chore: add codespell and typos pre-commit hooks, fix typos

what

Added two new spell-checking pre-commit hooks (codespell and
typos) and updated existing hooks. All pre-commit repo
revisions are now pinned to commit SHAs with a frozen-tag
comment, including bumps for pre-commit-hooks, ruff,
pyproject-fmt, mypy, actionlint, and zizmor.

Fixed typos surfaced by the new spell-checkers:

• README.md: "wtih" -> "with"
• .github/workflows/release.yml: "packges" -> "packages"
• tests/test_tools_assetdb.py: "borken" -> "broken"

pyproject-fmt reordered pyproject.toml sections (pytest/coverage moved
after mypy) per the updated pyproject-fmt formatter.

Updated all dependencies with uv lock --upgrade.

why

Pinning pre-commit hooks to SHAs ensures reproducible local and CI runs
and matches the project's existing supply-chain hardening
posture. Adding codespell and typos automates catching the kind of
trivial typos that this very PR is cleaning up. Dependencies updated to
pick up CVE fixes.

testing

just lint and just test pass locally.

docs

No docs needed.

🤖 Generated with Claude Code