Add Kingfisher secret scanner to prek hooks

Running alongside TruffleHog to compare coverage. Kingfisher uses
staged-only mode with validation disabled for fast, offline-safe
pre-commit checks. Validation will be enabled in the planned cron job.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/changelog.d/+kingfisher-prek.feature.md

@@ -0,0 +1 @@
+Add MongoDB Kingfisher secret scanner as a prek hook alongside TruffleHog for comparative coverage evaluation.

prek.toml

@@ -25,7 +25,7 @@ repo = "https://github.com/pre-commit/pre-commit-hooks"
 rev = "v6.0.0"
 hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 
-# Secret detection
+# Secret detection (running both tools in parallel to compare coverage)
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
 rev = "v3.94.0"
@@ -36,6 +36,23 @@ hooks = [
   ] },
 ]
 
+[[repos]]
+repo = "https://github.com/mongodb/kingfisher"
+rev = "v1.91.0"
+hooks = [
+  { id = "kingfisher", args = [
+    "scan",
+    ".",
+    "--staged",
+    "--quiet",
+    "--no-update-check",
+    "--no-validate",
+  ], stages = [
+    "pre-commit",
+    "pre-push",
+  ] },
+]
+
 # YAML linting
 [[repos]]
 repo = "https://github.com/adrienverge/yamllint"