Function resolve_key_with_source 

pub fn resolve_key_with_source(
    vault_path: &str,
) -> Result<(SecretString, KeySource), String>

Resolve the secret key and report where it came from.

Checks, in order:

  1. MURK_KEY env var (explicit key)
  2. MURK_KEY_FILE env var (path to a key file)
  3. ~/.config/murk/keys/<hash-of-vault-path> (automatic lookup)

.env is not consulted at runtime. It is a write-only convenience that murk init populates with a MURK_KEY_FILE reference for direnv to export. Reading .env at runtime would let a copied vault in another repo borrow whichever key happened to be referenced in the current working directory’s .env — a confused-deputy path that defeats per-vault key isolation.
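The lookup order and the per-vault isolation described above, as an added sketch that is not murk's own code. Assumptions: the `Source` variant names are hypothetical, `DefaultHasher` stands in for the unspecified `<hash-of-vault-path>`, a plain `String` replaces `SecretString`, the environment and keys directory are injected as parameters, and an unreadable `MURK_KEY_FILE` is treated as an error.

```rust
use std::collections::hash_map::DefaultHasher;
use std::fs;
use std::hash::{Hash, Hasher};
use std::path::{Path, PathBuf};

// Hypothetical variant names; the page does not list KeySource's variants.
#[derive(Debug, PartialEq)]
pub enum Source { EnvKey, EnvKeyFile, AutoLookup }

// Stand-in for <hash-of-vault-path>. DefaultHasher is not stable across Rust
// releases, so a real tool would need a fixed, documented hash here.
fn vault_slot(keys_dir: &Path, vault_path: &str) -> PathBuf {
    let mut h = DefaultHasher::new();
    vault_path.hash(&mut h);
    keys_dir.join(format!("{:016x}", h.finish()))
}

fn read_key(path: &Path) -> Result<String, String> {
    fs::read_to_string(path)
        .map(|s| s.trim().to_string())
        .map_err(|e| format!("cannot read {}: {}", path.display(), e))
}

// `env` is injected so the order can be exercised without touching process state.
// Nothing here opens .env or inspects the current working directory.
pub fn resolve(
    vault_path: &str,
    keys_dir: &Path,
    env: &dyn Fn(&str) -> Option<String>,
) -> Result<(String, Source), String> {
    if let Some(k) = env("MURK_KEY").filter(|k| !k.is_empty()) {
        return Ok((k, Source::EnvKey));
    }
    // Assumption: fail closed instead of falling through to the automatic lookup.
    if let Some(p) = env("MURK_KEY_FILE").filter(|p| !p.is_empty()) {
        return read_key(Path::new(&p)).map(|k| (k, Source::EnvKeyFile));
    }
    let slot = vault_slot(keys_dir, vault_path);
    if slot.is_file() {
        return read_key(&slot).map(|k| (k, Source::AutoLookup));
    }
    Err(format!("no key found for vault {}", vault_path))
}

fn main() {
    // Constructed vault path and keys directory, for illustration only.
    let keys = std::env::temp_dir().join("murk-example-keys");
    let env = |name: &str| std::env::var(name).ok();
    match resolve("/srv/app-a/vault", &keys, &env) {
        Ok((_, src)) => println!("key resolved via {:?}", src),
        Err(e) => println!("{}", e),
    }
}
```

Because the automatic slot is derived from the vault path alone, a vault copied to a different path finds no key unless the caller exports one explicitly.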