pkgs/clan: Improve error message on clan secrets users add

Improve error message on `clan secrets users add [user] --age-key
`AGE-PLUGIN-YUBIKEY`

Since there is no way to get the recipient through the AGE-PLUGIN-YUBIKEY,
we should fail fast and give an actionable error to the user.

pkgs/clan-cli/clan_cli/secrets/types.py

@@ -21,6 +21,12 @@ def secret_name_type(arg_value: str) -> str:
 def public_or_private_age_key_type(arg_value: str) -> str:
     if Path(arg_value).is_file():
         arg_value = Path(arg_value).read_text().strip()
+    elif arg_value.startswith("AGE-PLUGIN-"):
+        msg = (
+            f"AGE-PLUGIN keys cannot be used directly as they are plugin identifiers, not recipient keys. "
+            f"Please provide the corresponding age1 public key instead. Got: '{arg_value}'"
+        )
+        raise ClanError(msg)
 
     public_keys = get_public_age_keys(arg_value)
 

pkgs/clan-cli/clan_cli/tests/test_secrets_cli.py

@@ -1050,3 +1050,28 @@ def test_secrets_key_generate_gpg(
                     ]
                 )
             assert output.out == "secret-value"
+
+
+@pytest.mark.with_core
+def test_secrets_users_add_age_plugin_error(
+    test_flake_with_core: FlakeForTest,
+) -> None:
+    """Test that AGE-PLUGIN keys raise proper error message"""
+    with pytest.raises(ClanError) as exc_info:
+        cli.run(
+            [
+                "secrets",
+                "users",
+                "add",
+                "--flake",
+                str(test_flake_with_core.path),
+                "testuser",
+                "AGE-PLUGIN-YUBIKEY-18P5XCQVZ5FE4WKCW3NJWP",
+            ]
+        )
+
+    error_msg = str(exc_info.value)
+    assert "AGE-PLUGIN keys cannot be used directly" in error_msg
+    assert "plugin identifiers, not recipient keys" in error_msg
+    assert "corresponding age1 public key instead" in error_msg
+    assert "AGE-PLUGIN-YUBIKEY-18P5XCQVZ5FE4WKCW3NJWP" in error_msg