feat(dev-env): wire shared pre-commit secret scanner via core.hooksPath

Ships `modules/dev-env/scripts/git-hooks/pre-commit` — the same
secret-scanner pattern omnixy uses, lightly adapted (drops the
omnixy-specific test_auth.py skip, generic header comment).

New option `lnbits-sensei.devEnv.gitHooks.enable` (off by default).
When on, modules/dev-env/config.nix installs the hook at
`~/.local/share/lnbits-sensei/git-hooks/pre-commit` and sets the
consumer's git `core.hooksPath` to that directory, so every repo on
the machine picks it up without per-repo wiring.

The hook refuses to commit obvious secrets (PRIVATE KEY blocks,
`password=…`, `secret=…`, `api_key=…`, `admin_key=…`, AWS keys,
non-placeholder POSTGRES_PASSWORD) and unencrypted sops files
(checks for a top-level `sops:` block AND `mac: ENC[…]` — either
signal alone is forgeable). False positives are handled via
`# pragma: allowlist secret` line- or block-level markers (gitleaks
convention).

docs/secrets-management.md gets a new subsection covering what the
hook does, when to enable it, and the false-positive escape hatches.
The Pitfalls section's reference to "the pre-commit hook most
consumers use" is replaced with a concrete pointer to this option.

`nix flake check --no-build` stays green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/dev-env/options.nix

@@ -123,6 +123,18 @@ in
       '';
     };
 
+    gitHooks = {
+      enable = mkEnableOption ''
+        Shared pre-commit hook via `core.hooksPath`. Installs a single
+        secret-scanner hook under
+        `~/.local/share/lnbits-sensei/git-hooks/pre-commit` and points
+        the consumer's git config there — so every repo on the machine
+        picks it up without per-repo wiring. Refuses to commit obvious
+        secrets and unencrypted sops files; false positives are handled
+        via `# pragma: allowlist secret` markers
+      '';
+    };
+
     claude = {
       enable = mkEnableOption ''
         Seed `~/dev/lnbits/CLAUDE.md` from