fix: Restore all files lost during destructive rebase

A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.

This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).

Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitleaks.toml

@@ -0,0 +1,77 @@
+# Gitleaks Configuration for BreakPilot
+# https://github.com/gitleaks/gitleaks
+#
+# Run locally: gitleaks detect --source . -v
+# Pre-commit: gitleaks protect --staged -v
+
+title = "BreakPilot Gitleaks Configuration"
+
+# Use the default rules plus custom rules
+[extend]
+useDefault = true
+
+# Custom rules for BreakPilot-specific patterns
+[[rules]]
+id = "anthropic-api-key"
+description = "Anthropic API Key"
+regex = '''sk-ant-api[0-9a-zA-Z-_]{20,}'''
+tags = ["api", "anthropic"]
+keywords = ["sk-ant-api"]
+
+[[rules]]
+id = "vast-api-key"
+description = "vast.ai API Key"
+regex = '''(?i)(vast[_-]?api[_-]?key|vast[_-]?key)\s*[=:]\s*['"]?([a-zA-Z0-9-_]{20,})['"]?'''
+tags = ["api", "vast"]
+keywords = ["vast"]
+
+[[rules]]
+id = "stripe-secret-key"
+description = "Stripe Secret Key"
+regex = '''sk_live_[0-9a-zA-Z]{24,}'''
+tags = ["api", "stripe"]
+keywords = ["sk_live"]
+
+[[rules]]
+id = "stripe-restricted-key"
+description = "Stripe Restricted Key"
+regex = '''rk_live_[0-9a-zA-Z]{24,}'''
+tags = ["api", "stripe"]
+keywords = ["rk_live"]
+
+[[rules]]
+id = "jwt-secret-hardcoded"
+description = "Hardcoded JWT Secret"
+regex = '''(?i)(jwt[_-]?secret|jwt[_-]?key)\s*[=:]\s*['"]([^'"]{32,})['"]'''
+tags = ["secret", "jwt"]
+keywords = ["jwt"]
+
+# Allowlist for false positives
+[allowlist]
+description = "Global allowlist"
+paths = [
+    '''\.env\.example$''',
+    '''\.env\.template$''',
+    '''docs/.*\.md$''',
+    '''SBOM\.md$''',
+    '''.*_test\.py$''',
+    '''.*_test\.go$''',
+    '''test_.*\.py$''',
+    '''.*\.bak$''',
+    '''node_modules/.*''',
+    '''venv/.*''',
+    '''\.git/.*''',
+]
+
+# Specific commit allowlist (for already-rotated secrets)
+commits = []
+
+# Regex patterns to ignore
+regexes = [
+    '''REPLACE_WITH_REAL_.*''',
+    '''your-.*-key-change-in-production''',
+    '''breakpilot-dev-.*''',
+    '''DEVELOPMENT-ONLY-.*''',
+    '''placeholder.*''',
+    '''example.*key''',
+]