diff --git a/docs/editor/authentication.md b/docs/editor/authentication.md
index 25c9f5a..4c359d2 100644
--- a/docs/editor/authentication.md
+++ b/docs/editor/authentication.md
@@ -74,18 +74,21 @@ docker run \
### File-Based Passwords
-Instead of passing passwords as environment variables, you can mount them as files.
-This is useful with Docker secrets or mounted credential files.
+Instead of passing passwords as environment variables, you can mount them as files
+*(useful with Docker secrets or Kubernetes `Secret` projections)*.
+Point the variable at the file with the `file:` prefix, or mount the file at the
+convention path and leave the variable unset.
--
--
-
-```sh{3-4}
+```sh{2-3}
docker run \
- ghcr.io/kloudkit/workspace:v0.2.1 \
- -v ./my_hashed_password.txt:/run/secrets/workspace/auth_password_hashed
+ -e WS_AUTH_PASSWORD_HASHED=file:/run/secrets/workspace/auth/password_hashed \
+ -v ./password_hashed.txt:/run/secrets/workspace/auth/password_hashed:ro \
+ ghcr.io/kloudkit/workspace:v0.2.1
```
+See [Resolving Secret Values](/settings/configuration#resolving-secret-values)
+for the full resolution chain and Kubernetes example.
+
### Rate Limiting
The workspace has a built-in throttling mechanism to rate-limit password authentication
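Review bot: The new example sets `WS_AUTH_PASSWORD_HASHED=file:/run/secrets/workspace/auth/password_hashed` and also mounts the file at that same path, so it does not show either of the two options in the added prose on its own. If `/run/secrets/workspace/auth/password_hashed` is the convention path, the `-e` line is redundant: either point the `file:` example at a path outside `/run/secrets/workspace`, or drop the `-e` line and say the variable is left unset. The mount target also moves from `auth_password_hashed` to `auth/password_hashed`, and the text does not say whether the old flat path is still read, which matters to anyone upgrading with an existing mount.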
diff --git a/docs/editor/features.md b/docs/editor/features.md
index 3a98015..ab7cb07 100644
--- a/docs/editor/features.md
+++ b/docs/editor/features.md
@@ -174,8 +174,9 @@ For more information, visit our [contribution guide](/contribute/).
| `codex` | codex CLI | *v0.0.20* | |
| `conan` | Conan CLI and related tools | *v0.0.21* | |
| `continue` | cn CLI and continue extension | | |
-| `cpp` | C++ and related tools | | ✅ |
+| [**`cpp →`**](/tools/cpp) | C++ and related tools | | ✅ |
| `dagger` | dagger.io CLI and SDK | | |
+| `dive` | Image-layer explorer TUI | | |
| `doctl` | DigitalOcean CLI | *v0.2.0* | |
| `dotnet` | .NET framework and related extensions | | ✅ |
| `gcloud` | Google Cloud CLI for GCP | | ✅ |
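Review bot: In the `cpp` row the arrow sits inside the code span (`cpp →`), so the feature name as rendered and as copied is no longer the bare `cpp` that the neighbouring rows show. Move the arrow outside the backticks, or drop it, and keep the link. The new `dive` row leaves the third column empty while `codex`, `conan` and `doctl` carry a version there; fill it in if that column records the release that introduced the feature.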
diff --git a/docs/settings/configuration.md b/docs/settings/configuration.md
index ef71323..41cb9fc 100644
--- a/docs/settings/configuration.md
+++ b/docs/settings/configuration.md
@@ -2,6 +2,8 @@
see:
- name: Editor Settings
link: /editor/settings
+ - name: Secrets
+ link: /settings/secrets
---
# Configuration
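Review bot: The new `see:` entry links to `/settings/secrets`, but no file shown in this diff creates that page, and the cross-reference added in `authentication.md` points at `/settings/configuration#resolving-secret-values` instead. Confirm that `/settings/secrets` exists on this branch, or hold this entry until the page lands, so the sidebar does not ship a dead link.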
@@ -34,6 +36,64 @@ Such variables can be reviewed in the [global variables](#global-variables) sect
To enable a boolean environment variable, set it to a *truthy* value, either `1` or `true`.
:::
+## Resolving Secret Values
+
+Secret-shaped variables resolve through a four-step chain so the same property works across
+Docker and Kubernetes without `_FILE` companions:
+
+-
+-
+-
+-
+-
+-
+
+The resolver returns the first match:
+
+1. **Env literal:** `WS_X=value`.
+2. **`file:` prefix:** `WS_X=file:/path` reads the file *(one trailing newline stripped, internal newlines preserved)*.
+3. **Convention default:** mount a file at `/run/secrets/workspace//` and leave
+ the variable unset.
+4. **Schema default:** typically unset.
+
+::: code-group
+
+```sh [Env literal]
+docker run \
+ -e WS_AUTH_PASSWORD=super_duper_secret \
+ ghcr.io/kloudkit/workspace:v0.2.1
+```
+
+```sh [file: prefix]
+docker run \
+ -e WS_AUTH_PASSWORD=file:/run/secrets/workspace/auth/password \
+ -v ./password.txt:/run/secrets/workspace/auth/password:ro \
+ ghcr.io/kloudkit/workspace:v0.2.1
+```
+
+```yaml [Kubernetes]
+volumes:
+ - name: workspace-secrets
+ secret:
+ secretName: workspace-secrets
+ items:
+ - key: password
+ path: auth/password
+containers:
+ - name: workspace
+ volumeMounts:
+ - name: workspace-secrets
+ mountPath: /run/secrets/workspace
+ readOnly: true
+```
+
+:::
+
+::: tip
+`ws-cli show env ` reports where the value came from: `env-set`, `env-file`,
+`secret-file-default`, or `yaml-default`.
+:::
+
## Deprecated
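Review bot: Step 2 of the chain does not say what happens when `WS_X=file:/path` names a file that is missing or unreadable, that is, whether the resolver stops with an error or falls through to steps 3 and 4. For a password variable the difference is significant, so state the behaviour next to the newline-stripping note. Step 3 gives the convention path as `/run/secrets/workspace//` with nothing between the slashes, and the tip shows `ws-cli show env ` with no argument, so the mapping from variable name to file path is never spelled out; the examples only imply that `WS_AUTH_PASSWORD` maps to `auth/password`. The six empty `-` list items between the "four-step chain" sentence and "The resolver returns the first match" look like leftover content and should be filled in or removed.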