Feat: better way for handling secrets

[davidemanini]

Reading providers API keys from the environment has inherent security flaws.

I suggest to add the option --api-key-command [CMD]. Whenever the the key KEY is needed, the output of CMD KEY is read and it is interpreted as the relevant API key.

A suitable option in the settings should be added, as well.

[mythz]

When proposing new features like this, please reference examples of popular LLM tools that implement the feature you're proposing?

[davidemanini]

I'm not aware on any tool implementing the feature that I propose. However, I'm not even aware of tools that take secrets as environment variables (in OpenWebUI and AnythingLLM you provide api keys using the web interface).

If you really do not want to implement this feature, please, wipe confidential environment variables during early initialization.

I suggest to ask "In a linux terminal, how can I see the environment variables?" with the run_bash skill on, to see the security flaws of environmental variables.