feat: add gitleaks secret scanning to quality rails

Replace non-blocking git-secrets with mandatory gitleaks scanning:
- Pre-commit: blocks commit if gitleaks not installed or secrets found
- CI: pinned gitleaks Docker image scans each commit in Woodpecker
- Shared .gitleaks.toml with 12 custom rules for database URLs,
  alembic.ini, bearer tokens, PEM keys, docker-compose secrets, etc.
- Stopwords suppress localhost/changeme/placeholder false positives
- Install/verify scripts updated for gitleaks (no longer optional)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tools/quality/templates/monorepo/.husky/pre-commit

@@ -1,2 +1,15 @@
 npx lint-staged
-npx git-secrets --scan || echo "Warning: git-secrets not installed"
+
+# Secret scanning — gitleaks is REQUIRED (not optional like git-secrets was)
+if ! command -v gitleaks &>/dev/null; then
+  echo ""
+  echo "ERROR: gitleaks is not installed. Secret scanning is required."
+  echo ""
+  echo "Install:"
+  echo "  Linux:   curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
+  echo "  macOS:   brew install gitleaks"
+  echo "  Windows: winget install gitleaks"
+  echo ""
+  exit 1
+fi
+gitleaks git --pre-commit --redact --staged --verbose