kloudkit · bdsoha · May 13, 2026 · May 13, 2026 · May 13, 2026
@@ -74,18 +74,21 @@ docker run \
 
 ### File-Based Passwords
 
-Instead of passing passwords as environment variables, you can mount them as files.
-This is useful with Docker secrets or mounted credential files.
+Instead of passing passwords as environment variables, you can mount them as files
+*(useful with Docker secrets or Kubernetes `Secret` projections)*.
+Point the variable at the file with the `file:` prefix, or mount the file at the
+convention path and leave the variable unset.
 
-- <EnvVar group="auth" name="password_file" />
-- <EnvVar group="auth" name="password_hashed_file" />
-
-```sh{3-4}
+```sh{2-3}
 docker run \
-  ghcr.io/kloudkit/workspace:v0.2.1 \
-  -v ./my_hashed_password.txt:/run/secrets/workspace/auth_password_hashed
+  -e WS_AUTH_PASSWORD_HASHED=file:/run/secrets/workspace/auth/password_hashed \
+  -v ./password_hashed.txt:/run/secrets/workspace/auth/password_hashed:ro \
+  ghcr.io/kloudkit/workspace:v0.2.1
 ```
 
+See [Resolving Secret Values](/settings/configuration#resolving-secret-values)
+for the full resolution chain and Kubernetes example.
+
 ### Rate Limiting
 
 The workspace has a built-in throttling mechanism to rate-limit password authentication

@@ -174,8 +174,9 @@ For more information, visit our [contribution guide](/contribute/).
 | `codex`                     | codex CLI                                  | *v0.0.20* |       |
 | `conan`                     | Conan CLI and related tools                | *v0.0.21* |       |
 | `continue`                  | cn CLI and continue extension              |           |       |
-| `cpp`                       | C++ and related tools                      |           |   ✅   |
+| [**`cpp →`**](/tools/cpp)   | C++ and related tools                      |           |   ✅   |
 | `dagger`                    | dagger.io CLI and SDK                      |           |       |
+| `dive`                      | Image-layer explorer TUI                   |           |       |
 | `doctl`                     | DigitalOcean CLI                           | *v0.2.0*  |       |
 | `dotnet`                    | .NET framework and related extensions      |           |   ✅   |
 | `gcloud`                    | Google Cloud CLI for GCP                   |           |   ✅   |

@@ -2,6 +2,8 @@
 see:
   - name: Editor Settings
     link: /editor/settings
+  - name: Secrets
+    link: /settings/secrets
 ---
 
 # Configuration
@@ -34,6 +36,64 @@ Such variables can be reviewed in the [global variables](#global-variables) sect
 To enable a boolean environment variable, set it to a *truthy* value, either `1` or `true`.
 :::
 
+## Resolving Secret Values
+
+Secret-shaped variables resolve through a four-step chain so the same property works across
+Docker and Kubernetes without `_FILE` companions:
+
+- <EnvVar group="auth" name="password" />
+- <EnvVar group="auth" name="password_hashed" />
+- <EnvVar group="auth" name="github_token" />
+- <EnvVar group="secrets" name="master_key" />
+- <EnvVar group="server" name="ssl_cert" />
+- <EnvVar group="server" name="ssl_key" />
+
+The resolver returns the first match:
+
+1. **Env literal:** `WS_X=value`.
+2. **`file:` prefix:** `WS_X=file:/path` reads the file *(one trailing newline stripped, internal newlines preserved)*.
+3. **Convention default:** mount a file at `/run/secrets/workspace/<group>/<property>` and leave
+   the variable unset.
+4. **Schema default:** typically unset.
+
+::: code-group
+
+```sh [Env literal]
+docker run \
+  -e WS_AUTH_PASSWORD=super_duper_secret \
+  ghcr.io/kloudkit/workspace:v0.2.1
+```
+
+```sh [file: prefix]
+docker run \
+  -e WS_AUTH_PASSWORD=file:/run/secrets/workspace/auth/password \
+  -v ./password.txt:/run/secrets/workspace/auth/password:ro \
+  ghcr.io/kloudkit/workspace:v0.2.1
+```
+
+```yaml [Kubernetes]
+volumes:
+  - name: workspace-secrets
+    secret:
+      secretName: workspace-secrets
+      items:
+        - key: password
+          path: auth/password
+containers:
+  - name: workspace
+    volumeMounts:
+      - name: workspace-secrets
+        mountPath: /run/secrets/workspace
+        readOnly: true
+```
+
+:::
+
+::: tip
+`ws-cli show env <KEY>` reports where the value came from: `env-set`, `env-file`,
+`secret-file-default`, or `yaml-default`.
+:::
+
 <!--@include: ../partials/environment-variables.md -->
 
 ## Deprecated