Fix --keyid flag scope and implement secret move command

- Restrict --keyid flag to PGP unlocker type only
- Add validation to prevent --keyid usage with non-PGP unlockers
- Implement 'secret move' command with 'mv' and 'rename' aliases
- Add comprehensive tests for move functionality
- Update documentation to reflect optional nature of --keyid for PGP

The move command allows renaming or moving secrets within a vault while
preserving all versions and metadata. It fails if the destination already
exists to prevent accidental overwrites.
2025-07-26 01:26:27 +02:00
parent a73a409fe4
commit a6f24e9581
5 changed files with 166 additions and 10 deletions

@@ -106,6 +106,11 @@ Lists all secrets in the current vault. Optional filter for substring matching.
- **NO RECOVERY**: Once removed, the secret cannot be recovered
- **ALL VERSIONS DELETED**: Every version of the secret will be permanently deleted
#### `secret move <source> <destination>` / `secret mv` / `secret rename`
Moves or renames a secret within the current vault.
- Fails if the destination already exists
- Preserves all versions and metadata
### Version Management
#### `secret version list <secret-name>` / `secret version ls`
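Review bot: the new `secret move` entry documents only one failure case ("Fails if the destination already exists"). It should also say what happens when `<source>` does not exist, and whether `<destination>` goes through the same name validation as a newly added secret, since a rename is a second path by which a secret receives its name. It would also help to state whether the existence check and the move happen as a single step: "fails if the destination already exists" only prevents an overwrite if nothing can create the destination between the check and the rename.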
@@ -144,7 +149,7 @@ Creates a new unlocker of the specified type:
- `keychain`: macOS Keychain integration (macOS only)
**Options:**
- `--keyid <id>`: GPG key ID (required for PGP type)
- `--keyid <id>`: GPG key ID (optional for PGP type, uses default key if not specified)
#### `secret unlocker remove <unlocker-id> [--force]` / `secret unlocker rm` ⚠️ 🛑
**DANGER**: Permanently removes an unlocker. Like Unix `rm`, this command does not ask for confirmation.
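Review bot: on the changed `--keyid` line, "uses default key if not specified" does not say which key that is or how a user can confirm afterwards which key the unlocker was bound to. Suggest naming where the default comes from (for example GPG's configured default key, if that is what the code relies on) and pointing to the command that shows the resulting key ID. The commit message also says `--keyid` is now rejected for non-PGP unlocker types, and the Options text should state that as well, e.g. "PGP type only; an error with other unlocker types".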
@@ -439,3 +444,4 @@ Released as a free software gift to the world, no strings attached, under the [W
Contact: [sneak@sneak.berlin](mailto:sneak@sneak.berlin)
[https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2](https://keys.openpgp.org/vks/v1/by-fingerprint/5539AD00DE4C42F3AFE11575052443F4DF2A55C2)