[codex] Add claim-bounded secret scanner evidence gate

[svy04]

Summary

Adds a claim-bounded secret scanner evidence gate for Metaforge public hygiene work. The new gate records external scanner availability, hosted GitHub secret-scanning posture, remote public-surface status, and explicit non-claims so the repo can respond to public trust feedback without overstating readiness.

What changed

• Added scripts/product-secret-scanner-evidence.ts plus tests.
• Wired product:secret-scanner-evidence into product:quality and non-mutating product:secret-scanner-evidence:check into verify:privacy.
• Added generated JSON, Markdown, and JSONL evidence artifacts.
• Updated evidence manifest and product-quality gate checks so the new report is required, hash-bound, and claim-bounded.
• Refreshed source-controlled product-quality evidence from a full local bun run product:quality pass.

Claim boundary

This does not claim full-history secret cleanliness, GitHub alert cleanliness, release readiness, production readiness, public security posture, or external validation. Current evidence records missing local scanner binaries plus disabled hosted secret scanning and push protection as gaps.

Validation

• bun test scripts/product-secret-scanner-evidence.test.ts scripts/product-evidence-manifest.test.ts scripts/product-github-hosted-trust-posture.test.ts scripts/product-github-remote-surface-audit.test.ts
• bun run typecheck --pretty false
• bun run product:secret-scanner-evidence
• bun run product:evidence-manifest
• bun run product:public-claim-boundary
• bun run scripts/product-quality-gate.ts
• bun run verify:privacy
• bun run product:quality
• git diff --check
• git diff --cached --check

[svy04]

Superseded by #163, which rebased the claim-bounded secret scanner evidence gate on current main, passed CI, and was merged.