fix(rules): allowlist keyboard chord secrets in generic-api-key

[obchain]

Summary

generic-api-key flags VSCode/JetBrains keybinding entries like:

{ "key": "ctrl+shift+down", "command": "editor.action.moveSelectionDown" }

The chord ctrl+shift+down slips through the [a-z0-9][a-z0-9+/]{11,} branch of the secret regex because + is permitted there. The key identifier in front trips the semi-generic match and the chord is reported as a secret (#1897).

Add a chord-shape regex to the first generic-api-key allowlist (RegexTarget = secret):

(?i)^(?:(?:ctrl|cmd|shift|alt|opt|meta|super|win|fn|control|command|option)\+){1,5}(?:f[0-9]{1,2}|[a-z][a-z0-9]{0,14}|[0-9]{1,3}|[\[\]\\=\-'",.<>/;:`])$

It requires 1–5 known modifier prefixes joined by +, then a short word, F-key, digit, or single punctuation character. Anchored end-to-end (^...$) so the shape can't appear inside a real secret and over-allowlist.

Verification

$ gitleaks detect --no-git -s ./keybindings.json -v
# (chord findings gone, real CLOJARS token still flagged)

Six new FPs lock the behavior in via utils.Validate:

`"key": "ctrl+shift+down"`,
`"key": "shift+alt+down"`,
`"key": "ctrl+shift+alt+down"`,
`"key": "ctrl+shift+end"`,
`"key": "cmd+shift+p"`,
`"key": "ctrl+,"`,

Test plan

• go generate ./... regenerates config/gitleaks.toml cleanly (Validate passes new FPs)
• go test ./... green
• Smoke: scanning a file with the four chord forms from False Positive: (Some) Vscode keybindings - "key": "ctrl+shift+down" #1897 plus a CLOJARS token: chord findings suppressed, real secret still flagged

Closes #1897