CLI: support credential maps

[josephjclark]

Short Description

This PR allows credentials to be passed to the CLI. When running a workflow with Lightning credential UUIDs, users can pass a value for each id.

Fixes #210 and part of the #1186 epic

Implementation Details

This PR does several things:

• Allow --credential to passed to the CLI, which is a path to a JSON object which maps
• The CLI will apply credentials in the map to the incoming execution plan before the runtime gets hold of it
• Note that configuration strings which are paths, like my-cred.json, still work (although I don't know why we need this)
• When pulling from lightning, project credentials are written to step.configuration

It may be interesting to note that the credential map is not supported at all by the runtime. Just like the Worker, its the CLI's responsibility to resolve credentials into a manageable, executable form.

Other work

Probably not in this PR, but here is some related stuff wot needs looking at?

• DONE We should support yaml credential maps
• Maybe credential ids can be partial? Makes sense with UUIDS but probably not with user ids
• Later, add the credential map to the Workspace (I've paused because do we default it?)
• Work out how to support keychain credentials

AI Usage

Please disclose how you've used AI in this work (it's cool, we just want to know!):

• Code generation (copilot but not intellisense)
• Learning or fact checking
• Strategy / design
• Optimisation / refactoring
• Translation / spellchecking / doc gen
• Other
• I have not used AI

You can read more details in our Responsible AI Policy

[josephjclark]

It would be really nice, when pulling a project, if we could:

1. generate a credential map with empty values and a nice comment
2. warn the user if we detect any unset credentials. So we need a validateCredentialMap function.

This is probably for later