feat(devshell): add gitleaks for secret scanning

Add gitleaks package to devshell and configure pre-commit hook to scan
staged changes for hardcoded secrets. This provides defense-in-depth
against accidental secret commits using open-source tooling without
external API dependencies.

- Add gitleaks to secrets management packages
- Configure gitleaks pre-commit hook via git-hooks.nix
- Hook runs on staged files with --redact flag to protect secret values

Author: cameronraysmith

nix/modules/devshell.nix

@@ -27,6 +27,7 @@
             age
             sops
             ssh-to-age
+            gitleaks
 
             # CI/CD tools
             gh

nix/modules/pre-commit.nix

@@ -16,6 +16,13 @@
         hooks = {
           nixfmt-rfc-style.enable = true;
           biome.enable = true;
+          gitleaks = {
+            enable = true;
+            name = "gitleaks";
+            entry = "${pkgs.gitleaks}/bin/gitleaks protect --staged --verbose --redact";
+            language = "system";
+            pass_filenames = false;
+          };
         };
       };
     };