fix: security issues and use gitleaks (#163)

* fix(tests): remove unused test constants and helpers

Delete dead test code that caused 41 staticcheck U1000 violations:
- cli/test_constants.go (25 unused constants)
- cli/terminal_test_helpers.go (unused type, method, 7 variables)
- fileproc/test_constants.go (5 unused constants)
- fileproc/processor_test.go (2 unused helper functions)

* fix(security): replace custom secret detection with gitleaks

The hand-rolled check_secrets regex patterns produced false positives
on configKey test values, causing make security-full to fail.

Replace with gitleaks via go run for proper secret detection with
built-in rules and allowlist support for generated report files.

* chore(deps): update dependencies and fix install-tools

Update Go module dependencies to latest versions.
Fix checkmake install path and remove yamllint go install
(yamllint is a Python tool, not installable via go install).

* docs: add design document for gitleaks integration

* feat: update go to 1.25.6

scripts/install-tools.sh

@@ -86,7 +86,7 @@ check_dependencies() {
 
   if ! command -v checkmake &>/dev/null; then
     print_warning "checkmake not found, installing..."
-    go install github.com/checkmake/checkmake/cmd/checkmake@v0.2.2
+    go install github.com/mrtazz/checkmake/cmd/checkmake@v0.2.2
   fi
 
   if ! command -v eclint &>/dev/null; then
@@ -99,11 +99,6 @@ check_dependencies() {
     go install honnef.co/go/tools/cmd/staticcheck@v0.6.1
   fi
 
-  if ! command -v yamllint &>/dev/null; then
-    print_warning "yamllint not found, installing..."
-    go install mvdan.cc/yaml/cmd/yaml-lint@v2.4.0
-  fi
-
   # Formatting tools
 
   if ! command -v gofumpt &>/dev/null; then