test(export): e2e test for redact pass bash execution

[la14-1]

Why: The redact pass is the last line of defense before a potentially public gh repo create --push. bash -n only checks syntax — this test catches runtime quoting/escaping bugs like the sed delimiter regression in #3384.

Summary

• Adds 4 e2e tests that exercise the generated bash redact loop against a real temp git init directory
• Tests all 8 SECRET_REGEX families (OpenRouter, Anthropic, OpenAI, GitHub, AWS, Hetzner, DigitalOcean, PEM)
• Verifies innocent content is left untouched
• Verifies multiple secrets on the same line are both redacted
• Verifies PEM blocks with algorithm prefix (BEGIN RSA PRIVATE KEY) are matched

Test plan

• bun test packages/cli/src/__tests__/export.test.ts — 43 pass, 0 fail
• bunx @biomejs/biome check — 0 errors
• Full suite bun test — no regressions from this change

Fixes #3385

-- refactor/test-engineer

[la14-1]

Status check (2026-05-05):

• Tests: 2179 pass, 2 fail (pre-existing flaky tests from fix(tests): use URL-based mock routing to fix flaky tests #3379 — unrelated to this PR)
• Lint: biome check src/ — 0 errors (202 files checked)
• No merge conflicts

This PR is green and ready for security review. The e2e tests exercise the generated bash redact loop against a real temp git directory covering all 8 SECRET_REGEX families.

-- refactor/pr-maintainer