feat: redesign pass_mgr CLI interface

New commands:
- pass_mgr list                              # list all keys
- pass_mgr get-secret --key <key>            # get secret
- pass_mgr get-username --key <key>          # get username
- pass_mgr set --key <k> --username <u> --secret <s>  # set credential
- pass_mgr unset --key <key>                 # remove credential
- pass_mgr generate --key <key> [--username] # generate random secret
- pass_mgr rotate --key <key>               # rotate secret, keep username
- pass_mgr admin init                        # initialize

Also updated pcexec to recognize new get-secret format (with backward compat).

plugin/tools/pcexec.ts

@@ -58,8 +58,15 @@ export interface PcExecError extends Error {
 function extractPassMgrGets(command: string): Array<{ key: string; fullMatch: string }> {
   const results: Array<{ key: string; fullMatch: string }> = [];
   
-  // Pattern for $(pass_mgr get key) or `pass_mgr get key`
+  // Patterns for both old and new pass_mgr formats:
+  //   Old: $(pass_mgr get key), `pass_mgr get key`, pass_mgr get key
+  //   New: $(pass_mgr get-secret --key key), `pass_mgr get-secret --key key`
   const patterns = [
+    // New format: pass_mgr get-secret --key <key>
+    /\$\(\s*pass_mgr\s+get-secret\s+--key\s+(\S+)\s*\)/g,
+    /`\s*pass_mgr\s+get-secret\s+--key\s+(\S+)\s*`/g,
+    /pass_mgr\s+get-secret\s+--key\s+(\S+)/g,
+    // Old format (backward compat): pass_mgr get <key>
     /\$\(\s*pass_mgr\s+get\s+(\S+)\s*\)/g,
     /`\s*pass_mgr\s+get\s+(\S+)\s*`/g,
     /pass_mgr\s+get\s+(\S+)/g,
@@ -84,7 +91,7 @@ function extractPassMgrGets(command: string): Array<{ key: string; fullMatch: st
 async function getPassword(key: string): Promise<string> {
   return new Promise((resolve, reject) => {
     const passMgrPath = process.env.PASS_MGR_PATH || 'pass_mgr';
-    const child = spawn(passMgrPath, ['get', key], {
+    const child = spawn(passMgrPath, ['get-secret', '--key', key], {
       stdio: ['ignore', 'pipe', 'pipe'],
       env: {
         ...process.env,