Add a method to rotate encryption password #263
Open
Labels
enhancement (New feature or request)
Description
ToolHive currently lacks any method to rotate/change the encryption password. Users must delete the keyring entry (with thv secret reset-keyring) and secrets_encrypted file and start over.
It would be good to have a method to do this.
We might also consider letting ToolHive generate a random password, assuming keyring access is verified on the user's system? (This could also imply an additional thv secret init --generate command to do this initially, and/or a question when running the first secret command?)
Potential workflow
Interactive version:
$ thv secret rotate-password
Enter the new encryption password:
# User enters new password, ToolHive re-encrypts the file, then updates the keyring entry
Non-interactive version:
$ thv secret rotate-password --generate
# ToolHive generates a strong random password, re-encrypts the file, then updates the keyring entry
# IF keyring update fails for any reason, display the generated password to the user so they're not locked out of their file?
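The `--generate` flow proposed above, sketched in Go as an added example (not ToolHive code and not part of the original issue). `Rotator`, `Reencrypt` and `StoreInKeyring` are hypothetical hooks standing in for the file re-encryption and the keyring update, and the 32-byte password size is an assumption.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Rotator bundles the two side effects of a rotation. Both hooks are
// hypothetical stand-ins, not ToolHive APIs.
type Rotator struct {
	Reencrypt      func(newPassword string) error // rewrite the secrets file under the new password
	StoreInKeyring func(newPassword string) error // replace the keyring entry
}

// GeneratePassword reads 32 bytes from the OS CSPRNG and returns them
// base64url-encoded without padding (43 characters).
func GeneratePassword() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Rotate follows the order in the issue: generate, re-encrypt, then update
// the keyring. reveal is non-empty only when the file is already under the
// new password but the keyring write failed, which is the one case where
// the caller has to show the password to avoid a lockout.
func (r Rotator) Rotate() (reveal string, err error) {
	pw, err := GeneratePassword()
	if err != nil {
		return "", fmt.Errorf("generate password: %w", err)
	}
	if err := r.Reencrypt(pw); err != nil {
		// File is still under the old password and the keyring is untouched.
		return "", fmt.Errorf("re-encrypt: %w", err)
	}
	if err := r.StoreInKeyring(pw); err != nil {
		return pw, fmt.Errorf("keyring update: %w", err)
	}
	return "", nil
}

func main() {
	r := Rotator{ // constructed stubs: re-encryption succeeds, keyring is unavailable
		Reencrypt:      func(string) error { return nil },
		StoreInKeyring: func(string) error { return errors.New("keyring locked") },
	}
	reveal, err := r.Rotate()
	fmt.Printf("err=%v show-password-to-user=%t\n", err, reveal != "")
}
```

A failure in `Reencrypt` returns no password, because at that point the old password in the keyring still opens the file.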