chore: scrub upstream-notify.yml + add gitleaks allowlist for placeholders

upstream-notify.yml:
- runs-on: self-hosted -> ubuntu-latest. The job only calls the gh CLI
  to upsert an issue; no internal resources needed. Removes the
  self-hosted-runner disclosure and frees those minutes for jobs that
  actually need self-hosted.
- Drop the comment about "185 unread tickets between Feb 18 and Mar 19,
  2026" — operational anecdote, not useful to a public reader.

.gitleaks.toml:
- New file. Extends gitleaks default rules with a tight allowlist for
  documented placeholder values (sk_live_xxx, sk_live_your_key,
  YOUR_API_KEY, ${VAR_NAME}, etc.) that appear in curl examples,
  OpenAPI/AsyncAPI specs, and llms-full.txt. Suppresses the 150 known
  benign findings while keeping real-looking tokens flagged — verified
  by injecting a fake sk_live_realLookingToken1234567890 and confirming
  it's still caught.

Author: Mlaz-code

.github/workflows/upstream-notify.yml

@@ -1,12 +1,9 @@
 name: Handle Upstream API Endpoint Change
 
-# Receives `repository_dispatch` events from upstream repos (sharp-api-go)
-# when handler files change. Dedups to ONE rolling open issue per UTC day —
-# subsequent dispatches the same day append a comment instead of opening a
-# new issue. This bounds noise at ≤1 new issue/day even at firehose rates.
-#
-# Earlier version (pre-2026-05) opened a fresh issue per dispatch, which
-# produced 185 unread tickets between Feb 18 and Mar 19, 2026.
+# Receives `repository_dispatch` events from upstream repos when handler
+# files change. Dedups to ONE rolling open issue per UTC day — subsequent
+# dispatches the same day append a comment instead of opening a new issue.
+# This bounds noise at ≤1 new issue/day even at firehose rates.
 
 on:
   repository_dispatch:
@@ -18,7 +15,7 @@ permissions:
 
 jobs:
   upsert-review-issue:
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     timeout-minutes: 5
 
     steps:

.gitleaks.toml

@@ -0,0 +1,35 @@
+# Gitleaks config — extends the default rule set with allowlists for
+# documented placeholder values. Real secrets are still caught.
+#
+# Run locally:  gitleaks git --redact=0 --log-level warn
+# CI:           any standard gitleaks-action invocation will read this file.
+
+[extend]
+useDefault = true
+
+[[allowlists]]
+description = "Documentation placeholders — these strings appear in code samples and API examples and are intentionally never real keys."
+regexes = [
+  # SharpAPI key placeholders used throughout the docs and OpenAPI spec
+  '''sk_live_(your_key|xxx|abc123def456|REDACTED|\.\.\.)\b''',
+  '''sk_test_(pro|hobby|sharp|free|your_key|xxx)\b''',
+  '''sharpapi_(new|rotated)[a-z0-9]{20,40}''',
+  # Generic placeholders
+  '''YOUR_API_KEY''',
+  '''<YOUR_[A-Z_]+>''',
+]
+
+[[allowlists]]
+description = "curl-auth-header false positives in docs — fires on placeholder credentials only. A curl line containing a real-looking token (e.g. sk_live_[A-Za-z0-9]{20,}) is NOT matched here and will still be flagged."
+paths = [
+  '''content/.+\.mdx$''',
+  '''public/llms-full\.txt$''',
+  '''public/openapi\.json$''',
+  '''public/asyncapi\.yaml$''',
+]
+regexTarget = "match"
+regexes = [
+  '''X-API-Key:\s*(sk_live_(your_key|xxx|\.\.\.|REDACTED)|sk_test_(pro|hobby|sharp|free|xxx)|YOUR_API_KEY|\$\{?[A-Z_]+\}?)''',
+  '''Authorization:\s*Bearer\s+(sk_live_(your_key|xxx|\.\.\.|REDACTED)|YOUR_API_KEY|\$\{?[A-Z_]+\}?)''',
+  '''api_key=(sk_live_(your_key|xxx|\.\.\.|REDACTED)|YOUR_API_KEY|\$\{?[A-Z_]+\}?)''',
+]