Replace whole-file pipelock exclude with inline suppression (#1116)

Use `# pipelock:ignore Credential in URL` on the specific false
positive line instead of excluding all of client.rb from scanning.
The rest of the file is now scanned normally.

.github/workflows/pipelock.yml

@@ -24,5 +24,3 @@ jobs:
           test-vectors: 'false'
           exclude-paths: |
             config/locales/views/reports/
-            # False positive: client.rb stores Bearer token and sends Authorization header by design
-            app/models/assistant/external/client.rb