Add .fips-template.yaml to opt into fips-agents patch flow

[rdwj]

Companion PR to fips-agents/fips-agents-cli#48 (the manifest loader) and the parallel gateway-template change. After both merge, `fips-agents patch` will work for projects scaffolded from this template — it doesn't today, because the CLI's hardcoded fallback raises `ValueError` for the `ui` project type.

What

Adds `.fips-template.yaml` at the repo root with `schema_version: 1`. Three categories: `chart`, `docs`, `build`.

`never_patch` (9 entries):

• `cmd/**` — user's Go entry point.
• `go.mod` — user's deps.
• `chart/values.yaml` — user's deploy config.
• `planning/**` — user-authored notes.
• `static/**` — user's web content (HTML/CSS/JS and the embed.go that serves it).
• `**/*_test.go` — tests are user code.
• `.env*`, `README.md`, `LICENSE`.

Compatibility

Older CLI installs that don't know about `.fips-template.yaml` continue to refuse `patch` for UI projects exactly as before. Non-breaking.

Test plan

• Manifest parses cleanly through `fips_agents_cli.tools.patching._load_template_manifest` and `_categories_from_manifest` (validated locally against PR #48's loader).
• `_resolve_categories` correctly returns the manifest's categories instead of raising.
• No secrets detected by gitleaks.
• After CLI #48 merges and ships in a release, scaffold a UI project and run `patch check` against this template — should never offer to patch `static/` or `cmd/`.