Commit 449be1b

fix(gemspec): ship only runtime files in packaged gem
The gemspec used `git ls-files` to populate `s.files`, which pulled every tracked file — Gemfile, Gemfile.lock, examples/, spec/, .github/, .devcontainer/, etc. — into the published gem. Downstream vulnerability scanners (AWS ECR, Snyk, Trivy, Grype) parse those bundled Gemfile.lock and example-app Gemfiles and report findings against dependencies that are never loaded at runtime, producing large volumes of false positives for gem consumers.

Switch to an explicit allow-list covering only the files needed to load and run the gem: lib/**/*.rb, LICENSE, README.md, CHANGELOG.md, auth0.gemspec, and .version. Drop s.test_files (deprecated by RubyGems) and s.executables (no tracked bin/ entries exist).

Package contents drop from ~385 files to 51.

Refs #720
1 parent 771e5b4 commit 449be1b
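The commit message describes two ways of populating `s.files` and why the first leaks scanner bait into the package. The script below is an added example, not code from the auth0 Ruby SDK: it builds a constructed checkout shaped like the repo the message describes, evaluates the same allow-list expression the commit puts in the gemspec against a `git ls-files`-style listing of everything, and reports which dependency manifests the old strategy would have shipped. The regexes in `SCANNER_BAIT` are an assumption about what scanners parse (lockfiles, Gemfiles, the dev-only trees named in the message), not anything those tools document, and the `lib/auth0/config.yml` fixture file is there only to show that the `*.rb` glob also drops non-Ruby files under lib/.

```ruby
require 'tmpdir'
require 'fileutils'

# Paths a dependency scanner (Trivy, Grype, Snyk, ECR) treats as manifests or
# lockfiles, plus the dev-only trees the commit message lists. These regexes are
# an assumption for this example, not anything the scanners publish.
SCANNER_BAIT = [
  %r{(\A|/)Gemfile(\.lock)?\z},
  %r{\A(spec|examples|\.github|\.devcontainer)/}
].freeze

# Files the gem actually needs at runtime, using the same allow-list expression
# the commit puts in auth0.gemspec, evaluated relative to +root+ and sorted so the
# package manifest does not depend on filesystem enumeration order.
def runtime_files(root)
  Dir.chdir(root) do
    (Dir['lib/**/*.rb'] + %w[LICENSE README.md CHANGELOG.md auth0.gemspec .version])
      .select { |f| File.file?(f) }
      .sort
  end
end

# Everything in the tree, dotfiles included, as a stand-in for `git ls-files`
# (the old gemspec's source of s.files).
def all_tracked_files(root)
  Dir.chdir(root) do
    Dir.glob('**/*', File::FNM_DOTMATCH).select { |f| File.file?(f) }.sort
  end
end

# Subset of +files+ a scanner would parse and report findings against.
def scanner_bait(files)
  files.select { |f| SCANNER_BAIT.any? { |re| f.match?(re) } }
end

# Constructed fixture: a miniature checkout shaped like the repo described in the
# commit message (lib/, docs, Gemfile and lockfile, specs, example app, CI config).
FIXTURE_FILES = %w[
  lib/auth0.rb lib/auth0/client.rb lib/auth0/mixins/httpproxy.rb lib/auth0/config.yml
  LICENSE README.md CHANGELOG.md auth0.gemspec .version
  Gemfile Gemfile.lock spec/spec_helper.rb
  examples/ruby-api/Gemfile examples/ruby-api/Gemfile.lock
  .github/workflows/ci.yml .devcontainer/devcontainer.json
].freeze

def build_fixture(root)
  FIXTURE_FILES.each do |rel|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "# constructed fixture file\n")
  end
  root
end

# Scanner bait that the `git ls-files` strategy ships and the allow-list does not.
def leaked_by_git_ls_files(root)
  scanner_bait(all_tracked_files(root)) - scanner_bait(runtime_files(root))
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    build_fixture(root)
    puts "runtime allow-list (#{runtime_files(root).size} files):"
    runtime_files(root).each { |f| puts "  #{f}" }
    puts 'scanner bait that `git ls-files` would have shipped:'
    leaked_by_git_ls_files(root).each { |f| puts "  #{f}" }
  end
end
```

The same check can be run against a real build with `gem spec pkg/auth0-<version>.gem files` (or `Gem::Package.new(path).spec.files`) in place of `runtime_files`, which is the verification worth adding to a release pipeline: assert that `scanner_bait` over the packaged file list is empty before `gem push`.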

1 file changed

Lines changed: 1 addition & 3 deletions

auth0.gemspec

@@ -11,9 +11,7 @@ Gem::Specification.new do |s|
1111
s.summary = 'Auth0 API Client'
1212
s.description = 'Ruby toolkit for Auth0 API https://auth0.com.'
1313

14-
s.files = `git ls-files`.split("\n")
15-
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
16-
s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
14+
s.files = Dir['lib/**/*.rb'] + %w[LICENSE README.md CHANGELOG.md auth0.gemspec .version]
1715
s.require_paths = ['lib']
1816

1917
s.add_runtime_dependency 'rest-client', '~> 2.1'
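Review bot: the new `s.files = Dir['lib/**/*.rb'] + %w[...]` line silently drops any non-`.rb` file under lib/ and returns the glob results in filesystem enumeration order, so the packaged manifest can differ between build hosts; please confirm nothing under lib/ besides Ruby sources is loaded at runtime, and append `.sort` to the expression so the gem builds reproducibly. Unlike the removed `git ls-files` call, `Dir[]` also picks up untracked or ignored `.rb` files lying in the working tree on the release machine, so `gem build` should run from a clean checkout (or the release job should diff `gem spec ... files` against the expected list) to keep that from becoming a supply-chain surprise. Minor: the four explicit filenames are only checked for existence at build time, and `.version` is a dotfile that the `%w[]` literal handles but a glob would not, which is worth a one-line comment beside the list.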
