feat: improve secret-ref UX and docs for profiles #110

Merged: rmanibus merged 1 commit into main from feat/rfc0011-docs-ux-secret-refs on Mar 15, 2026

@rmanibus
Contributor

Summary

Implement RFC 0011 issue #91 with CLI UX and documentation updates for profile/store secret references.

What Changed

  • Store CLI UX
    • store new now accepts explicit *_secret flags:
      • -password-secret, -encryption-key-secret, -recovery-key-secret
      • -s3-access-key-secret, -s3-secret-key-secret
      • -store-sftp-password-secret, -store-sftp-key-secret
    • Legacy *-env flags remain supported and are converted to env://... refs when writing.
    • When both *-secret and *-env are provided, *-secret wins.
  • CLI help/completion
    • Updated usage docs (cloudstic help) for new *_secret flags.
    • Updated shell completion definitions for new store flags.
  • Documentation
    • docs/user-guide.md: secret ref guidance, scheme list, examples, and headless fallback guidance.
    • docs/encryption.md: explicit separation between repository key slots and profile credential references.

Notes

For documentation examples, this PR assumes cross-platform secret schemes are available:

  • keychain://... (macOS)
  • wincred://... (Windows)
  • secret-service://... (Linux)

Validation

  • go test ./cmd/cloudstic -count=1
  • go test ./...
  • golangci-lint run ./...

Tracking

@rmanibus added the enhancement and documentation labels on Mar 15, 2026
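
The flag precedence described in the PR summary above (*-secret wins over *-env, and a legacy *-env value is written as an env://... ref), as an added Go example that is not Cloudstic's own code. resolveSecretRef is a hypothetical helper; the scheme allowlist, the rejection of scheme-less values, and the sample values are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Schemes named on this page; using them as an allowlist is an assumption.
var knownSchemes = []string{"env://", "keychain://", "wincred://", "secret-service://"}

// resolveSecretRef (hypothetical) returns the reference to write to the
// profile for one credential, given its *-secret and legacy *-env flag values.
func resolveSecretRef(secretFlag, envFlag string) (string, error) {
	switch {
	case secretFlag != "":
		// *-secret wins over *-env when both are provided.
		for _, s := range knownSchemes {
			if strings.HasPrefix(secretFlag, s) && len(secretFlag) > len(s) {
				return secretFlag, nil
			}
		}
		// Reject scheme-less input so a pasted plaintext secret is never
		// stored as a "ref"; the value is deliberately not echoed back.
		return "", fmt.Errorf("not a secret reference (want one of %v)", knownSchemes)
	case envFlag != "":
		// Legacy flag carries a bare variable name; convert to an env:// ref.
		if strings.ContainsAny(envFlag, "/:= ") {
			return "", fmt.Errorf("invalid environment variable name %q", envFlag)
		}
		return "env://" + envFlag, nil
	default:
		return "", nil // credential not configured
	}
}

func main() {
	// Constructed sample inputs: {value of *-secret, value of *-env}.
	cases := [][2]string{
		{"keychain://cloudstic/prod/password", "CLOUDSTIC_PASSWORD"},
		{"", "CLOUDSTIC_PASSWORD"},
		{"hunter2", ""},
	}
	for _, c := range cases {
		ref, err := resolveSecretRef(c[0], c[1])
		fmt.Printf("secret=%q env=%q -> ref=%q err=%v\n", c[0], c[1], ref, err)
	}
}
```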
@codecov

codecov Bot commented Mar 15, 2026

Codecov Report

❌ Patch coverage is 63.74269% with 124 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/cloudstic/cmd_store.go | 63.77% | 68 Missing and 28 partials ⚠️ |
| cmd/cloudstic/usage.go | 0.00% | 14 Missing ⚠️ |
| cmd/cloudstic/interactive.go | 33.33% | 10 Missing ⚠️ |
| cmd/cloudstic/secret_store_stub.go | 0.00% | 4 Missing ⚠️ |

@rmanibus force-pushed the feat/rfc0011-docs-ux-secret-refs branch 2 times, most recently from 1ea20b9 to 335abba, on March 15, 2026 21:07
@rmanibus force-pushed the feat/rfc0011-docs-ux-secret-refs branch from 335abba to e3e1d8f on March 15, 2026 21:13
@rmanibus merged commit b9d0f93 into main on Mar 15, 2026
5 checks passed
@rmanibus deleted the feat/rfc0011-docs-ux-secret-refs branch on March 15, 2026 21:16
@rmanibus requested a review from Copilot on March 15, 2026 23:10

Copilot AI left a comment

Pull request overview

Adds richer store credential/encryption handling to the Cloudstic CLI by introducing secret reference flags and interactive flows (including macOS Keychain writes), plus a new store verify command to validate store connectivity and encrypted-repo unlock.

Changes:

  • Added cloudstic store verify subcommand and updated CLI usage + shell completions.
  • Enhanced store new to support *_secret flags, prefill existing store values in interactive mode, and verify configured encryption credentials for initialized encrypted repos.
  • Expanded docs on secret reference usage and interactive encryption setup.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.

| File | Description |
|---|---|
| docs/user-guide.md | Documents store verify and recommends *_secret secret-ref fields/schemes. |
| docs/encryption.md | Adds explanation of profile credential references and supported secret-ref schemes. |
| cmd/cloudstic/usage.go | Updates help output for new subcommand and new *-secret flags. |
| cmd/cloudstic/secret_store_stub.go | Non-darwin stubs for native secret store write/exists helpers. |
| cmd/cloudstic/secret_store_darwin.go | macOS implementation for writing/checking secrets via security. |
| cmd/cloudstic/secret_store_darwin_test.go | Unit tests for the macOS security command invocations. |
| cmd/cloudstic/runner.go | Adds reusable stdin/line reader plumbing to support interactive prompting. |
| cmd/cloudstic/interactive.go | Uses runner line reader; adds hidden-input secret prompt. |
| cmd/cloudstic/completion.go | Adds completions for store verify and the new *-secret flags. |
| cmd/cloudstic/cmd_store.go | Implements store verify, secret-ref flag handling, interactive encryption config, and verification of encrypted repo unlock credentials. |
| cmd/cloudstic/cmd_store_test.go | Adds/updates tests covering prefills, secret refs, credential verification, and missing-secret behavior. |

Comment thread cmd/cloudstic/secret_store_darwin.go
Comment thread cmd/cloudstic/secret_store_darwin.go
Comment thread cmd/cloudstic/interactive.go
Comment thread docs/encryption.md
Comment thread docs/user-guide.md
Comment thread cmd/cloudstic/usage.go
Comment thread cmd/cloudstic/usage.go

Development

Successfully merging this pull request may close these issues.

RFC 0011: Documentation and CLI UX updates for profile secret references