Guard placeholder safety scans

[kriptoburak]

Summary

• add regression coverage that allowed API-key placeholders do not suppress private wording findings
• keep public safety scans strict when placeholder examples share a line with confidential phrases

Validation

• uv run ruff format tests/test_public_safety.py
• uv run ruff format --check tests/test_public_safety.py
• uv run ruff check tests/test_public_safety.py
• uv run pytest tests/test_public_safety.py
• uv run ruff format --check .
• uv run ruff check .
• uv run basedpyright
• uv run pytest --cov=hermes_tweet --cov=tests --cov-report=term-missing --cov-fail-under=100
• uv run bandit -q -r hermes_tweet scripts
• uv run python scripts/check_public_safety.py
• uv run pip-audit
• uv run python scripts/check_public_links.py
• uv run python scripts/check_hermes_agent_compat.py
• uv build
• uv run twine check dist/*
• actionlint
• git diff --check

Note

Add test to verify placeholder expressions do not suppress private wording detection in scan_line

Adds a pytest test in test_public_safety.py that checks check_public_safety.scan_line correctly flags 'internal cost' wording in a README line that also contains an API key assignment and f-string placeholder expressions. This guards against a regression where placeholder rendering could mask private wording matches.

^{Macroscope summarized ab893ae.}