Add CI lint for leaked workspace values in templates #189

Open
dhruv0811 wants to merge 1 commit into main from dhruv/check-template-leaks

@dhruv0811
Contributor

Summary

  • Adds .scripts/check_template_leaks.py — scans all agent-*/ template configs for accidentally committed workspace-specific values (budget policy IDs, experiment IDs, personal app names, hardcoded Lakebase instance names, UUIDs)
  • Adds .github/workflows/check-template-leaks.yml — runs the check on every push/PR touching agent-*/ files
  • Catches the existing leaks in agent-non-conversational/databricks.yml (will intentionally fail CI until those are cleaned up)

What it detects

| Pattern | Example |
| --- | --- |
| budget_policy_id fields | Should never exist in templates |
| Non-empty experiment_id | Should be "" — quickstart fills it in |
| Hardcoded Lakebase instance names | Should be <your-lakebase-instance-name> |
| Personal names in app names | agent-dhruv-offsite-demo instead of agent-non-conversational |
| Hardcoded UUIDs | Budget policies, SP client IDs, etc. |
| LAKEBASE_INSTANCE_NAME env var values | In both databricks.yml and app.yaml |

Current output on main

Found 4 leaked value(s) in templates:

  agent-non-conversational/databricks.yml:9: budget_policy_id should not be in templates
  agent-non-conversational/databricks.yml:9: Hardcoded UUID found
  agent-non-conversational/databricks.yml:25: experiment_id must be empty (not a real ID)
  agent-non-conversational/databricks.yml:7: App name contains non-template words: ['dhruv', 'offsite', 'demo']

Test plan

  • Verified script catches all known leaks on main (4 violations)
  • Verified zero false positives (skips YAML comments, allows template abbreviations like stm/ltm)
  • CI workflow triggers on PR — will fail until existing leaks are fixed

This pull request was AI-assisted by Isaac.

This is a public repo — config files must not contain real workspace
names, IDs, budget policies, or personal identifiers. Adds a Python
lint script and GitHub Actions workflow that runs on every push/PR
touching agent-*/ files.

Co-authored-by: Isaac
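
The checks named in the PR description above, sketched as an added example (this is not the PR's check_template_leaks.py, whose source is not shown on this page). It covers four of the listed patterns; the `name:` key heuristic, the allowlist words and the sample config layout are assumptions constructed for illustration.

```python
import re

UUID_RE = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)
KEY_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w-]*)\s*:\s*(.*)$")
# Assumption: words allowed in a template app name (stm/ltm per the PR text).
ALLOWED_WORDS = {"agent", "non", "conversational", "stm", "ltm"}
# Constructed sample config; the UUID and experiment ID are made up.
SAMPLE = """\
bundle:
  name: agent-non-conversational
resources:
  apps:
    demo_app:
      name: agent-dhruv-offsite-demo
      budget_policy_id: 00000000-1111-2222-3333-444444444444  # constructed
      # experiment_id: "12345"  (commented out, must be ignored)
  experiments:
    experiment_id: "1234567890"
"""

def strip_comment(line):  # drop a trailing YAML comment, keep '#' inside quotes
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line

def scan(path, text):
    """Return (path, line_number, message) for each suspected leak."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        m = KEY_RE.match(line)
        key, value = (m.group(1), m.group(2).strip().strip("'\"")) if m else (None, "")
        if key == "budget_policy_id":
            findings.append((path, n, "budget_policy_id should not be in templates"))
        if UUID_RE.search(line):
            findings.append((path, n, "Hardcoded UUID found"))
        if key == "experiment_id" and value:
            findings.append((path, n, "experiment_id must be empty (not a real ID)"))
        if key == "name" and value.startswith("agent-"):
            extra = [w for w in value.split("-") if w not in ALLOWED_WORDS]
            if extra:
                findings.append((path, n, f"App name contains non-template words: {extra}"))
    return findings
```

Calling `scan("databricks.yml", SAMPLE)` yields four findings, and a CI step would exit non-zero whenever the returned list is non-empty.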