chore(config): add secret detection and security validation for config files #30

@kriscoleman

Description

While the current config design correctly uses api_key_env to store environment variable names (not actual keys), there's no runtime validation to catch accidental secret leakage. A user could unknowingly paste an actual API key into a template variable or config field.

Add a validation layer that detects potential secrets in config values and warns users before saving.

Acceptance Criteria

  • Add a ValidateConfig() function to pkg/config/ that scans all string values in the config for patterns that look like secrets:
    • sk- prefix (OpenAI/Anthropic API keys)
    • ghp_ prefix (GitHub personal access tokens)
    • gho_, ghu_, ghs_ prefixes (GitHub OAuth/user/server tokens)
    • xoxb-, xoxp- prefixes (Slack tokens)
    • Long base64-like strings (>40 chars, high entropy)
  • Run validation during config.SaveConfig() -- warn the user before writing if potential secrets are detected
  • Run validation during ailloy customize interactive mode -- warn immediately when a suspicious value is entered
  • Warnings are non-blocking (user can proceed) but clearly explain the risk
  • Add unit tests for secret pattern detection with true/false positive cases
  • Audit existing config paths to confirm api_key_env is never used to store actual key values
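
An added sketch of the pattern check described in the acceptance criteria, not part of the original issue and not code from the ailloy repository. The prefixes and the >40-character rule come from the list above; the function name `LooksLikeSecret`, the 4.0 bits-per-character entropy cut-off, and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Prefixes from the issue's acceptance criteria.
var secretPrefixes = []string{"sk-", "ghp_", "gho_", "ghu_", "ghs_", "xoxb-", "xoxp-"}

// base64Like matches values made only of base64/base64url characters.
var base64Like = regexp.MustCompile(`^[A-Za-z0-9+/_=-]+$`)

// Assumed cut-off in bits per byte; the issue gives no number.
const entropyThreshold = 4.0

// shannonEntropy returns the per-byte Shannon entropy of s in bits.
func shannonEntropy(s string) float64 {
	counts, h := map[byte]int{}, 0.0
	for _, b := range []byte(s) {
		counts[b]++
	}
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// LooksLikeSecret returns the reason a value resembles a secret, or "" if none.
func LooksLikeSecret(value string) string {
	v := strings.TrimSpace(value)
	for _, p := range secretPrefixes {
		if strings.HasPrefix(v, p) && len(v) > len(p) {
			return "starts with " + p
		}
	}
	if len(v) > 40 && base64Like.MatchString(v) && shannonEntropy(v) >= entropyThreshold {
		return "long high-entropy string"
	}
	return ""
}

func main() {
	// Constructed sample values, not real credentials.
	fmt.Println(LooksLikeSecret("OPENAI_API_KEY"))         // env var name: no finding
	fmt.Println(LooksLikeSecret("ghp_EXAMPLEexample0000")) // prefix match
}
```

Prefix matching is deliberately broad, so an innocent value that happens to begin with `sk-` is also flagged; that fits the non-blocking warning model above.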
