Secret References: CLI-Based Env Variable Injection for Developer Workflows
Add support for secret references in developer environments, allowing users to reference Proton Pass secrets directly in shell sessions and configuration files without ever writing sensitive values to disk in plain text.
The Problem
Developers currently have no way to use Proton Pass as the single source of truth for secrets in their development workflows. Even with a .env file properly added to .gitignore, credentials still exist in plain text on disk, vulnerable to accidental exposure, editor leaks, and local filesystem access.
Each developer on a team must also manually sync secret values out-of-band, creating drift and security gaps.
Proposed Solution
Introduce a pass CLI command (e.g. proton-pass run or pass inject) that resolves secret references at runtime and injects them as environment variables into a process, similar to how 1Password's op run command works.
This would enable a workflow like:
```bash
proton-pass run -- node server.js
```
Where a .env file (or shell config) contains only references, never values:
```
DATABASE_URL=op://vault/postgres/connection-string
API_SECRET=op://vault/stripe/secret-key
```
The CLI authenticates with Proton Pass (via session token or biometric unlock), resolves each reference at runtime, and passes the real values only to the child process's environment, so the plaintext secrets never touch the filesystem.
Key Capabilities Requested
- A proton-pass run CLI command that wraps a process and injects resolved secrets as environment variables
- Support for a reference syntax (e.g. proton://vault/item/field) pointing to specific vault items and fields
- Integration with .env-style files so tools like dotenv, direnv, and Docker Compose can pick up the resolved values without modification
- A proton-pass inject variant that prints resolved output to stdout for piping into scripts
- Optional: a VS Code / JetBrains extension that resolves references transparently during local development
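To make the `run` and `inject` behaviour above concrete, here is an added example (not Proton Pass code, and not an existing CLI): a minimal resolver that parses a `.env`-style file, replaces `proton://vault/item/field` references with values from an in-memory stand-in for the vault, and either spawns a child process with the resolved environment or prints shell-quoted `export` lines to stdout. The reference syntax, the `FAKE_VAULT` contents and the function names are assumptions for illustration; a real implementation would resolve references over an authenticated session with the password manager.

```python
"""Added example: `run` / `inject` model for reference-based secret injection.
Nothing here is Proton Pass code; the vault is a constructed in-memory stand-in."""
import os
import re
import shlex
import subprocess
import sys
from typing import Dict, List, Mapping, Optional, Tuple

# Assumed reference syntax from the request: proton://<vault>/<item>/<field>
REFERENCE_RE = re.compile(r"^proton://(?P<vault>[^/]+)/(?P<item>[^/]+)/(?P<field>[^/]+)$")

# Constructed stand-in for the vault. A real CLI would fetch these over an
# authenticated session; values are only ever held in memory here.
FAKE_VAULT: Dict[Tuple[str, str, str], str] = {
    ("vault", "postgres", "connection-string"): "postgres://app:s3cr3t@db.internal/app",
    ("vault", "stripe", "secret-key"): "sk_test_pa$$word",  # constructed, not a real key
}

# Constructed sample .env contents: references and one plain value.
SAMPLE_ENV_TEXT = """\
# database and billing secrets live in the vault, not on disk
DATABASE_URL=proton://vault/postgres/connection-string
API_SECRET=proton://vault/stripe/secret-key
LOG_LEVEL=debug
"""

PYTHON = sys.executable  # interpreter path, used by the stand-alone demo below


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {line!r}")
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def resolve_reference(value: str, vault: Mapping[Tuple[str, str, str], str]) -> str:
    """Return the secret a proton:// reference points to; plain values pass through."""
    match = REFERENCE_RE.match(value)
    if match is None:
        return value
    key = (match["vault"], match["item"], match["field"])
    if key not in vault:
        # Fail closed: a missing secret must not silently become an empty string.
        raise KeyError(f"unresolved reference {value}")
    return vault[key]


def build_env(entries: Mapping[str, str], vault: Mapping[Tuple[str, str, str], str],
              base_env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Merge resolved entries over the inherited environment (or over base_env)."""
    env = dict(os.environ if base_env is None else base_env)
    for key, value in entries.items():
        env[key] = resolve_reference(value, vault)
    return env


def inject(env_text: str, vault: Mapping[Tuple[str, str, str], str]) -> str:
    """`inject` variant: shell-quoted export lines for piping, written to stdout only."""
    resolved = build_env(parse_env_file(env_text), vault, base_env={})
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in resolved.items())


def run(command: List[str], env_text: str, vault: Mapping[Tuple[str, str, str], str]) -> int:
    """`run` variant: spawn the child with resolved values present only in its environment."""
    env = build_env(parse_env_file(env_text), vault)
    return subprocess.run(command, env=env, check=False).returncode


if __name__ == "__main__":
    # Demo: the child reads DATABASE_URL from its environment; no file is written.
    child = [PYTHON, "-c", "import os; print('child sees', os.environ['DATABASE_URL'][:11] + '...')"]
    sys.exit(run(child, SAMPLE_ENV_TEXT, FAKE_VAULT))
```

The `inject` output is shell-quoted so that a value containing `$` or spaces survives `eval "$(proton-pass inject)"` intact; `run` inherits the parent environment and overlays only the resolved keys, which is what tools such as dotenv or Docker Compose would expect to find.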
Why This Matters
Proton Pass is already trusted for personal and team credentials. Extending it into the developer workflow, where secrets are most often mishandled, makes it a complete end-to-end secrets solution. It directly addresses the gap between "secure storage" and "secure usage," which is where most breaches actually happen.
This feature would make Proton Pass a compelling alternative to 1Password Secrets Automation and HashiCorp Vault for individual developers and small teams who don't need enterprise-scale infrastructure but do need secrets hygiene.