feat: bundle gitleaks for all supported architectures (linux/darwin x64/arm64) #201

@coopernetes

Problem

The build system downloads a single gitleaks binary for the build-time platform and packs it into the JAR as the classpath resource gitleaks. A JAR built on Linux x86_64 (e.g. in CI or the Docker build stage) bundles only the Linux x86_64 binary.

When that image or JAR is run on Apple Silicon (aarch64/arm64), GitleaksRunner fails to resolve the bundled binary and falls through to auto-install or scanner-path. If neither is configured, secret scanning silently fails open — or, after the fix in this branch, fails closed and blocks all pushes.

Proposed fix

Bundle all four binaries at build time under arch-specific resource names:

  • gitleaks/linux_x64
  • gitleaks/linux_arm64
  • gitleaks/darwin_x64
  • gitleaks/darwin_arm64

Update downloadGitleaks in build.gradle to download all four (not just the build-time platform). Update GitleaksRunner.extractBundledBinary() to select the resource matching os.name + os.arch at runtime.

Impact

  • Operators running the proxy JAR directly on macOS M1/M2 get secret scanning out of the box
  • Multi-arch Docker images work correctly without requiring auto-install: true
  • No change to the public API or configuration
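A sketch of the runtime selection proposed above, added here as an example and not the project's `GitleaksRunner` code. The class and method names are hypothetical, Java 9+ is assumed, and an unsupported platform or missing resource throws so the caller can fail closed rather than skip scanning.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Locale;

public final class BundledGitleaksResolver { // hypothetical name, not the project's class

    // Maps JVM os.name / os.arch values onto the four resource names proposed in the issue.
    static String resourceName(String osName, String osArch) {
        String os = osName.toLowerCase(Locale.ROOT);
        String osPart;
        if (os.contains("linux")) osPart = "linux";
        else if (os.contains("mac") || os.contains("darwin")) osPart = "darwin";
        else throw new IllegalStateException("no bundled gitleaks for os.name=" + osName);

        String archPart;
        switch (osArch.toLowerCase(Locale.ROOT)) {
            case "amd64": case "x86_64": archPart = "x64"; break;    // Linux JVMs report amd64
            case "aarch64": case "arm64": archPart = "arm64"; break; // Apple Silicon JVMs report aarch64
            default: throw new IllegalStateException("no bundled gitleaks for os.arch=" + osArch);
        }
        return "gitleaks/" + osPart + "_" + archPart;
    }

    // Copies the matching classpath resource to an owner-only temp file; throws if it is absent.
    static Path extract() throws IOException {
        String name = resourceName(System.getProperty("os.name"), System.getProperty("os.arch"));
        ClassLoader cl = BundledGitleaksResolver.class.getClassLoader();
        try (InputStream in = cl.getResourceAsStream(name)) {
            if (in == null) throw new IllegalStateException("missing classpath resource " + name);
            Path bin = Files.createTempFile("gitleaks-", "",
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
            try (OutputStream out = Files.newOutputStream(bin)) {
                in.transferTo(out); // writes into the existing file, so the 0700 mode is kept
            }
            return bin;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: property values commonly reported on the supported platforms.
        System.out.println(resourceName("Linux", "amd64"));
        System.out.println(resourceName("Mac OS X", "aarch64"));
        System.out.println(resourceName("Mac OS X", "x86_64"));
    }
}
```

Normalizing both spellings of each architecture matters because the JVM's `os.arch` value differs between platforms and vendors, and a lookup keyed on only one spelling would miss the bundled binary.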
