fix: remove committed private keys and add gitleaks CI

- Remove all cert files from git tracking (git rm --cached)
  - crates/pm-agent-client/certs/client.key (private key)
  - crates/pm-agent-client/certs/client.crt (public cert)
  - crates/pm-agent-client/certs/ca.crt (public cert)
- Add .gitignore patterns for *.key, *.key.pem, certs/*.crt, certs/*.pem
- Update pm-agent-client doc examples to use std::fs::read() instead of include_bytes!
- Add gitleaks secret scanning job to CI workflow
- Update security-review.md with critical finding for Issue #12
- Add README.md to crates/pm-agent-client/certs/ explaining runtime cert generation

Private keys were dev/test only - no production key rotation needed.
Git history purge with filter-repo will follow after PR merge.

Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>

crates/pm-agent-client/certs/README.md

@@ -0,0 +1,31 @@
+# Agent Client Certificates
+
+**⚠️ Private keys are NOT committed to version control.**
+
+This directory holds mTLS certificates used by `pm-agent-client` for testing.
+The entire directory is excluded from git via `.gitignore`.
+
+## Generating Test Certificates
+
+Certificates are generated automatically on first run by the `pm-ca` service,
+or you can generate them manually for development:
+
+```bash
+# Create certs directory if it doesn't exist
+mkdir -p crates/pm-agent-client/certs
+
+# Generate using the pm-ca service (preferred)
+# Or copy from /etc/patch-manager/certs/ on a deployed host
+```
+
+## Production Deployment
+
+Production certificates are managed by `pm-ca` at `/etc/patch-manager/certs/`.
+The `pm-agent-client` reads certificates from file paths configured in
+`config.toml` (`agent_client_cert_path`, `agent_client_key_path`, `ca_cert_path`).
+
+## Security
+
+- **Never commit private keys** (`*.key`, `*.key.pem`) to version control
+- The `gitleaks` CI check scans for accidentally committed secrets
+- See `SECURITY.md` and `docs/security-review.md` for full details