fix(detectors): report Omnisend verifier errors

[whitewooood]

Description:

Related to #4051. This updates the Omnisend detector verifier to report indeterminate verification failures instead of silently ignoring them.

Before this change, Omnisend verification only marked 2xx responses as verified. Network/client errors and unexpected API statuses were dropped, which made verifier failures indistinguishable from determinately invalid credentials.

This PR keeps behavior narrow:

• 2xx responses verify the secret.
• 401 and 403 remain determinately unverified without a verification error.
• client/request failures and unexpected statuses now populate VerificationError.
• response bodies are drained and closed on verifier responses.

Local validation:

• gofmt -w pkg/detectors/omnisend/omnisend.go pkg/detectors/omnisend/omnisend_test.go
• git diff --check
• go test -count=1 ./pkg/detectors/omnisend
• go test -count=1 ./pkg/detectors
• go vet ./pkg/detectors/omnisend
• go run ./hack/checksecretparts -fail ./pkg/detectors
• go test -timeout=5m -count=1 ./pkg/detectors/...

Checklist:

• Tests passing (go test commands listed above)
• Lint-adjacent checks passing (go vet, git diff --check, checksecretparts listed above)

---

Note

Low Risk
Scoped to Omnisend detector verification behavior and tests; no auth or core engine changes, with a slight tightening from any 2xx to 200-only for verified.

Overview
Refactors the Omnisend detector verifier so indeterminate failures are visible instead of being dropped silently.

Verification moves into verifyMatch with an injectable http.Client on Scanner (defaulting to the shared sane client). 200 OK marks the key verified; 401/403 stay unverified with no verification error; request failures and other HTTP statuses set VerificationError. Response bodies are drained and closed after the contacts API call.

Adds unit tests that mock the transport to assert the verification URL/header and cover success, auth failures, network errors, and unexpected status codes.

^{Reviewed by Cursor Bugbot for commit 0cb2345. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

All committers have signed the CLA.

[shahzadhaider1]

It'd be better to test the actual api with real credentials and observe the API behavior and then adjust these cases accordingly, instead of setting generic ranges/codes.

[whitewooood]

I narrowed this to endpoint-specific status handling instead of accepting any 2xx response. The verifier now only treats 200 OK as verified, keeps 401/403 as unverified, and reports other statuses as verification errors.

I do not have valid Omnisend credentials to confirm a successful account response. I did verify the live endpoint with an invalid key and without the header; both returned 403 {"error":"Forbidden"}. The Omnisend v3 List contacts docs list 200, 401, 403, 408, 422, and 429 for this endpoint, so I added a regression test to ensure 201 Created is no longer treated as verified.