ci(security): allowlist test fixtures and historic backup dirs in gitleaks

The gitleaks job reported 389 leaks, but every match fell into one of:
  - eyJ...invalid_signature fake JWTs in *_test.go (used to exercise
    auth failure paths — never a real credential)
  - veza-backend-api/internal/services/.backup-pre-uuid-migration/
    which existed in commits 2425c15b0 / 2425c15b0 but is gone from HEAD;
    gitleaks scans full git history so removing the dir would not help
  - test-jwt-secret / test-internal-api-key constants in setupTestRouter

Add a .gitleaks.toml that extends the v8 default ruleset and allowlists
those paths and stopwords. Update the workflow to pass --config so the
file is honored.

.github/workflows/security-scan.yml

@@ -25,4 +25,4 @@ jobs:
                   chmod +x gitleaks
 
             - name: Run gitleaks
-              run: ./gitleaks detect --source . --no-banner -v
+              run: ./gitleaks detect --source . --no-banner -v --config .gitleaks.toml

.gitleaks.toml

@@ -0,0 +1,29 @@
+title = "Veza gitleaks config"
+
+# Inherit gitleaks v8 default ruleset
+[extend]
+useDefault = true
+
+# Project-wide allowlist
+#
+# Rationale:
+#   - *_test.go files contain fake JWTs (eyJ...invalid_signature) used to
+#     exercise auth failure paths. They are NOT real credentials.
+#   - The .backup-pre-uuid-migration/ directory existed in older commits
+#     (fa2087258, 2425c15b0) but was already removed from HEAD. Gitleaks
+#     scans full git history by default, so we still need to allowlist it.
+#   - test fixture secrets (test-jwt-secret, etc.) are deterministic strings
+#     never used outside of test setup.
+[allowlist]
+description = "Allowlist test fixtures and historical migration backup dirs"
+paths = [
+    '''.*_test\.go$''',
+    '''.*\.backup-pre-uuid-migration/.*''',
+    '''veza-backend-api/internal/services/\.backup-pre-uuid-migration/.*''',
+]
+stopwords = [
+    "invalid_signature",
+    "test-jwt-secret",
+    "test-secret",
+    "test-internal-api-key",
+]