fix: always reject set -u in shell script validation hook (#2427)

The validate-file.ts hook previously only blocked `set -u` when
`set -eo pipefail` was absent from the file. This allowed scripts
with both `set -eo pipefail` and `set -u` to pass validation,
contradicting the shell rules that unconditionally ban nounset.

Fix the regex to always reject `set -u` variants on actual set
invocation lines (not comments or strings), and update the error
message to recommend `${VAR:-}` instead.

Co-authored-by: spawn-qa-bot <qa@openrouter.ai>
A 2026-03-10 02:37:33 -07:00 committed by GitHub
parent 73ab90fb53
commit 00aa4b2dbf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -66,9 +66,11 @@ if (file.endsWith(".sh")) {
fail(`echo -e detected in ${file} — use printf instead (macOS bash 3.x compat)`);
}
// Check for set -u without set -eo pipefail
if (/set\s+-.*u/.test(content) && !/set\s+-eo\s+pipefail/.test(content)) {
fail(`set -u (nounset) detected in ${file} — use set -eo pipefail instead`);
// Check for set -u (nounset) — always banned, even alongside set -eo pipefail.
// Only match lines that actually invoke set (not comments or string literals).
const setUPattern = /^\s*set\s+-[a-z]*u/m;
if (setUPattern.test(content)) {
fail(`set -u (nounset) detected in ${file} — use \${VAR:-} for optional vars instead`);
}
}
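Review bot: The new pattern `/^\s*set\s+-[a-z]*u/m` still lets several nounset spellings past the hook: the lowercase-only class `[a-z]*` does not match `set -Eeuo pipefail`, and neither `set -o nounset` nor a flag passed as a later argument (`set -e -u`) is covered. Since the commit message describes the ban as unconditional, the check should be widened, for example `const setUPattern = /^\s*set\s+(?:-[A-Za-z]*u|-o\s+nounset)/m;`, with the `set -e -u` form handled by scanning each argument on the set line. A handful of test cases for these spellings, plus `set -eo pipefail` as a must-pass case, would pin the behaviour. The enclosing `if (file.endsWith(".sh"))` block starts outside the hunk, so this is based only on the lines shown.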