FORGEJO_TOKEN secret injected via env var (not inline expression) to avoid CI injection risk; git insteadOf redirect authenticates the git+https:// circuitforge-core VCS URL at install time.
Completes issue #7 (public mirror setup): - .githooks/pre-commit: blocks sensitive filenames (.env, *.key, *.pem, id_rsa, credentials.json, etc.) and credential content patterns (private key headers, AWS keys, GitHub tokens, Stripe secret keys, generic API key assignments) from being committed - .github/ISSUE_TEMPLATE/support_request.md: third issue template for usage questions alongside existing bug report and feature request
