feat: add gitleaks secret scanning to quality rails

Replace non-blocking git-secrets with mandatory gitleaks scanning:
- Pre-commit: blocks commit if gitleaks not installed or secrets found
- CI: pinned gitleaks Docker image scans each commit in Woodpecker
- Shared .gitleaks.toml with 12 custom rules for database URLs,
  alembic.ini, bearer tokens, PEM keys, docker-compose secrets, etc.
- Stopwords suppress localhost/changeme/placeholder false positives
- Install/verify scripts updated for gitleaks (no longer optional)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tools/quality/scripts/install.ps1

@@ -33,6 +33,10 @@ Copy-Item -Path "$TemplateDir\.eslintrc.strict.js" -Destination "$TargetDir\.esl
 Copy-Item -Path "$TemplateDir\tsconfig.strict.json" -Destination "$TargetDir\tsconfig.json" -Force -ErrorAction SilentlyContinue
 Copy-Item -Path "$TemplateDir\.woodpecker.yml" -Destination $TargetDir -Force -ErrorAction SilentlyContinue
 
+# Copy shared gitleaks config from templates root
+$SharedTemplates = Split-Path -Parent $TemplateDir
+Copy-Item -Path "$SharedTemplates\.gitleaks.toml" -Destination $TargetDir -Force -ErrorAction SilentlyContinue
+
 Write-Host "✓ Files copied"
 
 if (Test-Path "$TargetDir\package.json") {
@@ -50,4 +54,6 @@ Write-Host ""
 Write-Host "Next steps:"
 Write-Host "1. Install dependencies: npm install"
 Write-Host "2. Initialize husky: npx husky install"
-Write-Host "3. Run verification: ..\quality-rails\scripts\verify.ps1"
+Write-Host "3. Install gitleaks: winget install gitleaks"
+Write-Host "4. Run verification: ..\quality-rails\scripts\verify.ps1"
+Write-Host "5. (Optional) Scan full history: gitleaks git --redact --verbose"