fix(envrc): correct hooks detection for worktrees and refresh tooling hints

[CybotTM]

Summary

• The hooks check used .git/hooks/pre-commit literally, so it always reported "not configured" inside a git worktree (where .git is a file). Switched to git rev-parse --git-path hooks so detection works for both regular repos and worktrees.
• Dropped the dead Husky branch + missing install-husky.sh reference (project already migrated to lefthook).
• Bumped REQUIRED_VERSION 1.25 → 1.26 to match go.mod.
• Fixed the gosec install hint (404 repo + non-existent snap pkg) to the canonical go install github.com/securego/gosec/v2/cmd/gosec@latest.
• Removed forced CGO_ENABLED=0 / GOOS=linux / GOARCH=amd64 exports. These belong in build commands, not a per-shell env — forcing CGO off silently breaks go test -race, and pinning GOOS/GOARCH breaks non-amd64 dev hosts.
• Replaced the hardcoded "60.1% coverage" claim with a pointer to make test-coverage so it can't drift.

Test plan

• bash -n .envrc passes
• In a worktree: detection now returns ✅ Git hooks configured (lefthook) instead of nagging
• Commit signed off (DCO)
• CI green

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[github-actions]

Automated approval for maintainer PR

All automated quality gates passed. See SECURITY_CONTROLS.md for compensating controls.

[gemini-code-assist]

Code Review

This pull request updates the .envrc file to bump the required Go version to 1.26, improves Git hook detection for worktrees, and streamlines tool installation commands. It also removes hardcoded Go environment variables and simplifies the hook verification logic. Review feedback identifies several areas where these changes are incomplete or inconsistent with other project files, including missing updates for the Go version in error messages, gosec installation methods in the Makefile, worktree support in lefthook.yml, and hardcoded test coverage values.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.26%. Comparing base (1f6109a) to head (2a1c593).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #598      +/-   ##
==========================================
- Coverage   87.28%   87.26%   -0.02%     
==========================================
  Files          88       88              
  Lines       10631    10631              
==========================================
- Hits         9279     9277       -2     
- Misses       1112     1113       +1     
- Partials      240      241       +1     

Flag	Coverage Δ
integration	87.15% <ø> (-0.14%)	⬇️
unittests	83.78% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Updates the repo’s direnv bootstrap (.envrc) to better reflect current tooling expectations and to correctly detect lefthook-based git hooks in both regular repos and git worktrees.

Changes:

• Bump the required Go version hint to 1.26 to align with go.mod.
• Fix git hooks detection in worktrees by resolving the hooks path via git rev-parse --git-path hooks.
• Refresh developer tooling hints (e.g., gosec install) and remove hardcoded GOOS/GOARCH/CGO environment exports.

[github-actions]

Automated approval for maintainer PR

All automated quality gates passed. See SECURITY_CONTROLS.md for compensating controls.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Automated approval for maintainer PR

All automated quality gates passed. See SECURITY_CONTROLS.md for compensating controls.