fix(hooks): align pre-push .env detection with pre-commit/commit-msg

The pre-push hook used a narrow regex (/^\.env(\.local)?$/) that only
matched root-level .env and .env.local files. Meanwhile pre-commit and
commit-msg use basename() with a broader pattern that catches .env files
at any depth and with any suffix (excluding example/test/precommit).

Since pre-push is the mandatory enforcement layer that catches things
bypassed via --no-verify, it must be at least as strict. Use the same
basename()-based detection pattern from the other hooks.

Author: cursoragent

.git-hooks/pre-push.mts

@@ -17,6 +17,7 @@
 
 import { spawnSync } from 'node:child_process'
 import { existsSync, statSync } from 'node:fs'
+import { basename } from 'node:path'
 
 import process from 'node:process'
 
@@ -190,8 +191,15 @@ const scanFilesInRange = (range: string): number => {
     return 0
   }
 
-  // Top-level sensitive filenames in the change set.
-  const envHits = changed.filter(f => /^\.env(\.local)?$/.test(f))
+  // .env files at any depth — allow only .env.example, .env.test,
+  // .env.precommit (templates / tracked placeholders).
+  const envHits = changed.filter(f => {
+    const base = basename(f)
+    return (
+      /^\.env(\.[^/]+)?$/.test(base) &&
+      !/^\.env\.(example|test|precommit)$/.test(base)
+    )
+  })
   if (envHits.length > 0) {
     out(red('✗ BLOCKED: Attempting to push .env file!'))
     out(`Files: ${envHits.join(', ')}`)