Problem
The client secret can only be supplied via the ANGLERFISH_CLIENT_SECRET environment variable (src/anglerfish/config.py, src/anglerfish/auth.py). Secret-file delivery is the norm for systemd LoadCredential, Docker/Kubernetes secrets, and agent-based secret managers, and it keeps the value out of process environments.
Proposal
Add ANGLERFISH_CLIENT_SECRET_FILE (and ANGLERFISH_CERT_PASSPHRASE_FILE): when set, read the value from that file (stripping a trailing newline). The plain env var wins if both are set, or error on ambiguity — maintainer is open to either, state your choice in the PR. Mirror the existing certificate-path handling in auth.py for style.
Acceptance:
- Documented in .env.example and README configuration section.
- Unit tests for: file present, file missing (clean AuthenticationError), both variables set.
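
The lookup proposed above, as an added example that is not taken from the Anglerfish code base: `resolve_secret` and the local `AuthenticationError` class are hypothetical stand-ins. Of the two behaviours the issue allows, it raises when both variables are set; it also assumes an empty secret file should be rejected.

```python
import os
from pathlib import Path
from typing import Mapping, Optional


class AuthenticationError(Exception):
    """Local stand-in for the project's AuthenticationError (assumed shape)."""


def resolve_secret(name: str, environ: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return the secret from NAME or NAME_FILE, or None if neither is set.

    Hypothetical helper. Treats "both set" as an error instead of letting
    the plain variable win (the issue permits either choice).
    """
    file_var = f"{name}_FILE"
    inline = environ.get(name)
    path = environ.get(file_var)

    if inline and path:
        raise AuthenticationError(f"{name} and {file_var} are both set; set only one")
    if inline:
        return inline
    if not path:
        return None

    try:
        # Read bytes so no newline translation happens before stripping.
        value = Path(path).read_bytes().decode("utf-8")
    except (OSError, UnicodeDecodeError) as exc:
        # Report the path and the reason, never any file contents.
        reason = exc.strerror if isinstance(exc, OSError) else "not valid UTF-8"
        raise AuthenticationError(f"cannot read {file_var}={path}: {reason}") from None

    # Strip exactly one trailing newline (LF or CRLF); any other whitespace
    # may be part of the secret and is preserved.
    if value.endswith("\n"):
        value = value[:-1]
        if value.endswith("\r"):
            value = value[:-1]
    if not value:
        # Assumption: an empty secret file is a misconfiguration.
        raise AuthenticationError(f"{file_var}={path} is empty")
    return value
```
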