[Audit] Phase 2 — frontend security audits (secret leak, route-guard coverage, headers/CSP, raw-HTML sinks) #362

@cssbruno

Description

Part of #361. Build the four frontend audits as baseline policy rules, populating the frontend block of gowdk-security.json and producing findings.

Scope

  • Secret/data-leak (audit_bundle_secret): scan embedded asset selection + literal build-time data for secret-shaped values. Reuse runtime/app/redact.go's redactionRules and the appgen embed-skip predicate; flag .env, source maps, private files.
  • Client route-guard coverage (audit_client_route_unguarded): confirm every SPA/static route's default-deny is reflected in the generated deny registry, so static hosting can't serve a guardless page.
  • Security headers / CSP (audit_headers_missing): policy can require header; static side here, runtime verification lands in Phase 4 ([Audit] Phase 4 — integration-test runner (testkit, --emit-tests/--run) + runtime/app security headers #364).
  • Escaping / XSS sinks (audit_raw_html_sink): add view.RawHTMLSinks beside view.ViewDependencies; flag g:html / raw sinks unless allowlisted.

The diagnostic codes are already registered (PR #360). This issue wires the detectors that emit them.
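As an added illustration of what two of these detectors might look like (example code written for this page, not gowdk's own implementation), the block below implements a minimal `audit_bundle_secret` and `audit_raw_html_sink` pass over constructed inputs. The `Finding` type, the `secretShapes` patterns (standing in for `redactionRules`), the `privateFile` predicate (standing in for the appgen embed-skip predicate), and the `g:html` attribute regex are all assumptions made here; each finding carries a `file:line` and a remediation string as the acceptance criteria ask for, and allowlisted raw-HTML sites are skipped.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Finding is one audit result. Code uses the diagnostic codes named in the issue.
type Finding struct {
	Code        string
	File        string
	Line        int // 0 when the whole file is the problem
	Message     string
	Remediation string
}

// secretShapes are hypothetical secret-shaped patterns standing in for redactionRules.
var secretShapes = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*["']?[A-Za-z0-9_\-./+]{16,}`),
	regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`),
	regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
}

// rawHTMLAttr matches a g:html attribute, the raw-HTML sink named in the issue (assumed syntax).
var rawHTMLAttr = regexp.MustCompile(`\bg:html\s*=`)

// privateFile is a hypothetical embed-skip predicate: files that must never ship in a bundle.
func privateFile(name string) bool {
	base := path.Base(name)
	return strings.HasPrefix(base, ".env") ||
		strings.HasSuffix(base, ".map") ||
		strings.HasSuffix(base, ".pem")
}

// sortedNames gives deterministic finding order regardless of map iteration.
func sortedNames(m map[string]string) []string {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// AuditBundleSecret scans the embedded asset selection for private files and secret-shaped literals.
func AuditBundleSecret(files map[string]string) []Finding {
	var out []Finding
	for _, name := range sortedNames(files) {
		if privateFile(name) {
			out = append(out, Finding{Code: "audit_bundle_secret", File: name,
				Message: "private file selected for embedding",
				Remediation: "exclude it from the embed selection"})
			continue
		}
		for i, ln := range strings.Split(files[name], "\n") {
			for _, re := range secretShapes {
				if re.MatchString(ln) {
					out = append(out, Finding{Code: "audit_bundle_secret", File: name, Line: i + 1,
						Message: "secret-shaped literal in build-time data",
						Remediation: "move the value to runtime configuration and redact it"})
					break // one finding per line is enough
				}
			}
		}
	}
	return out
}

// AuditRawHTMLSink flags every g:html site unless "file:line" is in the allowlist.
func AuditRawHTMLSink(templates map[string]string, allow map[string]bool) []Finding {
	var out []Finding
	for _, name := range sortedNames(templates) {
		for i, ln := range strings.Split(templates[name], "\n") {
			if !rawHTMLAttr.MatchString(ln) {
				continue
			}
			site := fmt.Sprintf("%s:%d", name, i+1)
			if allow[site] {
				continue
			}
			out = append(out, Finding{Code: "audit_raw_html_sink", File: name, Line: i + 1,
				Message: "raw HTML sink " + site,
				Remediation: "escape the value or add the site to the raw-HTML allowlist after review"})
		}
	}
	return out
}

func main() {
	// Constructed sample inputs for demonstration only.
	files := map[string]string{
		".env":            "DB_PASSWORD=hunter2\n",
		"app/config.js":   "const API_KEY = \"sk_live_0123456789abcdef0123\";\nconst theme = \"dark\";\n",
		"app/main.js.map": "{}",
		"app/util.js":     "export const token = getToken();\n",
	}
	templates := map[string]string{
		"views/post.html":  "<article>\n  <div g:html=\"post.Body\"></div>\n</article>\n",
		"views/legal.html": "<section g:html=\"terms\"></section>\n",
	}
	allow := map[string]bool{"views/legal.html:1": true}
	for _, f := range append(AuditBundleSecret(files), AuditRawHTMLSink(templates, allow)...) {
		fmt.Printf("%s %s:%d %s (%s)\n", f.Code, f.File, f.Line, f.Message, f.Remediation)
	}
}
```

Note that `app/util.js` assigns `token` from a function call rather than a long literal, so it produces no finding; that is the kind of case a unit test for "no false positives on the example apps" should pin down.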

Acceptance criteria

  • gowdk-security.json frontend block is populated (bundleSecrets, unguardedRoutes already done, rawHtmlSinks, configuredHeaders).
  • gowdk audit emits each finding with a file:line and remediation.
  • Unit tests per audit; no false positives on the example apps.

Out of scope

Full data-flow/taint analysis of raw-HTML sinks (flag sites only).

Related: #361, #119 (fail-closed secret).

Labels: compiler (Compiler internals, pipeline, and generated metadata), enhancement (New feature or request), security (Security hardening and security-sensitive behavior)