Move secretlint from inline install to declared package.json dependency #247

@WilliamBerryiii

Description

Summary

The security-scan.yml reusable workflow installs secretlint at runtime via npm install --no-save @secretlint/secretlint-rule-preset-recommend rather than declaring it as a dev dependency in package.json. This creates an implicit, unversioned dependency that can break silently when upstream versions change.

Current State

# .github/workflows/security-scan.yml
- name: Install secretlint
  run: npm install --no-save @secretlint/secretlint-rule-preset-recommend

Acceptance Criteria

  • Add @secretlint/secretlint-rule-preset-recommend to devDependencies in package.json with a pinned version
  • Add @secretlint/core to devDependencies in package.json with a pinned version
  • Update security-scan.yml to use npm ci or rely on the existing node_modules from the install step
  • Verify security-scan workflow passes in a test PR
  • Update package-lock.json
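As an added example (not part of this issue or the project's repository), a small Node script that checks the acceptance criteria above: both packages declared under devDependencies with exact pinned versions, and no remaining `npm install --no-save` step in the workflow. The package names come from the issue; the version strings and the workflow snippets are constructed sample inputs.

```javascript
// Added example, not project code. Checks that the secretlint packages
// named in the issue are declared in package.json devDependencies with
// exact (pinned) versions, and flags workflow steps that still install
// them ad hoc with "npm install --no-save" (an unversioned dependency).
const REQUIRED = [
  "@secretlint/secretlint-rule-preset-recommend",
  "@secretlint/core",
];

// Exact pin: MAJOR.MINOR.PATCH with optional prerelease/build, no range
// operator such as ^ or ~, so the lockfile and CI resolve the same version.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Returns a list of problems; an empty list means package.json passes.
function checkDevDependencies(pkg) {
  const problems = [];
  const dev = pkg.devDependencies || {};
  for (const name of REQUIRED) {
    const version = dev[name];
    if (version === undefined) {
      problems.push(`${name} missing from devDependencies`);
    } else if (!EXACT_SEMVER.test(version)) {
      problems.push(`${name} is not pinned to an exact version: "${version}"`);
    }
  }
  return problems;
}

// Returns the workflow lines that still perform a runtime, unversioned install.
function findInlineInstalls(workflowYaml) {
  return workflowYaml
    .split("\n")
    .map((line, i) => ({ line: line.trim(), n: i + 1 }))
    .filter(({ line }) => /npm\s+install\b.*--no-save/.test(line))
    .map(({ line, n }) => `line ${n}: ${line}`);
}

// Constructed sample inputs; "0.0.0" is a placeholder, not a real release.
const weakPkg = { devDependencies: { "@secretlint/core": "^0.0.0" } };
const fixedPkg = {
  devDependencies: {
    "@secretlint/secretlint-rule-preset-recommend": "0.0.0",
    "@secretlint/core": "0.0.0",
  },
};
const weakWorkflow = `- name: Install secretlint
  run: npm install --no-save @secretlint/secretlint-rule-preset-recommend`;
const fixedWorkflow = `- name: Install dependencies
  run: npm ci`;

console.log(checkDevDependencies(weakPkg), findInlineInstalls(weakWorkflow));
console.log(checkDevDependencies(fixedPkg), findInlineInstalls(fixedWorkflow));
```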

References

Metadata

Labels

ci (Continuous integration), maintainer only, maintenance (Maintenance work, no version bump), security (Security-related changes or concerns)