Switch git hooks from pre-commit to prek (#276)

## Summary

- Replace pre-commit with [prek](https://github.com/j178/prek), a faster Rust-native drop-in alternative
- Migrate config from `.pre-commit-config.yaml` (YAML) to `prek.toml` (TOML)
- Add new built-in checks: case conflicts, private key detection, executable shebangs
- Install prek via mise native registry (`aqua:j178/prek`) instead of pipx
- Update all doc references across README, contributing guide, and how-to docs

## Notes

- `check-yaml` still uses the remote `pre-commit-hooks` repo because prek's builtin fast path doesn't support `--unsafe` yet (needed for Ansible custom YAML tags)
- All existing custom hooks (docs validation, container version check, mikado invariant, workflow validation) work unchanged
- Tested: all hooks pass on clean tree, deliberate doc link breakage is caught

## Test plan

- [x] `prek run --all-files` passes all checks
- [x] Broken wiki-link correctly caught by `docs-check-links`
- [x] taplo-format auto-fixes TOML formatting on commit
- [x] commit-msg hook (mikado invariant) fires correctly

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/276
Erich Blume 2026-03-02 18:15:23 -08:00
commit 7a1875936c
12 changed files with 192 additions and 170 deletions


@ -14,7 +14,7 @@ tags:
# Add Container Version Sync Check
Add a pre-commit check that validates version consistency across the three places container versions are declared: Dockerfile ARGs, `service-versions.yaml`, and nix derivations. No VERSION files needed — the existing sources are the source of truth, and the check enforces they agree.
Add a prek check that validates version consistency across the three places container versions are declared: Dockerfile ARGs, `service-versions.yaml`, and nix derivations. No VERSION files needed — the existing sources are the source of truth, and the check enforces they agree.
## Context
@ -38,7 +38,7 @@ Blacklisted containers (utility images, not tracked services): `kubectl`, `nette
Container-to-service name mapping: `quartz``docs`, `kiwix-serve``kiwix`.
### 2. Added pre-commit hook
### 2. Added prek hook
```yaml
- id: container-version-check
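Review bot: The example under the renamed heading "### 2. Added prek hook" is still fenced as yaml and begins with `- id: container-version-check`, which is the list form used by `.pre-commit-config.yaml`, while the commit message says the config was migrated to `prek.toml` (TOML). Either convert the snippet to the form that now lives in `prek.toml`, or add a sentence stating that it shows the hook as it was originally added under pre-commit, so a reader does not paste YAML into a TOML file.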
@ -62,7 +62,7 @@ The check discovered that ntfy's Dockerfile pins v2.17.0 but nixpkgs has ntfy-sh
| File | Change |
|------|--------|
| `mise-tasks/container-version-check` | New: typer CLI sync validation script |
| `.pre-commit-config.yaml` | Add `container-version-check` hook |
| `prek.toml` | Add `container-version-check` hook |
| `service-versions.yaml` | Populate `current-version` for all hybrid services + authentik |
## Verification
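Review bot: The table row changed from `.pre-commit-config.yaml` to `prek.toml` sits in what reads as a record of the files the original change touched (its neighbours are "New: typer CLI sync validation script" and "Populate `current-version` ..."). Rewriting the path makes that record say the hook was added to a file that, per the commit message, is only introduced by this migration. Consider keeping the original path and appending a short note that the hook now lives in `prek.toml`, so the table stays accurate as history.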


@ -42,7 +42,7 @@ Each container's version is extracted at build time from existing declarations
- **Dockerfile builds**: parsed from `ARG CONTAINER_APP_VERSION=<value>` in the Dockerfile
- **Nix builds**: extracted from `version = "..."` in `default.nix`, or `CONTAINER_APP_VERSION` from the Dockerfile, or `dagger call nix-version` for nixpkgs packages
The [[add-container-version-sync-check]] pre-commit check ensures these declarations stay in sync with `service-versions.yaml`. See [[pin-container-versions]] for the work to ensure every container has a parseable version.
The [[add-container-version-sync-check]] prek check ensures these declarations stay in sync with `service-versions.yaml`. See [[pin-container-versions]] for the work to ensure every container has a parseable version.
### Image Tag Format