Add the shared dotenv guard script and enforce it in CI to block tracked .env* and *.env files outside .secrets.
Include all pending UI token normalization updates, stylesheet changes, and the global theme token verification script.
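
One way the dotenv guard described in the first sentence could work, as an added example that is not the script from this commit. It assumes `.secrets` is a directory at the repository root; the function names and the `--check` argument are this example's own.

```shell
#!/bin/sh
# Added example, not the project's guard script.
# Assumption: ".secrets" is a directory at the repository root.

# Reads one repository-relative path per line on stdin and prints every
# path whose file name matches .env* or *.env and is not under .secrets/.
dotenv_violations() {
    while IFS= read -r path; do
        case "$path" in
            .secrets/*) continue ;;      # allowed location, any depth below it
        esac
        name=${path##*/}                 # file name without directories
        case "$name" in
            # .env* is taken literally, so .env.example and .envrc match too
            .env*|*.env) printf '%s\n' "$path" ;;
        esac
    done
}

# Checks the files tracked in the index. Returns 0 when clean, 1 when
# offenders exist, 2 when it cannot inspect the repository at all.
check_tracked_dotenv() {
    # Fail closed: without this, a broken checkout would list no files
    # and the guard would pass.
    if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "dotenv guard: not inside a git work tree" >&2
        return 2
    fi
    # -z keeps unusual file names unquoted; a name containing a newline is
    # split into several lines, which can only add findings, not hide one.
    offenders=$(git ls-files -z | tr '\0' '\n' | dotenv_violations)
    if [ -n "$offenders" ]; then
        printf 'Tracked dotenv files outside .secrets/:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# CI entry point for this example: sh dotenv-guard.sh --check
if [ "${1:-}" = "--check" ]; then
    check_tracked_dotenv || exit $?
fi
```

The check only covers files in the index, so a dotenv file committed earlier and since deleted remains in history and its values still need rotating.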