
Commit 187d820

chore(gitleaks): allowlist shell-variable Bearer headers (false positive)
The authorization-header-value rule fires on `-H "Authorization: Bearer $BOB_TOKEN"` because the broad `\S+` match treats the shell variable as a high-entropy literal. The actual token comes from $BOB_TOKEN at runtime (set elsewhere in the flow), not from the literal source text. Adds a narrowly scoped allowlist regex matching only the shell variable expansion form (`$VAR` / `${VAR}`). A genuinely hardcoded Bearer string like `Bearer abc123def456...` still trips the rule because the allowlist regex requires a literal `$`. Triggered on PR #496 (the agent_buy_with_retry helper inherited the existing flow-13/14 step 46 idiom; the original sites in flow-03/04 and buy-external are pre-existing on main and so never appeared in a PR diff scan).
1 parent 3cea3fb commit 187d820
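The commit message describes which header forms the new allowlist entry should and should not suppress. The following is an added example (not the project's code) that reproduces gitleaks' allowlist evaluation in miniature and runs the committed allowlist regex over constructed sample lines. The detection rule regex used here is an assumption standing in for the repo's `authorization-header-value` rule, whose real pattern is not shown on this page; the `regex_target` parameter mirrors gitleaks' allowlist `regexTarget` option (`secret`, `match`, or `line`).

```python
import re

# Constructed stand-in for the repo's `authorization-header-value` rule
# (ASSUMPTION: the real rule pattern is not shown; this one captures the
# token after the scheme in group 1, as a rule that isolates the secret would).
RULE_RE = re.compile(r'Authorization:\s+(?:Basic|Bearer)\s+(\S+)')

# The allowlist regex exactly as committed in .gitleaks.toml.
ALLOW_RE = re.compile(r'Authorization:\s+(?:Basic|Bearer)\s+\$\{?[A-Za-z_][A-Za-z0-9_]*')


def scan_line(line, regex_target="secret"):
    """Return (secret, allowlisted) for every rule hit on one line.

    regex_target mirrors gitleaks' allowlist `regexTarget`:
      'secret' (gitleaks' default) tests the allowlist regex against the
               captured token only,
      'match'  tests it against the whole rule match,
      'line'   tests it against the entire source line.
    """
    hits = []
    for m in RULE_RE.finditer(line):
        secret = m.group(1)
        target = {"secret": secret, "match": m.group(0), "line": line}[regex_target]
        hits.append((secret, bool(ALLOW_RE.search(target))))
    return hits


def leaked_secrets(lines, regex_target="secret"):
    """Secrets that survive the allowlist, i.e. what gitleaks would report."""
    return [
        secret
        for line in lines
        for secret, allowed in scan_line(line, regex_target)
        if not allowed
    ]


# Constructed sample lines: two shell-variable forms and one hardcoded literal.
SAMPLE = [
    'curl -H "Authorization: Bearer $BOB_TOKEN" "$API/buy"',
    "curl -H 'Authorization: Basic ${LITELLM_KEY}' \"$API/keys\"",
    'curl -H "Authorization: Bearer abc123def456ghi789jkl012" "$API/buy"',
]

if __name__ == "__main__":
    for target in ("secret", "match", "line"):
        print(target, "->", leaked_secrets(SAMPLE, target))
```

Under `match` or `line` only the hardcoded literal survives the allowlist, which is the behaviour the commit message describes. Under the default `secret` target the allowlist regex is tested against the captured token alone, where the leading `Authorization:` can never match, so all three lines are still reported; whether that applies depends on whether the real rule uses a capture group and what `regexTarget` the allowlist sets.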

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

.gitleaks.toml

@@ -44,6 +44,12 @@ regexes = [
4444
'''test test test test test test test test test test test junk''',
4545
# USDC storage slot values (uint256 padded, not secrets)
4646
'''0x0{50,}[0-9a-fA-F]{1,14}''',
47+
# Shell variable expansion in HTTP Auth headers — the actual secret
48+
# comes from $BOB_TOKEN / $LITELLM_KEY / etc. at runtime, not from
49+
# the literal source text. Matches `Authorization: Bearer $VAR` and
50+
# `Authorization: Basic ${VAR}` forms only; a hardcoded literal still
51+
# trips the rule because the allowlist regex requires a literal `$`.
52+
'''Authorization:\s+(?:Basic|Bearer)\s+\$\{?[A-Za-z_][A-Za-z0-9_]*''',
4753
]
4854
paths = [
4955
# Gitleaks own config
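Review bot: the new regex at line 52 begins with `Authorization:\s+(?:Basic|Bearer)`, but this hunk does not show a `regexTarget` for the allowlist, and gitleaks' default target is the captured secret rather than the full match or line. If the `authorization-header-value` rule isolates the token in a capture group, the allowlist regex is tested against `$BOB_TOKEN` alone, where `Authorization:` cannot match, and the false positive described in the commit message is not suppressed; either confirm the allowlist sets `regexTarget = "match"` (or `"line"`), or drop the header prefix and match the `\$\{?[A-Za-z_][A-Za-z0-9_]*` part against the secret. Separately, the pattern has no closing boundary, so `Authorization: Bearer ${PREFIX}abc123...` is allowlisted as long as it starts with a variable; appending something like `\}?(?:["'\s]|$)` would keep the literal-suffix case on the rule's radar while preserving the `$VAR` / `${VAR}` forms the comment promises.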
