docs: update quality rails docs for gitleaks migration

- TYPESCRIPT-SETUP.md: replace stale git-secrets ref with gitleaks,
  add .gitleaks.toml to copied files list, update expected verify output
- CI-SETUP.md: add secret-scan as first pipeline stage
- README.md: clarify gitleaks in "What You Get" and CI section

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tools/quality/docs/CI-SETUP.md

@@ -8,12 +8,13 @@ Quality Rails includes `.woodpecker.yml` template.
 
 ### Pipeline Stages
 
-1. **Install** - Dependencies
-2. **Security Audit** - npm audit for CVEs
-3. **Lint** - ESLint checks
-4. **Type Check** - TypeScript compilation
-5. **Test** - Jest with coverage thresholds
-6. **Build** - Production build
+1. **Secret Scan** - gitleaks scans latest commit for hardcoded secrets (runs in parallel, no deps)
+2. **Install** - Dependencies
+3. **Security Audit** - npm audit for CVEs
+4. **Lint** - ESLint checks
+5. **Type Check** - TypeScript compilation
+6. **Test** - Jest with coverage thresholds
+7. **Build** - Production build (gates on all above)
 
 ### Configuration
 

tools/quality/docs/TYPESCRIPT-SETUP.md

@@ -24,11 +24,12 @@ git clone git@git.mosaicstack.dev:mosaic/quality-rails.git
 ```
 
 This copies:
-- `.husky/pre-commit` - Git hooks
+- `.husky/pre-commit` - Git hooks (lint-staged + gitleaks)
 - `.lintstagedrc.js` - Pre-commit checks
 - `.eslintrc.js` - Strict ESLint rules
 - `tsconfig.json` - TypeScript strict mode
 - `.woodpecker.yml` - CI pipeline
+- `.gitleaks.toml` - Secret scanning config
 
 ### 3. Install Dependencies
 
@@ -75,6 +76,8 @@ Should output:
 ```
 ✅ PASS: Type errors blocked
 ✅ PASS: 'any' types blocked
+✅ PASS: gitleaks found (8.24.0)
+✅ PASS: gitleaks detected planted secret
 ✅ PASS: Lint errors blocked
 ```
 
@@ -125,7 +128,7 @@ On every `git commit`, runs:
 1. ESLint with --max-warnings=0
 2. TypeScript type check
 3. Prettier formatting
-4. Secret scanning (if git-secrets installed)
+4. Secret scanning via gitleaks (required)
 
 If any fail → **commit blocked**.