feat(redact): add DEFAULT_REDACT_PATTERNS and apply them on every record run #13

Merged
protosphinx merged 1 commit into main from bot/default-redact-patterns
May 5, 2026

@protosphinx
Member

Why

The README and GOALS.md document that record mode always strips a set
of well-known credential keys (authorization headers, *_token, *_key,
*_secret) by default. However, no such constant existed in redact.ts
and record() applied zero patterns unless the caller explicitly passed
redact: [...]. This closes that spec gap: recording now redacts common
credentials automatically, matching the documented "belt and suspenders"
promise without any caller change required.

What

  • src/redact.ts: export DEFAULT_REDACT_PATTERNS constant containing
    ["authorization", "*_token", "*_key", "*_secret"].
  • src/record.ts: merge DEFAULT_REDACT_PATTERNS with caller-supplied
    opts.redact patterns so defaults are always active. Callers can still
    extend the list; they can no longer accidentally opt out of the basics.
  • Simplified the two redact.length > 0 guards in the passthrough
    helpers (now always true, so the ternary was dead weight).
  • test/redact.test.ts: 11 new tests covering the array walk path, the
    exported constant's contents, and each of the four default patterns in
    isolation and in combination with nested structures.

Tests

  • npm run lint && npm run build && npm test all pass locally.
  • 91 tests total (was 80), 11 added in this PR.
  • New tests cover: array traversal, each default pattern by name, each
    default pattern applied via redactDeep, nested credential key
    redaction, and non-sensitive keys left unchanged.

Self-merge gate

  • all CI checks pass
  • LOC delta < 250 (added + removed): 86 lines
  • no public-API surface change (src/index.ts not touched)
  • no runtime-dependency additions
  • no workflow file changes
  • tests added or extended (11 new tests in test/redact.test.ts)

Generated by Claude Code

…ord run

The README documents that recording always strips authorization headers,
*_token, *_key, and *_secret keys by default, but no such constant existed
in redact.ts and record() applied zero patterns unless the caller passed
redact: [...]. This closes the gap: export DEFAULT_REDACT_PATTERNS from
redact.ts, merge it into the effective pattern list in record(), and add
11 tests covering each pattern and common nested credential shapes.
@protosphinx protosphinx added the automated Opened by the daily bot label May 5, 2026 — with Claude
@protosphinx protosphinx merged commit 66c09e6 into main May 5, 2026
3 checks passed
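
The behaviour described in this PR (defaults merged with caller patterns, then applied across arrays and nested objects), as an added example that is not the project's redact.ts or record.ts. Only `DEFAULT_REDACT_PATTERNS` and its four values come from the PR; `compilePattern`, `effectivePatterns`, `redactCopy`, the case-insensitive `*` matching and the `[REDACTED]` mask are assumptions made for illustration.

```typescript
// Added example. Only DEFAULT_REDACT_PATTERNS and its four values come from the PR;
// every other name, the "*" semantics and the mask string are assumptions.
const DEFAULT_REDACT_PATTERNS: readonly string[] = ["authorization", "*_token", "*_key", "*_secret"];
const MASK = "[REDACTED]";

// "*" matches any run of characters; the match is anchored and case-insensitive,
// so the header key "Authorization" is caught but "monkey" is not a "*_key".
function compilePattern(pattern: string): RegExp {
  const body = pattern
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + body + "$", "i");
}

// Defaults are always included; caller patterns can only extend the list.
function effectivePatterns(callerPatterns: readonly string[] = []): string[] {
  return DEFAULT_REDACT_PATTERNS.concat(callerPatterns).filter((p, i, all) => all.indexOf(p) === i);
}

// Returns a redacted copy; walks arrays and nested objects, masks by key name.
function redactCopy(value: unknown, patterns: readonly string[]): unknown {
  const matchers = patterns.map(compilePattern);
  const walk = (node: unknown): unknown => {
    if (Array.isArray(node)) return node.map((item) => walk(item));
    if (node === null || typeof node !== "object") return node;
    const source = node as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(source)) {
      out[key] = matchers.some((m) => m.test(key)) ? MASK : walk(source[key]);
    }
    return out;
  };
  return walk(value);
}

// Constructed sample of a recorded exchange (not taken from the project).
const SAMPLE_RECORD = {
  headers: { Authorization: "Bearer constructed-value", accept: "application/json" },
  body: { user: "alice", session_id: "s-1", items: [{ api_key: "k-1", name: "a" }] },
};
// Passing [] does not opt out of the defaults; "session_id" shows a caller extension.
const withDefaults = redactCopy(SAMPLE_RECORD, effectivePatterns([]));
const withExtra = redactCopy(SAMPLE_RECORD, effectivePatterns(["session_id"]));
```

Key-name matching only protects values stored under a matching key: a bearer token embedded in a URL query string or a free-text field passes through this walk unchanged.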