Add IBM Detect Secrets scanning #67

@lucarlig

Summary

Set up the same IBM Detect Secrets guard used in IBM/mcp-context-forge for this cpex-plugins repo, so secrets are caught locally and in PR CI before merge.

Upstream reference: https://github.com/IBM/mcp-context-forge

Relevant upstream pieces to mirror/adapt:

  • .pre-commit-config.yaml / .pre-commit-lite.yaml hook using https://github.com/ibm/detect-secrets pinned to 076672a9a01abdfc7ecee2e7d14f08cdccb73976 (0.13.1+ibm.64.dss).
  • .secrets.baseline generated with --use-all-plugins.
  • Makefile helper targets for scan, audit, and pre-commit hook equivalent.
  • PR workflow that runs pre-commit on pull requests.

Why

cpex-plugins contains plugin examples, tests, manifests, config files, and CI metadata. These are common places for accidental tokens, keys, or example credentials to land. Matching the mcp-context-forge secret detection setup gives this repo the same baseline protection.

Proposed scope

  • Add IBM Detect Secrets to pre-commit for text files.
  • Generate and commit an audited .secrets.baseline for existing findings or false positives.
  • Exclude generated lockfiles and vendored/noisy artifacts as needed, similar to upstream (Cargo.lock, uv.lock, go.sum, package lockfiles, etc.).
  • Add Makefile targets such as:
    • detect-secrets-scan: update baseline with IBM Detect Secrets.
    • detect-secrets-audit: audit baseline findings.
    • detect-secrets-hook: run the same check CI/pre-commit should enforce.
  • Add or update a PR workflow so the hook runs on pull requests.
  • Document the local workflow briefly in existing developer docs if needed.

Acceptance criteria

  • pre-commit run detect-secrets --all-files or the repo equivalent fails on unaudited secrets.
  • make detect-secrets-hook passes on the current tree.
  • make detect-secrets-scan can regenerate .secrets.baseline using the pinned IBM fork.
  • PR CI runs the secret detection hook.
  • Existing legitimate test fixtures/examples are either cleaned up or explicitly audited in the baseline.
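The gate the acceptance criteria describe, as an added illustration that is not code from cpex-plugins, mcp-context-forge or the detect-secrets project: it reads a .secrets.baseline, drops paths matched by the lockfile exclusions listed above, and blocks when any remaining finding is still unaudited or has been audited as a real secret. It assumes the baseline layout of Yelp detect-secrets 0.13 (which the IBM fork derives from), where "results" maps each path to a list of findings and a finding gains "is_secret": true/false only after `detect-secrets audit`. The embedded baseline is constructed for the example and its hashed_secret values are placeholders; in the real setup the pinned IBM fork performs the scan and this logic only shows what "audited" has to mean for the hook to pass.

```python
"""Baseline gate for IBM Detect Secrets findings (added example, see lead-in)."""
import json
import re
import sys

# Constructed sample baseline; hashed_secret values are placeholders, not real hashes.
SAMPLE_BASELINE = json.dumps({
    "version": "0.13.1+ibm.64.dss",
    "plugins_used": [{"name": "AWSKeyDetector"}, {"name": "KeywordDetector"}],
    "results": {
        # Audited and judged a false positive: allowed through.
        "plugins/example/config.yaml": [
            {"type": "Secret Keyword", "filename": "plugins/example/config.yaml",
             "hashed_secret": "PLACEHOLDER_HASH_1", "line_number": 12,
             "is_verified": False, "is_secret": False},
        ],
        # Never audited: must block until someone labels it true or false.
        "tests/fixtures/creds.json": [
            {"type": "AWS Access Key", "filename": "tests/fixtures/creds.json",
             "hashed_secret": "PLACEHOLDER_HASH_2", "line_number": 3,
             "is_verified": False},
        ],
        # Generated lockfile noise: excluded by pattern, as the issue proposes.
        "Cargo.lock": [
            {"type": "Hex High Entropy String", "filename": "Cargo.lock",
             "hashed_secret": "PLACEHOLDER_HASH_3", "line_number": 40,
             "is_verified": False},
        ],
    },
})

# Exclusion regexes for vendored/generated artifacts (mirrors the issue's list).
EXCLUDE_PATTERNS = [
    r"(^|/)Cargo\.lock$",
    r"(^|/)uv\.lock$",
    r"(^|/)go\.sum$",
    r"(^|/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$",
]


def is_excluded(path, patterns=EXCLUDE_PATTERNS):
    """True when the path matches one of the exclusion regexes."""
    return any(re.search(p, path) for p in patterns)


def evaluate_baseline(baseline_text, patterns=EXCLUDE_PATTERNS):
    """Classify every non-excluded finding in the baseline.

    Returns a dict with:
      unaudited - findings with no true/false label yet (block the merge)
      confirmed - findings audited as real secrets (block the merge)
      ok        - True only when both lists are empty
    """
    baseline = json.loads(baseline_text)
    unaudited, confirmed = [], []
    for path, findings in baseline.get("results", {}).items():
        if is_excluded(path, patterns):
            continue
        for finding in findings:
            entry = (path, finding["line_number"], finding["type"])
            label = finding.get("is_secret")  # missing key or null => unaudited
            if label is None:
                unaudited.append(entry)
            elif label is True:
                confirmed.append(entry)
    return {"unaudited": unaudited, "confirmed": confirmed,
            "ok": not unaudited and not confirmed}


def hook_exit_code(baseline_text, patterns=EXCLUDE_PATTERNS):
    """Exit status a CI/pre-commit step should propagate: 0 = clean, 1 = blocked."""
    return 0 if evaluate_baseline(baseline_text, patterns)["ok"] else 1


def main(path=None):
    """Run the gate on a baseline file, or on the constructed sample when no path is given."""
    text = open(path).read() if path else SAMPLE_BASELINE
    report = evaluate_baseline(text)
    for kind in ("unaudited", "confirmed"):
        for p, line, typ in report[kind]:
            print(f"{kind}: {p}:{line} ({typ})")
    return hook_exit_code(text)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run as `python gate.py .secrets.baseline` (hypothetical file name) after `make detect-secrets-scan`; on the constructed sample it reports the unaudited fixture finding and exits 1, which is the failure mode the first acceptance criterion asks for, while the lockfile finding is silenced by the exclusion list rather than by an audit entry.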
