feat: add Secret Manager fallback for API credentials

- Add `cloud.google.com/go/secretmanager` dependency.
- Create `pkg/utils/secrets.go` to fetch secrets from Google Cloud Secret Manager.
- Update `pkg/app/api_client.go` to check `GCLOUD_PROJECT_ID` and fetch credentials from Secret Manager if environment variables are missing.
- Implement caching in `getAPIConfig` to avoid repeated Secret Manager calls.
- Add `resetAPIConfigCache` helper for testing.
- Update `pkg/app/test_utils_test.go` to reset config cache when setting mock env vars.
- Add `TestGetAPIConfig_SecretManagerFallback` to verify fallback logic.

Author: google-labs-jules[bot]

pkg/app/api_client.go

@@ -46,7 +46,7 @@ func getAPIConfig() (string, string) {
 
 	// If env vars are missing, try to fetch from Secret Manager
 	if url == "" || key == "" {
-		projectID := os.Getenv("GOOGLE_CLOUD_PROJECT")
+		projectID := os.Getenv("GCLOUD_PROJECT_ID")
 		if projectID != "" {
 			if url == "" {
 				var err error
@@ -63,7 +63,7 @@ func getAPIConfig() (string, string) {
 				}
 			}
 		} else {
-			log.Println("GOOGLE_CLOUD_PROJECT is not set, skipping Secret Manager lookup")
+			log.Println("GCLOUD_PROJECT_ID is not set, skipping Secret Manager lookup")
 		}
 	}
 

pkg/app/api_client_test.go

@@ -88,7 +88,7 @@ func TestSubmitQuery(t *testing.T) {
 		restore := setEnv("BIBLE_API_URL", "")
 		defer restore()
 		// Also unset PROJECT_ID to avoid Secret Manager lookup
-		defer setEnv("GOOGLE_CLOUD_PROJECT", "")()
+		defer setEnv("GCLOUD_PROJECT_ID", "")()
 
 		req := QueryRequest{}
 		var resp VerseResponse
@@ -103,7 +103,7 @@ func TestGetAPIConfig_SecretManagerFallback(t *testing.T) {
 	// Ensure Env Vars are empty
 	defer setEnv("BIBLE_API_URL", "")()
 	defer setEnv("BIBLE_API_KEY", "")()
-	defer setEnv("GOOGLE_CLOUD_PROJECT", "test-project")()
+	defer setEnv("GCLOUD_PROJECT_ID", "test-project")()
 
 	// Mock the secret function
 	oldGetSecret := getSecretFunc