Fix --keyid flag scope and implement secret move command

- Restrict --keyid flag to PGP unlocker type only
- Add validation to prevent --keyid usage with non-PGP unlockers
- Implement 'secret move' command with 'mv' and 'rename' aliases
- Add comprehensive tests for move functionality
- Update documentation to reflect optional nature of --keyid for PGP

The move command allows renaming or moving secrets within a vault while
preserving all versions and metadata. It fails if the destination already
exists to prevent accidental overwrites.

internal/cli/unlockers.go

@@ -99,24 +99,27 @@ func newUnlockerAddCmd() *cobra.Command {
 	}
 
 	cmd := &cobra.Command{
-		Use:   "add <type> [keyid]",
+		Use:   "add <type>",
 		Short: "Add a new unlocker",
-		Long:  fmt.Sprintf(`Add a new unlocker of the specified type (%s).`, supportedTypes),
-		Args:  cobra.RangeArgs(1, 2), //nolint:mnd // Command accepts 1 or 2 arguments
+		Long: fmt.Sprintf(`Add a new unlocker of the specified type (%s).
+
+For PGP unlockers, you can optionally specify a GPG key ID with --keyid.
+If not specified, the default GPG key will be used.`, supportedTypes),
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cli := NewCLIInstance()
+			unlockerType := args[0]
 
-			// For PGP type, check if keyid is provided as positional argument
-			if args[0] == "pgp" && len(args) == 2 {
-				// Override any flag value with the positional argument
-				_ = cmd.Flags().Set("keyid", args[1])
+			// Check if --keyid was used with non-PGP type
+			if unlockerType != "pgp" && cmd.Flags().Changed("keyid") {
+				return fmt.Errorf("--keyid flag is only valid for PGP unlockers")
 			}
 
-			return cli.UnlockersAdd(args[0], cmd)
+			return cli.UnlockersAdd(unlockerType, cmd)
 		},
 	}
 
-	cmd.Flags().String("keyid", "", "GPG key ID for PGP unlockers")
+	cmd.Flags().String("keyid", "", "GPG key ID for PGP unlockers (optional, uses default key if not specified)")
 
 	return cmd
 }