fix(hooks): surface gitleaks finding and clear block message

[ns408]

Summary

Improve the global pre-commit hook's UX when it blocks a secret commit. Previously it ran gitleaks protect --staged --no-banner --redact with no -v and aborted via a bare || exit 1, so the user saw only leaks found: N with no rule/file/line and no remedy.

Now the secret-scan block:

• adds -v so a hit prints the finding (RuleID / File / Line)
• adds --log-level error so clean commits stay fully silent
• replaces the silent exit 1 with an explicit COMMIT BLOCKED message including fix and override guidance

Only dotfiles/git/hooks/pre-commit changes; bootstrap already deploys it via cp -R to ~/.config/git/hooks.

Why

A guard that just prints a count and stops is frustrating and unteachable. Showing what/where and how to fix turns it into an actionable, educational block.

Test plan

Tested directly (no real commit needed):

printf -- '-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEF...fake...\n-----END PRIVATE KEY-----\n' > demo-key.txt
git add -f demo-key.txt
bash dotfiles/git/hooks/pre-commit ; echo "exit: $?"   # finding + COMMIT BLOCKED, exit 1
git reset ; rm -f demo-key.txt

• Hit: prints RuleID: private-key / File / Line + COMMIT BLOCKED, exit 1.
• Clean staging: no output, exit 0 (quiet-on-success).
• shellcheck clean.

Out of scope (deferred)

• pre-push message parity (it already prints actionable messages; it's a working fail-closed hook).
• Migrating gitleaks protect --staged to gitleaks git --staged (deprecated in 8.18+, still works in 8.30.1).