Add pelican credentials token setup command for standalone credential file creation #3143

Open

Copilot wants to merge 1 commit into main from copilot/add-credential-file-creation

Copilot AI commented Feb 18, 2026

Extracts credential file creation from the rclone PR (#3085) into a standalone CLI command that acquires OAuth2 tokens and persists them (with refresh token and client credentials) to disk.

New CLI command

pelican credentials token setup <pelican-url>
pelican credentials token setup --no-password --write pelican://federation.example.org/namespace/path
pelican credentials token setup --credential-file /path/to/creds.pem --read pelican://federation.example.org/namespace/path

Flags: --read/--write (scope), --no-password (skip encryption), --credential-file (custom output path).

Changes

  • docs/parameters.yaml — New Client.CredentialFile parameter to override default credential file path
  • param/ — Regenerated via go generate to expose Client_CredentialFile
  • config/encrypted.go
    • GetEncryptedConfigName() respects Client.CredentialFile override
    • SaveConfigContentsToFile(config, path, withPassword) — writes credentials to a specific path, optionally unencrypted
    • HasEncryptedPassword() — checks if credential file uses password-protected PEM
  • cmd/credentials_token_setup.go — New setup subcommand wired into credentials token
  • cmd/config_mgr.go — Wire setup into the existing credentials token command tree
  • config/credential_file_test.go — Tests for SaveConfigContentsToFile, HasEncryptedPassword, and GetEncryptedConfigName override including a roundtrip test

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • abc123
  • cilogon.org

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Standalone client credential file creation</issue_title>
<issue_description>One side-quest in https://github.com/PelicanPlatform/pelican/pull/3085/changes was adding the ability in the client to create an unencrypted credential file (containing a refresh token and an OIDC client credential) and the ability to hand a credential file to the pelican client as a command line flag.

Let's extract just that code (which will help make the rclone PR smaller) and make some of it accessible via the CLI. Let's call the CLI:

pelican credentials token setup

and, instead of the functionality in pelican credentials token get or pelican token fetch that print out a single access token, it saves a credential file to disk containing the token and refresh token / credentials that we can use elsewhere. Have a --no-password flag that allows the user to skip password-protecting the file.

The Client_CredentialFile pieces from the rclone PR can be brought over relatively unscathed.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Add standalone client credential file creation feature" to "Add pelican credentials token setup command for standalone credential file creation" Feb 18, 2026
Copilot AI requested a review from bbockelm February 18, 2026 17:01
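
The description above covers writing a credential file to a chosen path, optionally without a password, and checking whether an existing file is password-protected PEM. The following Go sketch is an added example, not code from this PR or from Pelican: `writeCredFile` and `auditCredFile` are hypothetical names, and the PEM markers it checks are the conventional ones, which is an assumption about how protection is labelled.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// writeCredFile writes via a 0600 temp file, then renames it into place.
func writeCredFile(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".cred-*") // created with mode 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	if _, err = tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// auditCredFile reports whether the first PEM block looks password-protected
// and whether group/other permission bits expose the file.
func auditCredFile(path string) (encrypted, exposed bool, err error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, false, err
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return false, false, err
	}
	block, _ := pem.Decode(raw) // nil when the file holds no PEM block
	// Assumption: conventional PEM markers; the project's own marker may differ.
	encrypted = block != nil && (strings.HasPrefix(block.Type, "ENCRYPTED") ||
		strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"))
	return encrypted, info.Mode().Perm()&0o077 != 0, nil
}

func main() {
	for _, p := range os.Args[1:] { // audit each file named on the command line
		enc, exp, err := auditCredFile(p)
		fmt.Printf("%s encrypted=%v exposed=%v err=%v\n", p, enc, exp, err)
	}
}
```

A file reported as `encrypted=false exposed=true` is the case to act on: an unprotected refresh token and client credential readable by other local users.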
@bbockelm bbockelm left a comment

Please rebase the branch to a single commit so I can more easily cherry-pick.

Copilot AI commented Feb 18, 2026

> Please rebase the branch to a single commit so I can more easily cherry-pick.

I'm unable to squash commits because git rebase requires force push, which isn't available in my environment. The "Initial plan" commit (bc027bd) is an empty commit with no file changes — all actual code is in e67a5e7. Could you squash the commits when cherry-picking, or I can recreate the branch if you prefer?

Copilot AI requested a review from bbockelm February 18, 2026 19:30
@bbockelm bbockelm added the enhancement and client labels Feb 21, 2026
@bbockelm bbockelm force-pushed the copilot/add-credential-file-creation branch from e67a5e7 to 9853e44 Compare February 21, 2026 16:40
@bbockelm bbockelm marked this pull request as ready for review February 21, 2026 16:41
- Add Client.CredentialFile parameter to docs/parameters.yaml
- Regenerate param files with new Client_CredentialFile parameter
- Add Client_CredentialFile override in GetEncryptedConfigName()
- Add SaveConfigContentsToFile() for saving credentials to specific paths
- Add HasEncryptedPassword() to check if credential file is password-protected
- Create credentials_token_setup.go with the setup subcommand
- Add --no-password, --credential-file, --read, --write flags
- Add tests for new functionality

Co-authored-by: bbockelm <1093447+bbockelm@users.noreply.github.com>
@bbockelm bbockelm force-pushed the copilot/add-credential-file-creation branch from 9853e44 to e9bdd8c Compare February 21, 2026 16:53