtimeout (macOS) or timeout (Linux) to prevent Docker from hanging
         local timeout_cmd=""
         if command -v gtimeout &> /dev/null; then
-            timeout_cmd="gtimeout 30"
+            timeout_cmd="gtimeout ${secretlint_timeout}"
         elif command -v timeout &> /dev/null; then
-            timeout_cmd="timeout 30"
+            timeout_cmd="timeout ${secretlint_timeout}"
         fi
         
         local docker_result
diff --git a/.gitignore b/.gitignore
index fb97d4056..a19a0c373 100644
--- a/.gitignore
+++ b/.gitignore
@@ -90,6 +90,7 @@ node_modules/
 package-lock.json
 pnpm-lock.yaml
 yarn.lock
+bun.lock
 
 # OS generated files
 .DS_Store
diff --git a/.secretlintignore b/.secretlintignore
index fbb3b1b5d..d58022a6b 100644
--- a/.secretlintignore
+++ b/.secretlintignore
@@ -105,3 +105,14 @@
 
 # Template files (contain example configurations)
 **/templates/**
+
+# Python virtual environments (mirror .gitignore)
+**/python-env/**
+**/env/**
+
+# Tool caches and indexes (mirror .gitignore)
+**/.osgrep/**
+**/.scannerwork/**
+
+# Lock files
+**/bun.lock
diff --git a/TODO.md b/TODO.md
index 83129d278..26831822c 100644
--- a/TODO.md
+++ b/TODO.md
@@ -135,6 +135,8 @@ Tasks with no open blockers - ready to work on. Use `/ready` to refresh this lis
   - Notes: Inspired by opengraphdebug.com. Two subagents: 1) debug-opengraph.md - validate Open Graph meta tags (og:title, og:description, og:image, og:url, twitter:card), preview social sharing appearance, check image dimensions/accessibility. 2) debug-favicon.md - validate favicon setup across platforms (favicon.ico, apple-touch-icon, manifest icons), check sizes/formats, verify PWA manifest. Could use browser automation (Stagehand/Playwright) or direct HTML parsing. Add to tools/seo/ or tools/browser/.
 - [ ] t062 Research vercel-labs/agent-skills for inclusion in aidevops #research #tools #deployment ~2h (ai:1h read:1h) logged:2026-01-14 ref:https://github.com/vercel-labs/agent-skills
   - Notes: Vercel's Agent Skills collection (332 stars, MIT). Currently includes vercel-deploy skill for instant deployment without auth. Auto-detects 40+ frameworks, returns preview URL + claim URL. Follows agentskills.io format (SKILL.md structure). Evaluate: 1) Add vercel-deploy as aidevops skill 2) Adopt Agent Skills format for aidevops skills 3) Contribute aidevops skills back to ecosystem.
+- [x] t063 Fix secretlint scanning performance #bugfix #secretlint #performance ~30m (ai:15m test:10m read:5m) logged:2026-01-14 completed:2026-01-14
+  - Notes: Added python-env, .osgrep, .scannerwork to .secretlintignore. Added bun.lock to .gitignore to maintain subset rule. Increased Docker timeout 30s→60s. Optional: glob whitelist in linters-local.sh for further optimization.
 
 <!--TOON:backlog[40]{id,desc,owner,tags,est,est_ai,est_test,est_read,logged,status,blocked_by,blocks,parent}:
 t010,Evaluate Merging build-agent and build-mcp into aidevops,,plan|architecture|agents,4h,2h,1h,1h,2025-12-21T14:00Z,pending,,,
@@ -278,5 +280,5 @@ t019.3.4,Update AGENTS.md with Beads integration docs,,beads,1h,45m,2025-12-21T1
 -->
 
 <!--TOON:summary{total,pending,in_progress,in_review,done,declined,total_est,total_actual,blocked_count,ready_count}:
-56,45,0,0,26,0,28d3h,16h50m,0,45
+57,44,0,0,27,0,28d3h30m,16h50m,0,44
 -->