docs: update quality rails docs for gitleaks migration

- TYPESCRIPT-SETUP.md: replace stale git-secrets ref with gitleaks,
  add .gitleaks.toml to copied files list, update expected verify output
- CI-SETUP.md: add secret-scan as first pipeline stage
- README.md: clarify gitleaks in "What You Get" and CI section

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tools/quality/README.md

@@ -43,7 +43,7 @@ npx husky install
 ✅ **TypeScript strict mode** - All type checks enabled
 ✅ **ESLint blocking `any` types** - no-explicit-any: error
 ✅ **Pre-commit hooks** - Type check + lint + format before commit
-✅ **Secret scanning** - Block hardcoded passwords/API keys
+✅ **Secret scanning (gitleaks)** - Block hardcoded passwords/API keys (pre-commit + CI)
 ✅ **CI/CD templates** - Woodpecker, GitHub Actions, GitLab
 ✅ **Test coverage enforcement** - 80% threshold
 ✅ **Security scanning** - npm audit, OWASP checks
@@ -96,11 +96,12 @@ git commit -m "Add feature"
 ### CI/CD (Remote Enforcement)
 ```yaml
 # Woodpecker pipeline runs:
+✓ gitleaks (secret scanning — parallel, no deps)
 ✓ npm audit (dependency security)
 ✓ eslint (code quality)
 ✓ tsc --noEmit (type checking)
 ✓ jest --coverage (tests + coverage)
-✓ npm run build (compilation)
+✓ npm run build (compilation — gates on all above)
 
 # If any step fails, merge is blocked
 ```