
Improve secrets classification evidence gates #1371

Open

MAUROCERON wants to merge 1 commit into UnitOneAI:main from MAUROCERON:improve/secrets-classification-gates-1105

Conversation

@MAUROCERON

Summary

Implements #1105 by strengthening secrets-management secret classification so reviewers reduce public-by-design false positives while catching encoded Kubernetes Secret and modern provider-token false negatives.

Changes

  • Adds modern provider token patterns for OpenAI project keys, Google API keys, Stripe restricted keys, Slack app-level tokens, npm, Hugging Face, SendGrid, Twilio, and GCP service-account JSON private-key fields.
  • Adds a Public-by-Design Keys classification table for Stripe publishable keys, Firebase Web API keys, Sentry public DSNs, Algolia search-only keys, and Google Maps browser keys.
  • Adds encoded secret handling for Kubernetes Secret data: blocks and large credential-adjacent base64 blobs, with decode-and-rescan guidance that never prints decoded values.
  • Adds high-entropy non-secret filters for SRI hashes, digests, commit SHAs, lockfile hashes, and UUIDs.
  • Requires detect-secrets baseline audit/freshness evidence, not only baseline presence.
  • Adds edge-case fixtures covering public client keys, encoded DB URLs, encoded service-account JSON, modern token prefixes, digest/UUID false positives, and poisoned baselines.

Validation

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
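The classification rules listed in the Changes above (provider-token prefixes, a public-by-design allowlist, high-entropy non-secret filters, and decode-and-rescan of Kubernetes Secret data without ever emitting the decoded value) as one runnable scanner. This is an added example written for this review, not code from the PR or from the UnitOneAI repository. The token prefixes are the ones the named providers publish; the browser-key context markers, the credential-adjacent key-name list, the 40-character blob threshold, the helper names and the fixture files are this example's own assumptions, and the fixtures are constructed (no real credentials).

```python
"""Secret classification with public-by-design allowlisting, high-entropy
non-secret filters and decode-and-rescan of encoded Kubernetes Secret data.
Added example for this review, not code from the PR or the UnitOneAI repo.
Findings carry a hash fingerprint of the match, never the matched text."""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass

# Credential-shaped tokens whose published prefix identifies provider and purpose (subset).
PROVIDER_TOKENS = {
    "openai-project-key":      re.compile(r"\bsk-proj-[A-Za-z0-9_-]{20,}"),
    "stripe-secret-key":       re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "stripe-restricted-key":   re.compile(r"\brk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "slack-app-level-token":   re.compile(r"\bxapp-\d-[A-Za-z0-9-]{20,}"),
    "npm-access-token":        re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "huggingface-token":       re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "sendgrid-api-key":        re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}"),
    "gcp-service-account-key": re.compile(r'"private_key"\s*:\s*"-----BEGIN (?:RSA )?PRIVATE KEY-----'),
    "database-url-with-password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@"),
}
# Same-shaped strings that are meant to ship to clients: report, never gate on them.
PUBLIC_BY_DESIGN = {
    "stripe-publishable-key": re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "sentry-public-dsn": re.compile(r"https://[0-9a-f]{32}@[a-z0-9.-]+\.ingest\.sentry\.io/\d+"),
}
# Google API keys have one shape for browser (Firebase/Maps) and server use; the
# split is by surrounding context. The context markers are ASSUMED for this example.
GOOGLE_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")
BROWSER_KEY_CONTEXT = re.compile(r"firebaseConfig|apiKey|NEXT_PUBLIC_|VITE_|REACT_APP_|maps\.googleapis\.com")
# High-entropy strings that are not secrets; masked out before any classification runs.
NON_SECRET = [
    re.compile(r"\bsha(?:256|384|512)-[A-Za-z0-9+/]{40,}={0,2}"),  # SRI / lockfile integrity
    re.compile(r"\bsha256:[0-9a-f]{64}\b"),                         # OCI / content digest
    re.compile(r"\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b"),               # git commit SHA / hex digest
    re.compile(r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"),  # UUID
]
ENCODED_ENTRY = re.compile(r'^\s*([\w.\-]+)\s*[:=]\s*"?([A-Za-z0-9+/]{16,}={0,2})"?\s*$')
CREDENTIAL_ADJACENT = re.compile(r"pass|pwd|secret|token|key|cred|url|dsn|auth", re.I)
MIN_BLOB_LEN = 40  # assumed: smaller base64 outside a Secret data: block is not decoded


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    classification: str  # "secret" | "review" | "public-by-design"
    origin: str          # "" for plain text, or "<key> (base64-decoded)"
    fingerprint: str     # sha256 prefix of the matched text, never the text itself


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_line(line, path, lineno, origin=""):
    masked = line
    for pat in NON_SECRET:  # blank out digests/SHAs/UUIDs so they cannot match below
        masked = pat.sub(lambda m: " " * len(m.group()), masked)
    out = []
    for kind, pat in PUBLIC_BY_DESIGN.items():
        out += [Finding(path, lineno, kind, "public-by-design", origin, fingerprint(m.group()))
                for m in pat.finditer(masked)]
    for m in GOOGLE_API_KEY.finditer(masked):
        if BROWSER_KEY_CONTEXT.search(masked):
            out.append(Finding(path, lineno, "google-browser-api-key", "public-by-design", origin, fingerprint(m.group())))
        else:
            out.append(Finding(path, lineno, "google-api-key", "review", origin, fingerprint(m.group())))
    for kind, pat in PROVIDER_TOKENS.items():
        out += [Finding(path, lineno, kind, "secret", origin, fingerprint(m.group()))
                for m in pat.finditer(masked)]
    return out


def scan_document(text, path):
    findings = []
    is_secret_manifest = re.search(r"^kind:\s*Secret\s*$", text, re.M) is not None
    in_data = False  # inside the data: block of a Kubernetes Secret
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_secret_manifest:
            if re.match(r"^data:\s*$", line):
                in_data = True
                continue
            if in_data and line and not line[0].isspace():
                in_data = False
        findings += scan_line(line, path, lineno)
        m = ENCODED_ENTRY.match(line)
        if not m:
            continue
        key, blob = m.groups()
        if not (in_data or (CREDENTIAL_ADJACENT.search(key) and len(blob) >= MIN_BLOB_LEN)):
            continue
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # binary (cert bundle) or not base64: left for manual review
        for sub in decoded.splitlines():  # rescan decoded text; only fingerprints leave here
            findings += scan_line(sub, path, lineno, f"{key} (base64-decoded)")
    return findings


def gate(findings):
    """Findings that should block a merge: confirmed secrets and review items."""
    return [f for f in findings if f.classification != "public-by-design"]


def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed fixtures (no real credentials): public client keys, a server .env with an
# encoded DB URL and digest/UUID false positives, and an encoded Kubernetes Secret.
DB_URL = "postgres://app:hunter2@db.internal:5432/app"
SA_JSON = '{"type":"service_account","private_key":"-----BEGIN PRIVATE KEY-----\\nMIIEvEXAMPLE\\n-----END PRIVATE KEY-----\\n"}'
SAMPLE_FILES = {
    "web/firebase.js": (
        'const firebaseConfig = { apiKey: "AIzaSyD-EXAMPLE000000000000000000000000", projectId: "demo" };\n'
        'const stripe = Stripe("pk_test_51EXAMPLE000000000000000");\n'
        'Sentry.init({ dsn: "https://0123456789abcdef0123456789abcdef@o123456.ingest.sentry.io/7654321" });\n'
        '<script integrity="sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="></script>\n'),
    "server/.env": (
        "OPENAI_API_KEY=sk-proj-EXAMPLEabcdefghijklmnopqrstuvwxyz0123\n"
        "STRIPE_RESTRICTED=rk_live_EXAMPLE00000000000000000000\n"
        "GOOGLE_API_KEY=AIzaSyD-EXAMPLE000000000000000000000000\n"
        "BUILD_COMMIT=0123456789abcdef0123456789abcdef01234567\n"
        "REQUEST_ID=123e4567-e89b-12d3-a456-426614174000\n"
        f"DB_URL_B64={_b64(DB_URL)}\n"),
    "k8s/secret.yaml": (
        "apiVersion: v1\nkind: Secret\nmetadata:\n  name: app-db\ntype: Opaque\ndata:\n"
        f"  DATABASE_URL: {_b64(DB_URL)}\n"
        f"  sa.json: {_b64(SA_JSON)}\n"
        f"  image.digest: {_b64('sha256:' + 'ab' * 32)}\n"),
}


def scan_files(files):
    return [f for path, text in files.items() for f in scan_document(text, path)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.classification:17} {f.path}:{f.line} {f.kind} {f.origin} fp={f.fingerprint}")
```

On the fixtures the web file yields only public-by-design findings, so it passes the gate; the .env yields two provider secrets, the context-free Google key as a review item, and the DB password recovered only through the decoded `DB_URL_B64` blob, while the commit SHA and UUID produce nothing; the Kubernetes manifest surfaces the encoded DB URL and the service-account private key, and the encoded image digest is filtered after decoding. Every finding is keyed by fingerprint and origin, so a reviewer can locate the entry without the decoded value appearing in CI logs.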

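The baseline-evidence requirement above (a detect-secrets baseline must show audit and freshness evidence, not merely exist) as a standalone gate. This is an added example for this review, not code from the PR or the repository. It reads the baseline layout that detect-secrets writes (a top-level `generated_at`, and `results` keyed by file with `type`, `hashed_secret`, `line_number` and, once audited, `is_secret` on each entry); the 30-day freshness window, the rule that a dismissed high-confidence type needs justification, and the constructed sample baselines are this example's own assumptions.

```python
"""Evidence gate for a detect-secrets baseline: presence is not enough.
Added example for this review, not code from the PR or the repository.
Freshness window and the high-confidence dismissal rule are assumed policy."""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 30                                      # assumed freshness window
HIGH_CONFIDENCE_TYPES = {"Private Key", "AWS Access Key"}  # assumed: never silently dismissed


def check_baseline(baseline_json: str, now: datetime) -> list:
    """Return a list of gate failures; an empty list means the baseline is acceptable."""
    try:
        baseline = json.loads(baseline_json)
    except json.JSONDecodeError as exc:
        return [f"baseline is not valid JSON: {exc}"]
    problems = []
    generated = baseline.get("generated_at")
    if not generated:
        problems.append("baseline has no generated_at timestamp")
    else:
        generated_at = datetime.fromisoformat(generated.replace("Z", "+00:00"))
        if now - generated_at > timedelta(days=MAX_AGE_DAYS):
            problems.append(f"baseline is stale: generated {generated}, older than {MAX_AGE_DAYS} days")
    for path, entries in baseline.get("results", {}).items():
        for entry in entries:
            where = f"{path}:{entry.get('line_number')} ({entry.get('type')})"
            verdict = entry.get("is_secret")      # absent/None = never audited
            if verdict is None:
                problems.append(f"unaudited finding: {where}")
            elif verdict is True:
                problems.append(f"confirmed secret still present: {where}")
            elif entry.get("type") in HIGH_CONFIDENCE_TYPES:
                problems.append(f"high-confidence type dismissed without justification: {where}")
    return problems


def _baseline(generated_at, entries):
    """Build a constructed baseline in the detect-secrets layout (hashes are made up)."""
    return json.dumps({"version": "1.5.0", "generated_at": generated_at,
                       "results": {"tests/fixtures/keys.py": entries}})

_ENTRY = {"filename": "tests/fixtures/keys.py", "is_verified": False, "line_number": 3,
          "hashed_secret": "2d0cf5e4b0d8f3e7a5b9c1d2e3f4a5b6c7d8e9f0"}
GOOD_BASELINE = _baseline("2024-05-20T10:00:00Z", [dict(_ENTRY, type="Secret Keyword", is_secret=False)])
STALE_BASELINE = _baseline("2023-01-01T00:00:00Z", [dict(_ENTRY, type="Secret Keyword", is_secret=False)])
UNAUDITED_BASELINE = _baseline("2024-05-20T10:00:00Z", [dict(_ENTRY, type="Secret Keyword")])
POISONED_BASELINE = _baseline("2024-05-20T10:00:00Z", [dict(_ENTRY, type="Private Key", is_secret=False)])

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, b in [("good", GOOD_BASELINE), ("stale", STALE_BASELINE),
                    ("unaudited", UNAUDITED_BASELINE), ("poisoned", POISONED_BASELINE)]:
        print(name, check_baseline(b, now) or "ok")
```

Passing `now` explicitly keeps the gate deterministic in CI and tests; the poisoned fixture shows why audit evidence alone is insufficient: an entry marked `is_secret: false` is audited, but a private key dismissed that way should still be surfaced to a reviewer.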