fix(harness): update Dockerfile comment to accurately describe token handling

Tokens are baked into image layers at build time — the previous comment
incorrectly implied they were not stored. Updated to make the security
posture explicit: the image itself must be treated as a secret.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jesseturner21

.github/harness/Dockerfile

@@ -15,7 +15,8 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg -o
     && apt-get install -y gh \
     && rm -rf /var/lib/apt/lists/*
 
-# Tokens are passed as build args only — not stored in env vars
+# Tokens are baked into the image at build time. This image must be treated as a
+# secret and stored only in a registry with equivalent access controls.
 ARG CLONE_TOKEN
 ARG GITHUB_TOKEN