switch from client_secret to client_secret_file

internal/config/config_test.go

@@ -39,14 +39,19 @@ netrc_path = "/home/user/.config/nix/netrc"
 	}
 }
 
-func TestLoadConfigWithClientSecret(t *testing.T) {
+func TestLoadConfigWithClientSecretFile(t *testing.T) {
 	dir := t.TempDir()
 	cfgFile := filepath.Join(dir, "config.toml")
+	secretFile := filepath.Join(dir, "secret")
+
+	if err := os.WriteFile(secretFile, []byte("super-secret\n"), 0600); err != nil {
+		t.Fatal(err)
+	}
 
 	content := `
 issuer = "https://id.example.com/realms/test"
 client_id = "nix-cache-server"
-client_secret = "super-secret"
+client_secret_file = "` + secretFile + `"
 cache_host = "cache.example.com"
 netrc_path = "/tmp/netrc"
 `
@@ -64,6 +69,30 @@ netrc_path = "/tmp/netrc"
 	}
 }
 
+func TestLoadConfigClientSecretFileMissing(t *testing.T) {
+	dir := t.TempDir()
+	cfgFile := filepath.Join(dir, "config.toml")
+
+	content := `
+issuer = "https://id.example.com/realms/test"
+client_id = "nix-cache-server"
+client_secret_file = "/nonexistent/secret"
+cache_host = "cache.example.com"
+netrc_path = "/tmp/netrc"
+`
+	if err := os.WriteFile(cfgFile, []byte(content), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	_, err := Load(cfgFile)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !contains(err.Error(), "client_secret_file") {
+		t.Errorf("error = %q, want to contain %q", err.Error(), "client_secret_file")
+	}
+}
+
 func TestEnvVarExpansionInNetrcPath(t *testing.T) {
 	dir := t.TempDir()
 	cfgFile := filepath.Join(dir, "config.toml")