feat: add mapping mode for multi-key Vault secrets

[mdemauroy]

Summary

• Add a mapping configuration option to map environment variables to specific keys within multi-key Vault secrets, as an alternative to the path_prefix convention
• Implement MultiKeyProvider interface and ReadSecret on vaultProvider to support reading all key-value pairs from a single secret path
• Add CollectMappedSecrets helper that batches reads by path to minimize API calls
• Validate that mapping and path_prefix are mutually exclusive; block write/delete in mapping mode (read-only)

Example configuration

envs:
  dev:
    provider: vault
    mapping:
      MY_FIRST_TOKEN:
        path: shared/cdn
        key: MY_TOKEN
      MY_APIKEY:
        path: app/cms
        key: MY_API_KEY

Test plan

• Unit tests for CollectMappedSecrets (success, missing key, missing path, empty, deduplication)
• Unit tests for config loading with mapping and mutual exclusion validation
• Compile-time check that vaultProvider implements MultiKeyProvider

[mdemauroy]

Hi @BinSquare ! It would be great if you could check my addition to your awesome tool, I'm eager to use it as soon as possible with the multi-key / values vault secrets. It seems to work as intended but since I'm far from being an Go developer and I've received a lot of help from Claude Code youre validation is of course mandatory and required.
Thx 🙏

[BinSquare]

Looks mostly good!

Some slight changes requested.
Also recommend that you squash commits first.

Thanks for your contribution!

[mdemauroy]

Hi @BinSquare thanks a lot for that quick reply !
I've done my best and I hope my changes are ok but feel free to point any mistake.

Thank you for your time 🙏

[BinSquare]

well done, merging.