feat: add gitleaks secret scanning to quality rails (#5)

tools/quality/templates/monorepo/.husky/pre-commit

@@ -1,2 +1,15 @@
 npx lint-staged
-npx git-secrets --scan || echo "Warning: git-secrets not installed"
+
+# Secret scanning — gitleaks is REQUIRED (not optional like git-secrets was)
+if ! command -v gitleaks &>/dev/null; then
+  echo ""
+  echo "ERROR: gitleaks is not installed. Secret scanning is required."
+  echo ""
+  echo "Install:"
+  echo "  Linux:   curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
+  echo "  macOS:   brew install gitleaks"
+  echo "  Windows: winget install gitleaks"
+  echo ""
+  exit 1
+fi
+gitleaks git --pre-commit --redact --staged --verbose

tools/quality/templates/monorepo/.woodpecker.yml

@@ -4,11 +4,19 @@ when:
 
 variables:
   - &node_image "node:20-alpine"
+  - &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
   - &install_deps |
       corepack enable
       npm ci --ignore-scripts
 
 steps:
+  # Secret scanning (runs in parallel with install, no deps)
+  secret-scan:
+    image: *gitleaks_image
+    commands:
+      - gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"
+    depends_on: []
+
   install:
     image: *node_image
     commands:
@@ -65,3 +73,4 @@ steps:
       - typecheck
       - test
       - security-audit
+      - secret-scan