Add repository sensitive artifact guard #352

Open
GHX5T-SOL wants to merge 1 commit into SCIBASE-AI:main from GHX5T-SOL:repository-sensitive-artifact-10

@GHX5T-SOL

/claim #10

Summary

  • add a self-contained repository sensitive-artifact commit guard for Project Repository & Version Control
  • evaluate synthetic commit, tag, merge request, and export bundle metadata before sensitive artifacts become durable in repository history
  • detect synthetic credential/private-key indicators, PHI-like raw participant fields, restricted-data public exposure, notebook output leakage, sensitive path names, and Git LFS routing gaps
  • generate deterministic rewrite, LFS routing, remediation, rollback, JSON, Markdown, SVG, and H.264 MP4 reviewer artifacts

Safety

  • synthetic fixtures only in repository-sensitive-artifact-guard/sample-data.js
  • no real repository scans, real secrets, patient data, private projects, credentials, Git provider operations, or external service calls

Demo artifact

  • repository-sensitive-artifact-guard/reports/demo.mp4

Validation

  • npm run check
  • npm test (8 tests)
  • npm run demo
  • ffprobe -v error -select_streams v:0 -show_entries stream=codec_name,width,height,duration,avg_frame_rate -show_entries format=size,duration -of default=noprint_wrappers=1 repository-sensitive-artifact-guard/reports/demo.mp4 -> H.264, 1280x720, 4 seconds, 25 fps, 59,273 bytes
  • git diff --check
  • git diff --cached --check
  • gitleaks detect --source /home/kali/money/worktrees/scibase-ai --no-git --redact --exit-code 1 -> no leaks found
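
An added illustration, not code from this pull request or the SCIBASE-AI project: one way a pre-commit guard of the kind the summary lists could evaluate commit metadata for sensitive paths, private-key markers, PHI-like fields, notebook outputs, and Git LFS routing gaps. The function names, rule names, patterns, size threshold, and sample files are all constructed assumptions.

```javascript
// Added illustration, not code from this pull request. Rule names, the size
// threshold and all sample metadata are constructed assumptions.
const SENSITIVE_PATH = /(^|\/)(\.env(\..+)?|id_(rsa|ed25519)|.*\.(pem|p12|key))$/i;
const PRIVATE_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;
const PHI_FIELDS = /\b(participant_name|date_of_birth|mrn)\b/i;
const LFS_THRESHOLD = 5 * 1024 * 1024; // assumed limit for blobs kept in plain Git

// True when a suffix pattern such as "*.nii.gz" routes the path to Git LFS.
function routedToLfs(path, lfsPatterns) {
  return lfsPatterns.some((p) => p.startsWith('*') && path.endsWith(p.slice(1)));
}

// Notebook leakage: a code cell that still carries outputs. Unparseable
// notebooks are treated as leaking so the guard fails closed.
function notebookHasOutputs(content) {
  try {
    const cells = JSON.parse(content).cells || [];
    return cells.some((c) => c.cell_type === 'code' && (c.outputs || []).length > 0);
  } catch (err) {
    return true;
  }
}

// Evaluate commit metadata before it is written; findings are sorted so the
// report is deterministic for a given input.
function evaluateCommit(commit, lfsPatterns = []) {
  const findings = [];
  for (const f of commit.files) {
    const text = f.content || '';
    const add = (rule, action) => findings.push({ path: f.path, rule, action });
    if (SENSITIVE_PATH.test(f.path)) add('sensitive-path', 'block');
    if (PRIVATE_KEY.test(text)) add('private-key', 'block');
    if (PHI_FIELDS.test(text)) add('phi-field', 'block');
    if (f.path.endsWith('.ipynb') && notebookHasOutputs(text)) add('notebook-output', 'strip-outputs');
    if (f.size > LFS_THRESHOLD && !routedToLfs(f.path, lfsPatterns)) add('lfs-gap', 'route-to-lfs');
  }
  findings.sort((a, b) => (a.path + ' ' + a.rule < b.path + ' ' + b.rule ? -1 : 1));
  return { blocked: findings.some((x) => x.action === 'block'), findings };
}

const sampleCommit = { // constructed metadata only
  files: [
    { path: 'config/.env', size: 64, content: 'API_TOKEN=constructed-placeholder' },
    { path: 'keys/deploy.txt', size: 128, content: '-----BEGIN ' + 'PRIVATE KEY-----\nCONSTRUCTED' },
    { path: 'data/raw.csv', size: 512, content: 'participant_name,date_of_birth\nconstructed,1900-01-01' },
    { path: 'notebooks/a.ipynb', size: 2048, content: '{"cells":[{"cell_type":"code","outputs":[{"text":"row"}]}]}' },
    { path: 'data/scan.nii.gz', size: 40 * 1024 * 1024 },
  ],
};
console.log(JSON.stringify(evaluateCommit(sampleCommit, []), null, 2));
```

Findings marked `strip-outputs` or `route-to-lfs` do not block on their own in this sketch; only credential, key, PHI, and sensitive-path hits do.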
