Add the shared dotenv guard script and enforce it in CI to block tracked .env* and *.env files outside .secrets.
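A guard script of the kind this commit describes, added here as an illustration and not the repository's own script: it takes the tracked-file list from `git ls-files`, flags any path whose basename matches `.env*` or `*.env`, and exempts only paths under a top-level `.secrets/` directory (the directory name, the `--check` flag and the exact reporting are assumptions, since the commit message does not spell them out).

```shell
#!/bin/sh
# dotenv-guard.sh: fail CI when a tracked file named .env* or *.env sits
# anywhere other than the top-level .secrets/ directory.
# Illustrative script, not the repository's own; the .secrets/ exemption,
# the --check flag and the git invocation are assumptions.
set -eu

# is_env_file PATH: true when the basename matches .env* or *.env
is_env_file() {
    base=${1##*/}
    case "$base" in
        .env*|*.env) return 0 ;;
    esac
    return 1
}

# in_secrets PATH: true when the path lives under top-level .secrets/ (any depth)
in_secrets() {
    case "$1" in
        .secrets/*) return 0 ;;
    esac
    return 1
}

# find_offenders: reads newline-separated repository paths on stdin and
# prints those that are env files outside .secrets/, one per line
find_offenders() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_env_file "$path" && ! in_secrets "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# guard: scan the git index (tracked files only), report offenders to stderr,
# return 1 so the CI job fails
guard() {
    offenders=$(git ls-files -z | tr '\0' '\n' | find_offenders)
    if [ -n "$offenders" ]; then
        printf 'dotenv guard: tracked env files outside .secrets/:\n' >&2
        printf '%s\n' "$offenders" | sed 's/^/  /' >&2
        printf 'move them under .secrets/ or untrack them (git rm --cached <path>).\n' >&2
        return 1
    fi
    printf 'dotenv guard: no tracked env files outside .secrets/\n'
    return 0
}

# Only touch git when invoked as ./dotenv-guard.sh --check (the CI entry point);
# sourcing the file merely defines the functions.
if [ "${1:-}" = "--check" ]; then
    guard
fi
```

Run it as a CI step with `sh dotenv-guard.sh --check`; a non-zero exit blocks the job. Note that the `.env*` pattern as stated also matches `.env.example` and `.envrc`, so committed templates are flagged unless an allowlist is added; an untracked `.env` is invisible to `git ls-files` and is the `.gitignore` file's job, not this guard's.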