fix: accept secret value as separate argument in vault put

[stack72]

Summary

• Changed vault put argument signature from <vault_name> <key_value> to <vault_name> <key> [value] so users can pass the secret as a separate positional argument
• When 3 args given, treats arg2 as key and arg3 as value directly (no KEY=VALUE parsing needed)
• When 2 args given, maintains full backward compatibility: KEY=VALUE format, stdin piping, and interactive prompt all still work
• Updated error message to mention all three input methods including the new 3-arg form

Test Plan

• All 3564 existing tests pass
• Updated test for new error message format (now mentions <key> <value> form)
• deno check, deno lint, deno fmt all clean
• Manual test: swamp vault put <vault> KEY value works
• Manual test: swamp vault put <vault> KEY=value still works (backward compat)
• Manual test: echo "value" | swamp vault put <vault> KEY still works

Closes #880

Co-authored-by: Blake Irvin bixu@users.noreply.github.com

🤖 Generated with Claude Code

[github-actions]

CLI UX Review

Blocking

None.

Suggestions

1. vault_put.ts argument signature — The new .arguments("<vault_name:string> <key:string> [value:string]") is surfaced in --help output. The [value] bracket correctly signals optionality. One minor note: the help text for this command has no description for the arguments themselves (Cliffy doesn't always show per-argument descriptions), so users discovering the command via --help may not immediately see that the old KEY=VALUE form and stdin piping still work. Consider adding a note to .description() or a .example() call to surface all three input methods, e.g.:

   .example("Separate args", "swamp vault put myvault MY_KEY secretvalue")
   .example("Inline KEY=VALUE", "swamp vault put myvault MY_KEY=secretvalue")
   .example("Stdin", "echo secretvalue | swamp vault put myvault MY_KEY")
   

2. Error message formatting — The updated error message in resolveKeyValue now lists three forms (separate arg, inline, stdin), which is clearer than before. The wording Provide the value as a separate argument, inline, or via stdin: is accurate and readable. No change needed, just a note that this is a nice improvement.

Verdict

PASS — The new 3-arg form is a clear UX improvement with full backward compatibility. Help text and error messages are consistent with the rest of the CLI. No blocking issues.

[github-actions]

Code Review

Blocking Issues

None.

Suggestions

1. Consider a unit test for the 3-arg path in the action handler (vault_put_test.ts): The new valueArg !== undefined branch is straightforward (two assignments), but a test exercising the command with three positional arguments would give full coverage of the new feature. Not blocking since the path is trivial and the manual test plan covers it.

Overall this is a clean, well-structured change. The backward compatibility is preserved correctly, the priority order (explicit arg > KEY=VALUE > stdin > interactive) is clearly commented, the libswamp import boundary is respected, and the error message update with the corresponding test update is thorough.