ci: run fallow audit in lefthook pre-commit

Mirrors the same `fallow audit --base ... --fail-on-issues` check that
runs in CI, but locally against HEAD so issues surface at commit time
instead of after the push round-trip.

Scoped to `packages/**` source files via the glob — non-code edits
(README, docs, top-level configs) skip the hook entirely.

Measured locally: ~5s in parallel with the existing lint/format/typecheck
checks. Doesn't extend wall-clock time because typecheck (~11s) is the
long pole, and lefthook runs commands in parallel.

The default `--gate new-only` means inherited findings don't block the
commit — same gate behavior as CI, so local pre-commit and PR audit
agree.

Author: jrusso1020

lefthook.yml

@@ -12,6 +12,13 @@ pre-commit:
     typecheck:
       glob: "*.{ts,tsx}"
       run: cd packages/core && bunx tsc --noEmit && cd ../studio && bunx tsc --noEmit
+    # `fallow audit` runs the same check that gates PRs in CI, but locally
+    # against HEAD so issues surface before the push instead of after.
+    # `--gate new-only` is the default — inherited findings don't block the
+    # commit, only newly-introduced ones do. ~1-3s on typical commit sizes.
+    fallow:
+      glob: "packages/**/*.{ts,tsx,mts,cts,js,jsx,mjs,cjs}"
+      run: npx -y fallow@2.75.0 audit --base HEAD --fail-on-issues
     filesize:
       # Scoped to packages/studio — the 500 LOC limit is a studio architecture
       # standard enforced as part of the App.tsx decomposition work. Player and