feat(rl3u): add block-env-commits pre-commit hook

Blocks any *.env* file from being committed except .env.example.
Prevents credential leaks like the .env.backup incidents.

.pre-commit-config.yaml

@@ -21,3 +21,11 @@ repos:
         entry: bash bin/ensure-ignore-files.sh --check
         language: system
         pass_filenames: false
+
+      - id: block-env-commits
+        name: Block .env file commits (allow only .env.example)
+        entry: bash bin/block-env-commits.sh
+        language: system
+        pass_filenames: false
+        files: '\.env'
+        exclude: '\.env\.example$'

bin/block-env-commits.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+staged=$(git diff --cached --name-only)
+blocked=$(printf '%s
+' "$staged" | grep -E '(^|/)[^/]*\.env[^/]*$' | grep -v '\.env\.example$' || true)
+
+if [[ -n "$blocked" ]]; then
+  echo "block-env-commits: BLOCKED — .env file(s) staged for commit:" >&2
+  echo "$blocked" | sed 's/^/  /' >&2
+  echo "Only .env.example is allowed. Remove staged file(s) and try again." >&2
+  exit 1
+fi