fix: restore .gitleaks.toml lost during merge (#58)

The file was created on security/scorecard-hardening branch but only
the ci.yml change was cherry-picked to main — the config file itself
was left behind. CI references --config .gitleaks.toml which caused
the Security job to fail.

Adds allowlist for test placeholder tokens (nra_00112233...) that
trigger generic-api-key false positives.

.gitleaks.toml

@@ -0,0 +1,13 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+title = "NORA gitleaks rules"
+
+[allowlist]
+  description = "Global allowlist for false positives"
+  paths = [
+    '''\.gitleaks\.toml$''',
+  ]
+  regexTarget = "match"
+  # Test placeholder tokens (e.g. nra_00112233...)
+  regexes = ['''nra_0{2}[0-9a-f]{30}''']