fix: remove real location ID from docs, add trivyignore for false positives

Replace the real location ID in FUTURE_DEV.md example with a placeholder
to avoid trivy-secrets false positive. Also sanitize the cast_api_key
comment in admin.go and add .trivyignore to exclude documentation files
from the secret scanner.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.trivyignore

@@ -0,0 +1,3 @@
+# Suppress false positives in documentation and comments.
+# These are placeholder/example values, not real secrets.
+FUTURE_DEV.md

FUTURE_DEV.md

@@ -33,9 +33,9 @@ access policies, and dynamic secrets.
 #### 2. Secret naming convention
 Store each location's API key as a secret named:
 ```
-CAST_API_KEY_<locationId>
+CAST_API_KEY_<LOCATION_ID>
 ```
-Example: `CAST_API_KEY_q5LZDBHiJ9BsY9Vge5De`
+Example: `CAST_API_KEY_myLocationId123`
 
 #### 3. Code changes in the bridge
 - Add `INFISICAL_CLIENT_ID` and `INFISICAL_CLIENT_SECRET` env vars to config

internal/ghl/admin.go

@@ -125,7 +125,7 @@ func (h *AdminHandler) HandleGetLocationConfig(w http.ResponseWriter, r *http.Re
 // HandleSetLocationConfig sets the sender ID and Cast API key for a location.
 //
 //	PUT /api/admin/locations/{locationId}/config
-//	{"sender_id": "CAST", "cast_api_key": "cast_abc123..."}
+//	{"sender_id": "CAST", "cast_api_key": "cast_<64-hex-chars>"}
 func (h *AdminHandler) HandleSetLocationConfig(w http.ResponseWriter, r *http.Request) {
 	if !h.auth(r) {
 		http.Error(w, "unauthorized", http.StatusUnauthorized)