Replace whole-file pipelock exclude with inline suppression (#1116)

Use `# pipelock:ignore Credential in URL` on the specific false
positive line instead of excluding all of client.rb from scanning.
The rest of the file is now scanned normally.

.github/workflows/pipelock.yml

@@ -24,5 +24,3 @@ jobs:
           test-vectors: 'false'
           exclude-paths: |
             config/locales/views/reports/
-            # False positive: client.rb stores Bearer token and sends Authorization header by design
-            app/models/assistant/external/client.rb

app/models/assistant/external/client.rb

@@ -20,7 +20,7 @@ class Assistant::External::Client
 
   def initialize(url:, token:, agent_id: "main", session_key: "agent:main:main")
     @url = url
-    @token = token
+    @token = token # pipelock:ignore Credential in URL
     @agent_id = agent_id
     @session_key = session_key
   end