fix: scan staged blobs in pre-commit secret guard

[yibeichan]

Summary

• scan staged blob content in the pre-commit secret guard instead of working-tree files
• skip deleted paths when scanning staged entries
• bump hook template version to v4 and add a regression for staged/working-tree divergence

Closes #211.

Tests

• uv run --with pytest --with ./cli python -m pytest cli/tests/test_pre_commit_hook.py -q
• uv run --with pytest --with ./cli python -m pytest cli/tests/test_init_standalone.py::TestInitStandalone::test_pre_commit_constant_matches_disk cli/tests/test_init_standalone.py::TestInitStandalone::test_post_commit_constant_matches_disk cli/tests/test_init_standalone.py::TestInitStandalone::test_pre_commit_blocks_real_looking_keys cli/tests/test_init_standalone.py::TestInitStandalone::test_pre_commit_does_not_match_sk_substrings -q
• uv run --with pytest --with ./cli python -m pytest cli/tests/test_doctor.py::TestCheckHooksFreshness -q
• cd cli && uv run --with pytest --with . python -m pytest tests/