fix(hooks): align pre-commit.mts .env detection with commit-msg.mts (basename-based)

Bugbot flagged: pre-commit.mts tested the full path against /^\.env/
(catching only root-level), while commit-msg.mts uses basename()
(catching .env at any depth). A nested packages/cli/.env.local
should be blocked at commit time, not just root .env. Aligned both
to basename-based matching, and added .env.precommit to pre-commit's
allowlist so it matches commit-msg's allowlist.

Author: jdalton

.git-hooks/pre-commit.mts

@@ -8,6 +8,7 @@
 // Bypassable: --no-verify skips this hook entirely. Use sparingly
 // (hotfixes, history operations, pre-build states).
 
+import { basename } from 'node:path'
 import process from 'node:process'
 
 import {
@@ -62,11 +63,18 @@ const main = (): number => {
     errors++
   }
 
-  // .env files (allowlist .env.example / .env.test).
+  // .env files at any depth — allow only .env.example, .env.test,
+  // .env.precommit (templates / tracked placeholders). Match the
+  // commit-msg.mts behavior: a nested .env.local is just as much a
+  // leak as a root-level one. basename() catches both.
   out('Checking for .env files...')
-  const envFiles = stagedFiles.filter(
-    f => /^\.env(\.[^/]+)?$/.test(f) && !/^\.env\.(example|test)$/.test(f),
-  )
+  const envFiles = stagedFiles.filter(f => {
+    const base = basename(f)
+    return (
+      /^\.env(\.[^/]+)?$/.test(base) &&
+      !/^\.env\.(example|test|precommit)$/.test(base)
+    )
+  })
   if (envFiles.length > 0) {
     out(red('✗ ERROR: .env file detected!'))
     envFiles.forEach(f => out(f))