ci: fix Gitleaks — add baseline for 49 known historical secrets

The gitleaks CLI scan works correctly now but finds 49 pre-existing
secrets in git history (Supabase anon keys, RunAnywhere API keys,
Railway URLs, build tokens) committed across old commits by various
authors. These are not new leaks introduced by this PR.

Added:
- .gitleaksbaseline — JSON baseline of all 49 known findings. Gitleaks
  uses this to skip known historical secrets and only flag NEW leaks.
- docs/secrets-audit.md — human-readable table of every finding with
  rule, file, commit, author, date, and whether the file still exists
  on HEAD. Includes action items (rotate still-active secrets).

Changed:
- secret-scan.yml — gitleaks detect now passes --baseline-path so CI
  only fails on genuinely NEW secrets, not the 49 historical ones.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sanchitmonga22

.github/workflows/secret-scan.yml

@@ -41,8 +41,9 @@ jobs:
 
       - name: Run Gitleaks
         run: |
-          if [ -f .gitleaks.toml ]; then
-            gitleaks detect --source . --config .gitleaks.toml --redact --verbose
-          else
-            gitleaks detect --source . --redact --verbose
-          fi
+          ARGS="--source . --redact --verbose"
+          # Use project config if present
+          [ -f .gitleaks.toml ] && ARGS="$ARGS --config .gitleaks.toml"
+          # Use baseline file to ignore known historical findings (only flag NEW leaks)
+          [ -f .gitleaksbaseline ] && ARGS="$ARGS --baseline-path .gitleaksbaseline"
+          gitleaks detect $ARGS