Add unit tests for .sandcastle/scan-secrets.mts (patterns, skip-list, diff parser)

Commit 75a09e3 shipped .sandcastle/scan-secrets.mts — the only mechanical barrier between an unattended LLM agent and a pushed credential. It is regex-on-added-lines with a SKIP_BASENAME_RE for lockfiles/binaries, plus a small git log -p parser that tracks newLineNo through hunk headers. It has zero test coverage and the author's own comment warns it's "not designed against an adversarial agent."

A regression in any one of these is invisible until a real secret slips through.

Suggested cases:

1. One positive + one negative fixture per PATTERNS entry (anthropic-api-key, stripe-live-key, stripe-test-key, github-classic-token, github-fine-pat, jwt-like, aws-access-key, slack-token, claude-oauth-env, anthropic-key-env).
2. SKIP_BASENAME_RE covers pnpm-lock.yaml, package-lock.json, yarn.lock, *.min.js, *.png, *.woff2.
3. scanDiff correctly computes newLineNo for added lines after a hunk header (@@ -10,5 +20,7 @@ → first + line is at 20).
4. --END-- boundary in commit-message scan resets state correctly.
5. <scan-error> synthetic finding fires when execFileSync throws (fail-closed behaviour).

File: .sandcastle/scan-secrets.mts:1-182