Restructure flake validation into composable modules

Summary

This MR restructures the flake validation modules to be more composable and consistent:

Changes

1. Split flake module into sub-modules:

   • flake-lock.nix - Validates flake.lock is up to date
   • flake-show.nix - Validates nix flake show succeeds
   • flake-strict-inputs.nix (renamed from strict-flake-inputs.nix) - Validates inputs use protected refs

2. Composite flake module:

   • The main flake module now imports all three sub-modules
   • flake.enable = true enables all three validators by default
   • Each can be individually controlled via flake.lock.enable, flake.show.enable, flake.strict-inputs.enable

3. Breaking change:

   • strict-flake-inputs.enable → flake.strict-inputs.enable
   • Users importing the composite flake module get strict-inputs validation automatically
   • Users can disable individual validators: flake.strict-inputs.enable = false;

Benefits

• Consistency: All flake-related validation under flake.* namespace
• Composability: Import individual modules or use composite module
• Flexibility: Fine-grained control over which validators to enable
• Discoverability: Nested structure makes options easier to find

Migration

Old (0.10.x):

gitlab.ci = {
  imports = [
    inputs.gitlab-ci.modules.gitlab-ci.flake
    inputs.gitlab-ci.modules.gitlab-ci.strict-flake-inputs
  ];
  
  flake.enable = true;
  strict-flake-inputs.enable = true;
};

New (0.11.0):

gitlab.ci = {
  imports = [ inputs.gitlab-ci.modules.gitlab-ci.flake ];
  
  flake.enable = true;  # Enables lock, show, and strict-inputs
};

Or for fine-grained control:

gitlab.ci = {
  imports = [ inputs.gitlab-ci.modules.gitlab-ci.flake ];
  
  flake.enable = true;
  flake.strict-inputs.enable = false;  # Disable strict-inputs only
};

🤖 Generated with Claude Code