feat: add secret boundary governance finding #22

Merged: CoderDeltaLAN merged 1 commit into main from feat/add-secret-boundary-governance-finding on Jun 14, 2026

@CoderDeltaLAN
Owner

Summary

Adds AIRK-GOV002, a conservative governance finding for supported instruction files that do not show an explicit secret-handling boundary.

Scope

  • Adds find_missing_secret_boundary_findings().
  • Adds SECRET_BOUNDARY_RULE_ID, message, and conservative boundary patterns.
  • Wires AIRK-GOV002 into the existing governance aggregator after AIRK-GOV006 and AIRK-GOV003.
  • Adds direct governance tests for missing and present secret-handling boundaries.
  • Adds a dedicated CLI JSON fixture for missing secret boundary behavior.
  • Keeps the unsupported-claim fixture isolated for AIRK-GOV006.

Verification

  • ./scripts/check.sh
  • JSON smoke for tests/fixtures/repositories/missing-secret-boundary
  • JSON smoke for tests/fixtures/repositories/unsupported-claim
  • clean fixture JSON smoke with finding_count: 0
  • isolated build + wheel install smoke

Product boundary

This does not scan for secrets, prove that a repository contains no secrets, or validate compliance. It only reports whether supported instruction files visibly mention a secret-handling boundary.

README is intentionally not changed in this phase.

@CoderDeltaLAN CoderDeltaLAN merged commit ca5c266 into main Jun 14, 2026
1 check passed
@CoderDeltaLAN CoderDeltaLAN deleted the feat/add-secret-boundary-governance-finding branch June 14, 2026 05:41
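
The kind of check the description outlines, as an added example that is not the project's own code: it reports each present instruction file that shows no visible secret-handling boundary, and does not scan for secrets. The function name, file list, patterns and message are assumptions; only the rule id AIRK-GOV002 comes from the page.

```python
import re
import tempfile
from pathlib import Path

RULE_ID = "AIRK-GOV002"  # rule id taken from the PR description

# Assumption: the page does not list the supported instruction files.
INSTRUCTION_FILES = ("AGENTS.md", "CLAUDE.md", ".github/copilot-instructions.md")

# Assumption: illustrative conservative patterns. A boundary needs a
# prohibition or handling verb close to a secret-like noun, so a bare
# mention of "secrets" does not count.
_NOUN = r"(?:secrets?|credentials?|api[ _-]?keys?|tokens?|passwords?)"
_VERB = r"(?:never|do not|don't|must not|should not|avoid|redact|mask)"
BOUNDARY_PATTERNS = (
    re.compile(rf"\b{_VERB}\b[^.\n]{{0,80}}\b{_NOUN}\b", re.IGNORECASE),
    re.compile(rf"\b{_NOUN}\b[^.\n]{{0,80}}\b{_VERB}\b", re.IGNORECASE),
)


def missing_secret_boundary(repo_root):
    """Return one finding per present instruction file with no visible boundary."""
    findings = []
    for rel in INSTRUCTION_FILES:
        path = Path(repo_root) / rel
        if not path.is_file():
            continue  # absent files are outside this rule's scope
        text = path.read_text(encoding="utf-8", errors="replace")
        if not any(p.search(text) for p in BOUNDARY_PATTERNS):
            findings.append({"rule_id": RULE_ID, "path": rel,
                             "message": "no explicit secret-handling boundary found"})
    return findings


def demo():
    """Run the check over a constructed two-file repository."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: mentions secrets but sets no boundary.
        Path(root, "AGENTS.md").write_text(
            "Secrets live in .env and the tokenizer reads them.\n"
            "Run the tests before committing.\n", encoding="utf-8")
        # Constructed sample: states an explicit boundary.
        Path(root, "CLAUDE.md").write_text(
            "Never print, log, or commit secrets or API keys.\n", encoding="utf-8")
        return missing_secret_boundary(root)


if __name__ == "__main__":
    print(demo())
```

A file that merely mentions secrets, like the constructed AGENTS.md, is still reported, because the patterns require a prohibition or handling verb near the secret-like term.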