defmodule ArcadiaCloud.DigitalOcean.Tokens do @moduledoc """ DO API token resolver. Per-purpose so worker queues use separate tokens (rate limit isolation + blast radius — see project_arcadia_cloud memory). Phase 0/1 implementation: all purposes fall back to the single `DO_API_TOKEN` env var (or `:default_token` app env). Phase 2: read per-purpose bundles from the secrets vault. """ @env_var "DO_API_TOKEN" def fetch(purpose) when is_binary(purpose) do case resolve(purpose) do nil -> {:error, :no_token_configured} token -> {:ok, token} end end defp resolve(_purpose) do Application.get_env(:arcadia_cloud, :do_api_token) || System.get_env(@env_var) end end