
Add Z.ai detector #5033

Open
moizxsec wants to merge 1 commit into trufflesecurity:main from moizxsec:feat/zai-detector

Conversation

@moizxsec

@moizxsec moizxsec commented Jun 11, 2026


Description

Adds a secret detector for Z.ai (Zhipu AI) API keys, used to authenticate against the GLM model APIs.

  • Key format: a 32-character hex id and a 16-character secret joined by a period (e.g. 0123…cdef.AbCd…5678), pre-filtered by the zai/zhipu/bigmodel/glm keywords to keep signal high.
  • Verification: a non-destructive GET https://api.z.ai/api/paas/v4/models with the key as a Bearer token. 200 → verified, 401 → unverified, anything else is treated as an indeterminate verification error.
  • Registration: wired into defaults.go behind a new ZaiDetectorEnabled feature flag, matching the pattern used for other recently added detectors (Wit, Tly, Datadog, etc.), and enabled by default in main.go.

Checklist

  • Added the ZAI detector type to proto/detector_type.proto and regenerated protos (make protos).
  • Implemented the detector and pattern tests (go test ./pkg/detectors/zai/ -tags=detectors).
  • Registered in DefaultDetectors and added to excludedFromDefaultList in the defaults test while feature-flag gated.
  • gofmt / go vet clean.

Closes #4658
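The detection and verification flow the description lays out (keyword pre-filter, 32-hex.16-alphanumeric key shape, read-only GET with Bearer auth, 200/401/other mapped to three outcomes), reconstructed as a stand-alone Go example. This is added illustration, not the PR's code and not trufflehog's detector interface or verification helpers: `FindKeys`, `Verify`, `Status`, `fakeTransport` and `FakeClient` are assumed names, the regex is an assumed reconstruction of the stated key shape, the endpoint URL and keyword list are the ones given in the description, and the sample chunk is constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// verifyURL and keywords are the values given in the PR description.
const verifyURL = "https://api.z.ai/api/paas/v4/models"

var keywords = []string{"zai", "zhipu", "bigmodel", "glm"}

// keyPat is an assumed reconstruction of the key shape the PR describes (32 lowercase
// hex, a period, 16 alphanumerics); the \b anchors reject longer runs on either side.
var keyPat = regexp.MustCompile(`\b([0-9a-f]{32}\.[A-Za-z0-9]{16})\b`)

// FindKeys returns the distinct key candidates in data, or nil when no keyword is nearby.
func FindKeys(data string) []string {
	lower := strings.ToLower(data)
	gated := false
	for _, kw := range keywords {
		gated = gated || strings.Contains(lower, kw)
	}
	if !gated {
		return nil // keyword pre-filter: skip the chunk entirely
	}
	seen := make(map[string]bool)
	var keys []string
	for _, m := range keyPat.FindAllStringSubmatch(data, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			keys = append(keys, m[1])
		}
	}
	return keys
}

// Status is the three-way verification outcome the PR describes.
type Status string

const (
	Unverified    Status = "unverified"    // 401: key rejected
	Verified      Status = "verified"      // 200: key accepted
	Indeterminate Status = "indeterminate" // anything else: could not decide
)

// Verify sends the read-only GET with the key as a Bearer token. Transport failures
// and unexpected status codes are Indeterminate plus an error, never Unverified.
func Verify(ctx context.Context, client *http.Client, key string) (Status, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, verifyURL, nil)
	if err != nil {
		return Indeterminate, err
	}
	req.Header.Set("Authorization", "Bearer "+key)
	resp, err := client.Do(req)
	if err != nil {
		return Indeterminate, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	switch resp.StatusCode {
	case http.StatusOK:
		return Verified, nil
	case http.StatusUnauthorized:
		return Unverified, nil
	default:
		return Indeterminate, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
}

// fakeTransport answers with a canned status so the example runs offline, after
// checking that the request really carries the Bearer header.
type fakeTransport struct{ status int }

func (f fakeTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
		return nil, errors.New("request is missing the Bearer token")
	}
	body := io.NopCloser(strings.NewReader("{}"))
	return &http.Response{StatusCode: f.status, Header: make(http.Header), Body: body}, nil
}

// FakeClient builds an http.Client whose every request is answered with status.
func FakeClient(status int) *http.Client {
	return &http.Client{Transport: fakeTransport{status: status}}
}

func main() {
	// Constructed sample chunk; the key is not a real credential.
	sample := "ZAI_API_KEY=0123456789abcdef0123456789abcdef.AbCd1234EfGh5678"
	keys := FindKeys(sample)
	status, err := Verify(context.Background(), FakeClient(401), keys[0])
	fmt.Println(keys, status, err)
}
```

The canned transport stands in for the network so the mapping can be exercised for each status code without touching the real endpoint. Only 200 and 401 are treated as definitive; a timeout, a 429 or a 5xx is reported as indeterminate with an error rather than as "unverified", so a live key is never quietly downgraded because the verification endpoint was unavailable.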


Note

Low Risk
Additive detector and proto enum only; follows existing gated-detector patterns with no changes to core scan or auth flows.

Overview
Adds a Z.ai (Zhipu AI) secret detector for API keys shaped as 32-hex.16-alphanumeric, gated on nearby keywords (zai, zhipu, bigmodel, glm).

When verification is on, keys are checked with a read-only GET to https://api.z.ai/api/paas/v4/models using Bearer auth (200 verified, 401 not). The new DetectorType_ZAI proto value is wired into default detectors behind ZaiDetectorEnabled, turned on by default in main.go, with pattern tests in pkg/detectors/zai.

Reviewed by Cursor Bugbot for commit 2898425.

Add a secret detector for Z.ai (Zhipu AI) API keys, used to authenticate
against the GLM model APIs. Keys consist of a 32-character hex id and a
16-character secret joined by a period. Verification performs a
non-destructive GET against the Z.ai models endpoint and treats 200 as
verified and 401 as unverified.

The detector is registered behind the ZaiDetectorEnabled feature flag,
matching the pattern used for other recently added detectors.

Closes trufflesecurity#4658
@moizxsec moizxsec requested a review from a team June 11, 2026 09:57
@moizxsec moizxsec requested review from a team as code owners June 11, 2026 09:57

Development

Successfully merging this pull request may close these issues.

Add detector for Z.ai API keys