Fix gitleaks false positive on JWT example in docs

Replace the JWT header example (eyJhbGci...) in CLAUDE.md and README.md
with a plain placeholder; add .gitleaks.toml to allowlist the three
historical commits that already contain it so --all scanning passes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: bryanjonas

.github/workflows/secret-scan.yml

@@ -20,3 +20,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LOG_OPTS: --all
+          GITLEAKS_CONFIG: .gitleaks.toml

.gitleaks.toml

@@ -0,0 +1,13 @@
+title = "Bareclaw Gitleaks Config"
+
+[allowlist]
+description = "Allowlist for example/placeholder values in documentation"
+
+# The JWT header prefix eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 was used as a
+# documentation example in CLAUDE.md and README.md. It is not a real token.
+# Historical commits already contain this value so it must be allowlisted here.
+commits = [
+  "5aec5a21cc367a97153d063dbfc23dbafe3079fc",
+  "0dafcb4028f8c81cd4fa8bef9cb0f41d9f9430a5",
+  "02a28b0c9fc2df3973a8951e082b684fbd73b726",
+]

CLAUDE.md

@@ -160,7 +160,7 @@ bootstrap_agent: default  # optional; defaults to app's default_agent
 
 **`secrets/<id>.yaml`** (always gitignored — flat key/value):
 ```yaml
-token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+token: "your-token-here"
 ```
 The filename must match the superpower `id`. Consider `chmod 600 secrets/<id>.yaml`.
 

README.md

@@ -170,7 +170,7 @@ bootstrap_agent: default  # optional; defaults to app's default_agent
 
 **`secrets/<id>.yaml`** (always gitignored — flat key/value; filename must match superpower id):
 ```yaml
-token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+token: "your-token-here"
 ```
 
 Consider `chmod 600 secrets/<id>.yaml`. Placeholders like `{token}` in `bootstrap_prompt` are interpolated from the merged config + secrets at bootstrap time.