Add environment variable support for OIDC client secret (#2325)

Add support for loading OIDC client secret from TOOLHIVE_OIDC_CLIENT_SECRET
environment variable. This enables Kubernetes-native secret injection via
SecretKeyRef in future operator enhancements.

The change is backward compatible - if the environment variable is not set,
the behavior remains unchanged (uses config.ClientSecret as before).

This is preparatory work for adding SecretKeyRef support to InlineOIDCConfig
in the operator, which will be implemented in a follow-up PR.

Related to #2321

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

Author: JAORMX

pkg/auth/token.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 	"sync"
@@ -541,6 +542,14 @@ func NewTokenValidator(ctx context.Context, config TokenValidatorConfig) (*Token
 		registry.AddProvider(NewGoogleProvider(config.IntrospectionURL))
 	}
 
+	// Load client secret from environment variable if not provided in config
+	// This allows secrets to be injected via Kubernetes Secret references
+	if config.ClientSecret == "" {
+		if envSecret := os.Getenv("TOOLHIVE_OIDC_CLIENT_SECRET"); envSecret != "" {
+			config.ClientSecret = envSecret
+		}
+	}
+
 	// Add RFC7662 provider with auth if configured
 	if config.ClientID != "" || config.ClientSecret != "" {
 		rfc7662Provider, err := NewRFC7662ProviderWithAuth(