feat: add gitleaks secret scanning to quality rails (#5)

tools/quality/scripts/install.ps1

@@ -33,6 +33,10 @@ Copy-Item -Path "$TemplateDir\.eslintrc.strict.js" -Destination "$TargetDir\.esl
 Copy-Item -Path "$TemplateDir\tsconfig.strict.json" -Destination "$TargetDir\tsconfig.json" -Force -ErrorAction SilentlyContinue
 Copy-Item -Path "$TemplateDir\.woodpecker.yml" -Destination $TargetDir -Force -ErrorAction SilentlyContinue
 
+# Copy shared gitleaks config from templates root
+$SharedTemplates = Split-Path -Parent $TemplateDir
+Copy-Item -Path "$SharedTemplates\.gitleaks.toml" -Destination $TargetDir -Force -ErrorAction SilentlyContinue
+
 Write-Host "✓ Files copied"
 
 if (Test-Path "$TargetDir\package.json") {
@@ -50,4 +54,6 @@ Write-Host ""
 Write-Host "Next steps:"
 Write-Host "1. Install dependencies: npm install"
 Write-Host "2. Initialize husky: npx husky install"
-Write-Host "3. Run verification: ..\quality-rails\scripts\verify.ps1"
+Write-Host "3. Install gitleaks: winget install gitleaks"
+Write-Host "4. Run verification: ..\quality-rails\scripts\verify.ps1"
+Write-Host "5. (Optional) Scan full history: gitleaks git --redact --verbose"

tools/quality/scripts/install.sh

@@ -53,6 +53,10 @@ cp "$TEMPLATE_DIR/.eslintrc.strict.js" "$TARGET_DIR/.eslintrc.js" 2>/dev/null ||
 cp "$TEMPLATE_DIR/tsconfig.strict.json" "$TARGET_DIR/tsconfig.json" 2>/dev/null || true
 cp "$TEMPLATE_DIR/.woodpecker.yml" "$TARGET_DIR/" 2>/dev/null || true
 
+# Copy shared gitleaks config from templates root
+SHARED_TEMPLATES="$(dirname "$TEMPLATE_DIR")"
+cp "$SHARED_TEMPLATES/.gitleaks.toml" "$TARGET_DIR/" 2>/dev/null || true
+
 echo "✓ Files copied"
 
 # Check if package.json exists
@@ -71,5 +75,7 @@ echo ""
 echo "Next steps:"
 echo "1. Install dependencies: npm install"
 echo "2. Initialize husky: npx husky install"
-echo "3. Run verification: ~/.config/mosaic/bin/mosaic-quality-verify --target $TARGET_DIR"
+echo "3. Install gitleaks: https://github.com/gitleaks/gitleaks#installing"
+echo "4. Run verification: ~/.config/mosaic/bin/mosaic-quality-verify --target $TARGET_DIR"
+echo "5. (Optional) Scan full history: gitleaks git --redact --verbose"
 echo ""

tools/quality/scripts/verify.ps1

@@ -39,6 +39,40 @@ if ($output -match "no-explicit-any") {
 git reset HEAD test-file.ts 2>$null
 Remove-Item test-file.ts -ErrorAction SilentlyContinue
 
+# Test 3a: gitleaks binary must be present
+Write-Host ""
+Write-Host "Test 3a: gitleaks must be installed..."
+$gitleaksPath = Get-Command gitleaks -ErrorAction SilentlyContinue
+if ($gitleaksPath) {
+    $gitleaksVer = & gitleaks version 2>&1 | Out-String
+    Write-Host "✅ PASS: gitleaks found ($($gitleaksVer.Trim()))" -ForegroundColor Green
+    $Passed++
+} else {
+    Write-Host "❌ FAIL: gitleaks is NOT installed — secret scanning will not work" -ForegroundColor Red
+    Write-Host "  Install: winget install gitleaks"
+    $Failed++
+}
+
+# Test 3b: gitleaks detects a planted AWS key
+Write-Host ""
+Write-Host "Test 3b: gitleaks should detect planted AWS key..."
+if ($gitleaksPath) {
+    "aws_access_key_id = AKIAIOSFODNN7REALKEY" | Out-File -FilePath gitleaks-test-secret.txt -Encoding utf8
+    git add gitleaks-test-secret.txt 2>$null
+    $output = & gitleaks git --pre-commit --staged --redact 2>&1 | Out-String
+    if ($output -match "leak|finding") {
+        Write-Host "✅ PASS: gitleaks detected planted secret" -ForegroundColor Green
+        $Passed++
+    } else {
+        Write-Host "❌ FAIL: gitleaks did NOT detect planted secret" -ForegroundColor Red
+        $Failed++
+    }
+    git reset HEAD gitleaks-test-secret.txt 2>$null
+    Remove-Item gitleaks-test-secret.txt -ErrorAction SilentlyContinue
+} else {
+    Write-Host "⚠ SKIP: gitleaks not installed (Test 3a already failed)"
+}
+
 # Summary
 Write-Host ""
 Write-Host "═══════════════════════════════════════════"

tools/quality/scripts/verify.sh

@@ -40,23 +40,35 @@ fi
 git reset HEAD test-file.ts 2>/dev/null
 rm test-file.ts 2>/dev/null
 
-# Test 3: Hardcoded secret blocked (if git-secrets installed)
+# Test 3a: gitleaks binary must be present
 echo ""
-echo "Test 3: Hardcoded secrets should be blocked..."
-if command -v git-secrets &> /dev/null; then
-  echo "const password = 'SuperSecret123!';" > test-file.ts
-  git add test-file.ts 2>/dev/null
-  if git commit -m "Test commit" 2>&1 | grep -q -i "secret\|password"; then
-    echo "✅ PASS: Secrets blocked"
-    ((PASSED++))
-  else
-    echo "⚠ WARN: Secrets NOT blocked (git-secrets may need configuration)"
-    ((FAILED++))
-  fi
-  git reset HEAD test-file.ts 2>/dev/null
-  rm test-file.ts 2>/dev/null
+echo "Test 3a: gitleaks must be installed..."
+if command -v gitleaks &> /dev/null; then
+  echo "✅ PASS: gitleaks found ($(gitleaks version 2>/dev/null || echo 'unknown version'))"
+  PASSED=$((PASSED + 1))
 else
-  echo "⚠ SKIP: git-secrets not installed"
+  echo "❌ FAIL: gitleaks is NOT installed — secret scanning will not work"
+  echo "  Install: https://github.com/gitleaks/gitleaks#installing"
+  FAILED=$((FAILED + 1))
+fi
+
+# Test 3b: gitleaks detects a planted AWS key
+echo ""
+echo "Test 3b: gitleaks should detect planted AWS key..."
+if command -v gitleaks &> /dev/null; then
+  echo 'aws_access_key_id = AKIAIOSFODNN7REALKEY' > gitleaks-test-secret.txt
+  git add gitleaks-test-secret.txt 2>/dev/null
+  if gitleaks git --pre-commit --staged --redact 2>&1 | grep -q -i "leak\|finding"; then
+    echo "✅ PASS: gitleaks detected planted secret"
+    PASSED=$((PASSED + 1))
+  else
+    echo "❌ FAIL: gitleaks did NOT detect planted secret"
+    FAILED=$((FAILED + 1))
+  fi
+  git reset HEAD gitleaks-test-secret.txt 2>/dev/null
+  rm gitleaks-test-secret.txt 2>/dev/null
+else
+  echo "⚠ SKIP: gitleaks not installed (Test 3a already failed)"
 fi
 
 # Test 4: Lint error blocked