Implement process for migrating keys and algorithms

[dmjb]

Fixes #3315

Implement CLI command which is used to migrate keys and algorithms. This will:

1. Open connection to the DB
2. Query for secrets which do not have the default key ID or algorithm 3) Decrypts and re-encrypts with new data
3. Wraps all the above in a transaction which asks permission before
   commiting

State secrets in the session state table are deleted. Since they are short-lived secrets, there is no point in migrating them.

Tested locally.

Summary

Provide a brief overview of the changes and the issue being addressed.
Explain the rationale and any background necessary for understanding the changes.
List dependencies required by this change, if any.

Fixes #(related issue)

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.

[blkt]

LGTM, just left a couple of non-blocking suggestions.

[coveralls]

coverage: 52.021%. remained the same
when pulling 909bfad on key-rotate-command
into ad16d48 on main.

[blkt]

I like the split, thanks @dmjb