fix(ci): rewrite .gitleaksignore comment to avoid self-triggering scanner

Initial commit on this branch included the verbatim trigger phrase in a
.gitleaksignore comment, which itself matched generic-api-key — so the
allowlist file became its own new finding (PR #182 first run failed
fast on .gitleaksignore:6).

Rewrite the comment without the quoted phrase or rule keywords; the
fingerprint entry alone documents what's allowlisted.

Author: costajohnt

.gitleaksignore

@@ -1,9 +1,8 @@
 # Gitleaks fingerprint allowlist.
 # Format: <commit-sha>:<path>:<rule-id>:<line>
-# Add a fingerprint here only after manually verifying the finding is a false positive.
+# Add a fingerprint here only after manually verifying the finding.
 
-# False positive: gitleaks generic-api-key matches the literal phrase "key:" in a
-# Python comment ("# The key: price_50d_ago must be close to price_10d_ago.").
-# No real credential. Cannot be suppressed by editing the file because the match
-# is in commit history.
+# Verified false positive in a Python comment about momentum-strategy bar
+# indexing. Source line lives in commit history and cannot be suppressed
+# by editing the file in place.
 6eff1ebbe9074aa261688c52b5a2499734d2a1c1:tests/test_momentum_strategy.py:generic-api-key:147