feat: open proxy token file

README.md

@@ -18,17 +18,17 @@ open on your laptop instead of failing in a headless shell.
 
 - The **host** runs `open-proxy serve`, listening on `127.0.0.1:7777`.
 - The **VM** runs the `open-proxy open` client, which connects to
-  `127.0.0.1:7777` *on the VM*.
+  `127.0.0.1:7777` _on the VM_.
 - An SSH **reverse tunnel** maps the VM's `127.0.0.1:7777` back to the host's
   server, so nothing is exposed on the network.
 
 Per argument, the client does the cheapest thing that works:
 
-| Argument                     | Behavior                                                        |
-| ---------------------------- | --------------------------------------------------------------- |
-| Existing **regular file**    | Streams the bytes to the host; host writes it to a temp dir (keeping the filename/extension) and opens that copy. |
-| **URL** (`https://…`, `mailto:…`) | Forwarded as a string; host opens it.                      |
-| Anything else                | Forwarded as a string; host's `open` decides.                   |
+| Argument                          | Behavior                                                                                                          |
+| --------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| Existing **regular file**         | Streams the bytes to the host; host writes it to a temp dir (keeping the filename/extension) and opens that copy. |
+| **URL** (`https://…`, `mailto:…`) | Forwarded as a string; host opens it.                                                                             |
+| Anything else                     | Forwarded as a string; host's `open` decides.                                                                     |
 
 > **Best effort, by design.** A copied `report.html` that references sibling
 > assets (`./style.css`, images) won't find them on the host — only the single
@@ -46,7 +46,8 @@ Produces one static binary used for both roles.
 
 ```sh
 # Optional but recommended if the VM is multi-user: require a shared secret.
-export OPEN_PROXY_TOKEN=$(openssl rand -hex 16)
+openssl rand -hex 16 > ~/.config/open-proxy-token
+export OPEN_PROXY_TOKEN_FILE=~/.config/open-proxy-token
 
 open-proxy serve            # listens on 127.0.0.1:7777
 ```
@@ -65,14 +66,14 @@ to the GUI.
    ln -sf open-proxy ~/.local/bin/open      # convenience / macOS habit
    ```
 
-   `~/.local/bin` must come *before* `/usr/bin` in `$PATH`. The binary checks
+   `~/.local/bin` must come _before_ `/usr/bin` in `$PATH`. The binary checks
    `argv[0]`, so a symlink named `xdg-open` or `open` runs in client mode.
 
-2. If you set a token on the host, set the same one on the VM (e.g. in your
-   shell rc):
+2. If you set a token on the host, set the same one on the VM (e.g. via a
+   secret-managed file):
 
    ```sh
-   export OPEN_PROXY_TOKEN=<same value as host>
+   export OPEN_PROXY_TOKEN_FILE=~/.config/open-proxy-token
    ```
 
 ## The tunnel
@@ -110,10 +111,10 @@ fail — it falls back to the **real** opener. It walks `$PATH` for the next
 `xdg-open`/`open` that isn't this binary and runs that, so a shadowed VM still
 behaves sanely offline.
 
-Fallback fires only on a *connection* failure. An HTTP rejection (e.g. a 403
+Fallback fires only on a _connection_ failure. An HTTP rejection (e.g. a 403
 from a token mismatch) is surfaced as an error, not silently opened locally.
 
-Both the fallback and the host's own opener resolve the *real* `xdg-open`/`open`
+Both the fallback and the host's own opener resolve the _real_ `xdg-open`/`open`
 by skipping this binary on `$PATH`, so it's safe to shadow the opener names on
 the host too (e.g. a box that is both host and VM) without recursing.
 
@@ -127,11 +128,12 @@ open ./diagram.png               # copied to host, opens in host image viewer
 
 ## Configuration
 
-| Variable             | Default            | Meaning                                              |
-| -------------------- | ------------------ | ---------------------------------------------------- |
-| `OPEN_PROXY_ADDR`    | `127.0.0.1:7777`   | Client target / server listen address.               |
-| `OPEN_PROXY_TOKEN`   | _(unset)_          | Shared secret; if set on the server, clients must match. |
-| `OPEN_PROXY_MAXSIZE` | `104857600` (100M) | Max file transfer size in bytes (server-side).       |
+| Variable                | Default            | Meaning                                                                   |
+| ----------------------- | ------------------ | ------------------------------------------------------------------------- |
+| `OPEN_PROXY_ADDR`       | `127.0.0.1:7777`   | Client target / server listen address.                                    |
+| `OPEN_PROXY_TOKEN`      | _(unset)_          | Shared secret; if set on the server, clients must match.                  |
+| `OPEN_PROXY_TOKEN_FILE` | _(unset)_          | File containing the shared secret, used when `OPEN_PROXY_TOKEN` is unset. |
+| `OPEN_PROXY_MAXSIZE`    | `104857600` (100M) | Max file transfer size in bytes (server-side).                            |
 
 ## Security notes