Commit 56c710a
fix(ci): accept detect-secrets-hook baseline self-updates
detect-secrets-hook (the CI entry-point, not 'detect-secrets scan') auto-
updates the baseline in-place when it finds file/line drift, then exits
non-zero with 'please git add'. My prior 'detect-secrets scan' regen
produced a baseline without the exclude-files filter block and with
stale .github/detect-secrets.baseline self-entries that the hook keeps
pruning. Re-ran locally with the exact CI invocation

    detect-secrets-hook --baseline .github/detect-secrets.baseline \
        --exclude-files '^(INVENTORY\.json|\.github/detect-secrets\.baseline)$' \
        <changed-files>

which produced a stable baseline (subsequent re-run exit 0). Committed
the stabilised baseline. Delta: adds the exclude-files regex to
filters_used, prunes the old self-entries for the baseline file.
No signal code changed. No parameter touched. No evidence edited.

1 parent 45c2ff0 commit 56c710a
1 file changed
Lines changed: 7 additions & 6849 deletions
0 commit comments
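A pre-commit check for the two baseline defects the commit message describes (no exclude-files pattern in `filters_used`, and result entries for the baseline file itself), as an added example that is not code from this repository. The `filters_used`/`results` field names and the `should_exclude_file` filter path are assumed to follow the detect-secrets baseline JSON layout; both sample baselines are constructed.

```python
import re

# Assumed filter path that detect-secrets records for --exclude-files.
EXCLUDE_FILTER = "detect_secrets.filters.regex.should_exclude_file"
BASELINE_PATH = ".github/detect-secrets.baseline"


def audit_baseline(baseline: dict, baseline_path: str = BASELINE_PATH) -> list:
    """Return a list of problems; an empty list means no drift was found."""
    patterns = []
    for flt in baseline.get("filters_used", []):
        if flt.get("path") == EXCLUDE_FILTER:
            pat = flt.get("pattern", [])
            patterns.extend([pat] if isinstance(pat, str) else pat)

    problems = []
    if not patterns:
        problems.append("filters_used has no exclude-files pattern")
    for filename in baseline.get("results", {}):
        if filename == baseline_path:
            # The hook keeps pruning these, so the baseline never settles.
            problems.append(f"self-entry for {filename}")
        elif any(re.search(p, filename) for p in patterns):
            problems.append(f"result for excluded file {filename}")
    return problems


# Constructed finding; the hash is a placeholder, not a real value.
FINDING = {"type": "Secret Keyword", "hashed_secret": "0" * 40, "line_number": 1}

# Constructed: baseline regenerated without the exclude-files option.
UNFILTERED = {
    "filters_used": [{"path": "detect_secrets.filters.heuristic.is_lock_file"}],
    "results": {BASELINE_PATH: [FINDING], "src/config.py": [FINDING]},
}

# Constructed: baseline carrying the exclude-files regex from the CI invocation.
STABLE = {
    "filters_used": [{
        "path": EXCLUDE_FILTER,
        "pattern": [r"^(INVENTORY\.json|\.github/detect-secrets\.baseline)$"],
    }],
    "results": {"src/config.py": [FINDING]},
}

if __name__ == "__main__":
    for name, doc in (("unfiltered", UNFILTERED), ("stable", STABLE)):
        print(name, audit_baseline(doc) or "ok")
```

Load the committed baseline with `json.load` and fail the job when the returned list is non-empty.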