Fix error handling in AddSecret to clean up on failure

- Clean up secret directory if Save() fails for new secrets
- Add tests to verify cleanup behavior
- Ensures failed secret additions don't leave orphaned directories

internal/vault/secrets.go

@@ -204,6 +204,12 @@ func (v *Vault) AddSecret(name string, value *memguard.LockedBuffer, force bool)
 	if err := newVersion.Save(value); err != nil {
 		secret.Debug("Failed to save new version", "error", err, "version", versionName)
 
+		// Clean up the secret directory if this was a new secret
+		if !exists {
+			secret.Debug("Cleaning up secret directory due to save failure", "secret_dir", secretDir)
+			_ = v.fs.RemoveAll(secretDir)
+		}
+
 		return fmt.Errorf("failed to save version: %w", err)
 	}