Description
Right now, the code will default to using the encrypted provider (i.e. the local provider) if no secrets provider is explicitly configured, and will prompt the user for a decryption password on the first use of any secrets functionality if none has been set up.
In order to support the API, we need to enforce a separate setup step which will prompt the user to select the type of secrets provider they want, and provide any details needed (the decryption password for the encrypted provider, and the token for the 1Password provider type). This should be exposed as a dedicated CLI command (e.g. thv secrets setup).
At minimum, we should treat it as an error to call a CLI command relating to secrets if the user has not set up a secrets provider. We may also want to consider calling the command automatically.