package secrets

import (
	"os"
	"strings"
)

// Env resolves secret from KEY or KEY_FILE.
// KEY_FILE enables runtime secret injection via mounted files.
func Env(key string) string {
	if value := os.Getenv(key); value != "" {
		return value
	}

	filePath := os.Getenv(key + "_FILE")
	if filePath == "" {
		return ""
	}

	content, err := os.ReadFile(filePath)
	if err != nil {
		return ""
	}
	return strings.TrimSpace(string(content))
}