
init --decrypt without talm.key: error needs recovery-path hint #177

@lexfrei

Problem

talm init --decrypt against a project where talm.key is missing emits a raw stack-style error with no hint about the recovery path:

failed to decrypt secrets: load key: read key file: open /tmp/project/talm.key: no such file or directory

Operators don't always know that talm.key is required to decrypt — the message reads like a bug in talm rather than "you need to restore your key".

Reproduction

mkdir /tmp/talm-decrypt-test && cd /tmp/talm-decrypt-test
talm init --preset cozystack --name test --endpoints https://192.0.2.1:6443
mv talm.key /tmp/key.backup
talm init --decrypt

Error path: pkg/age/age.go:32 (the load key wrapper in DecryptString) bubbles up through pkg/commands/init.go decrypt entrypoint without adding a hint.

Expected

A hint pointing at the recovery options:

failed to decrypt secrets: load key: read key file: open .../talm.key: no such file or directory
hint: talm.key is required to decrypt secrets.encrypted.yaml. Restore your
      backed-up key, or re-run `talm init` to regenerate (will write new
      secrets — the old ones will not be decryptable without the original key).

Trivially achievable by adding errors.WithHint in either pkg/age/age.go at the load-key site or in pkg/commands/init.go at the decrypt entrypoint.

Why this matters

talm.key loss is a real operational scenario (laptop swap, lost backup, fresh checkout). The current error suggests an internal bug; the fixed version points at recovery.

Surfaced during the dev17 manual test plan exercise.
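
One way to implement the hinted error path described above, written as an added example rather than talm's own code: the names `loadKey`, `decryptSecrets`, `hintError`, `withHint` and `render` are assumptions for illustration, not identifiers from pkg/age or pkg/commands/init.go, and the example uses only the standard library instead of whatever `errors.WithHint` implementation the project would pick. The point it demonstrates is the one a practitioner would want checked: the hint is attached only when the underlying cause is `fs.ErrNotExist`, so a permissions or read error on an existing key keeps its own meaning instead of telling the operator to regenerate secrets, and the original cause stays reachable through `errors.Is`.

```go
// Added example (not talm's own code): attach a recovery hint to the
// "key file missing" error path so the operator sees what to do instead of
// a bare os.Open failure. loadKey, decryptSecrets, hintError, withHint and
// render are assumed names for illustration, not talm's real identifiers.
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// keyHint is the operator-facing recovery hint for a missing talm.key.
const keyHint = "talm.key is required to decrypt secrets.encrypted.yaml. Restore your\n" +
	"      backed-up key, or re-run `talm init` to regenerate (will write new\n" +
	"      secrets; the old ones will not be decryptable without the original key)."

// hintError wraps an error with a recovery hint. Unwrap keeps the original
// cause reachable so callers can still use errors.Is / errors.As on it.
type hintError struct {
	err  error
	hint string
}

func (e *hintError) Error() string { return e.err.Error() }
func (e *hintError) Unwrap() error { return e.err }

// withHint attaches a hint to err (no-op for nil).
func withHint(err error, hint string) error {
	if err == nil {
		return nil
	}
	return &hintError{err: err, hint: hint}
}

// hintOf returns the hint found in the error chain, or "" if none.
func hintOf(err error) string {
	var h *hintError
	if errors.As(err, &h) {
		return h.hint
	}
	return ""
}

// loadKey mirrors the failing load-key step: it reads the key file and wraps
// the OS error so the path and cause stay in the message.
func loadKey(path string) ([]byte, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("load key: read key file: %w", err)
	}
	return b, nil
}

// decryptSecrets is the decrypt entrypoint. It adds the hint only for the
// "key file does not exist" case; other failures (unreadable key, key path
// is a directory, ...) are returned unchanged.
func decryptSecrets(projectDir string) error {
	keyPath := filepath.Join(projectDir, "talm.key")
	if _, err := loadKey(keyPath); err != nil {
		err = fmt.Errorf("failed to decrypt secrets: %w", err)
		if errors.Is(err, fs.ErrNotExist) {
			return withHint(err, keyHint)
		}
		return err
	}
	// Actual decryption of secrets.encrypted.yaml would follow here.
	return nil
}

// render formats an error the way the expected output in the issue shows:
// the original message, then a "hint:" line when one is attached.
func render(err error) string {
	if err == nil {
		return ""
	}
	var sb strings.Builder
	sb.WriteString(err.Error())
	if h := hintOf(err); h != "" {
		sb.WriteString("\nhint: ")
		sb.WriteString(h)
	}
	return sb.String()
}

func main() {
	// Empty project dir: no talm.key, so the hinted error path is taken.
	dir, _ := os.MkdirTemp("", "talm-decrypt-test")
	defer os.RemoveAll(dir)
	if err := decryptSecrets(dir); err != nil {
		fmt.Fprintln(os.Stderr, render(err))
		os.Exit(1)
	}
}
```

Running it against an empty directory prints the same first line as the issue's error, followed by the `hint:` block; running it against a directory containing a talm.key returns nil, and a key path that exists but cannot be read produces the bare wrapped error with no hint.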

Metadata

Assignees: No one assigned

Labels:
- area/age: Issues or PRs related to pkg/age (key generation, encrypt/decrypt, rotation)
- area/init: Issues or PRs related to talm init (project bootstrap, encrypt/decrypt, --update flow)
- kind/cleanup: Categorizes issue or PR as related to cleanup of code, process, or technical debt
- priority/backlog: General backlog priority. Lower than priority/important-longterm
- triage/accepted: Indicates an issue is ready to be actively worked on

Type: No type

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests