chore(security): add gitleaks config allowlisting vendored/test fixtures

Suppress false positives so `gitleaks detect` is clean:
- third_party/* (cargokit ships a public binary-verification key)
- workspace_management_unit_test.dart (obfuscated "token" fixture)
- gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair)

Real leaked secrets are purged from history, not allowlisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitleaks.toml

@@ -0,0 +1,26 @@
+# gitleaks config for xworkmate-app
+# Keeps all default rules, and allowlists known non-secret findings:
+#   - vendored third-party code (cargokit ships a *public* verification key)
+#   - unit-test fixtures (hardcoded "device-1" / "token" test vectors)
+# Real leaked credentials are NOT allowlisted here — they are purged from
+# history and rotated.
+
+title = "xworkmate-app gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Vendored third-party code and unit-test fixtures (no real secrets)"
+paths = [
+  # cargokit (super_native_extensions) ships a public binary-verification key
+  '''third_party/.*''',
+  # Dart unit-test fixtures: obfuscated "token" / fake TF password assertions
+  '''test/features/workspace_management/workspace_management_unit_test\.dart''',
+  # Go unit-test fixtures: hardcoded "device-1" identity key pair
+  '''go/go_core/internal/gatewayruntime/runtime_test\.go''',
+]
+regexes = [
+  # cargokit public key value, in case it is referenced outside third_party/
+  '''test-public-key-hex''',
+]