* feat: add pre-commit secret scanner and CI secret detection
Add a comprehensive secret scanning system to prevent accidental
credential leaks in commits and pull requests:
- scripts/secret-scan.sh: ERE-based scanner (macOS/Linux compatible)
that detects AWS keys, API tokens, private keys, database URLs,
GitHub/GitLab/Slack/Stripe/Google/npm tokens, and hardcoded passwords
- scripts/install-hooks.sh: one-command git pre-commit hook installer
- .secretscanignore: allowlist for known false positives (test fixtures,
env var references, placeholder values)
- CI job: secret-scan step in ci.yml scans PR diffs against origin/main
- npm scripts: test:secret-scan, secret-scan, secret-scan:install-hook
- 17 tests covering detection, non-detection, binary skipping, CI mode
* fix: exclude secret-scan test file from CI scanning
The test file contains intentional fake secrets as test inputs.
Add it to .secretscanignore so CI doesn't flag them.
* fix: skip secret-scan tests on Windows (requires bash/POSIX grep)
d24095971c