Summary

• Root cause of bug: gitleaks not detecting legit secrets (RSA private key) #189: The Docker runtime image was missing the `git` binary. `gitleaks git` mode shells out to `git` to traverse commit history — without it, gitleaks exits 1 with an empty report. The proxy misread exit 1 as "findings present, read report", got an empty list, and silently passed the push.
• Secondary fix: Use `--exit-code 2` so gitleaks findings produce exit 2, making runtime errors (exit 1) unambiguous from clean scans (exit 0) and findings (exit 2).
• Fail-closed: When `secret-scan: enabled: true` and the scanner errors or is unavailable, the push is now blocked with a clear message instead of silently passing.
• Smoke tests upgraded: Fake truncated PEM keys replaced with real keys from `openssl`/`ssh-keygen` (with fallback detection). Added PKCS#8 (`BEGIN PRIVATE KEY`) alongside PKCS#1 (`BEGIN RSA PRIVATE KEY`).
• CI: New `docker-smoke-test` job builds the image, seeds Gitea, and runs `push-fail-secrets.sh` + `proxy-fail-secrets.sh` end-to-end against the real Docker distribution.
• Descriptive error on blocked `/info/refs`: Previously returned a bare 403 with no body.

Test plan

• CI passes — `docker-smoke-test` job blocks all secret-containing pushes
• `GitleaksRunnerTest` — 4 tests covering `scanGit` and `scan` modes
• `SecretScanningFilterTest#scannerUnavailable_failClosed` — scanner error produces FAIL step
• `UrlRuleFilterTest` — descriptive `sendError` + `recordFetch` on blocked `/info/refs`
• Local: `source test/gitea/env.sh && bash test/push-fail-secrets.sh && bash test/proxy-fail-secrets.sh`

closes #189
closes #200