Support secrets and signing

[Marenz]

This PR adds support for request signing via an optional secret and propagates that change through tests, the client library, and the CLI.

[llucax]

LGTM in general, but I have a few comments.

[llucax]

I would leave thing the same as they are configured in other repos. I think making this inconsistent across repos will make the docs harder to navigate to users.

[Marenz]

(or it will make this one repo easier and every other stays harder to navigate :P )

[llucax]

For me the side bar is an index, and as an index it should be sorted alphabetically. If you want to sort things in a more organized way, it might be better to have an overview at the module/class documentation.

[llucax]

Suggested change

	"--secret",
	help="API signing secret for authentication",
	envvar="DISPATCH_API_SECRET",
	"--sign-secret",
	help="API secret for signing",
	envvar="DISPATCH_API_SIGN_SECRET",

[Marenz]

Uh.. you wanna rename the env variable?
what about the API_KEY then? Consistently it should become DISPATCH_API_AUTH_KEY

[llucax]

Yes, that would be the ideal IMHO. If it is too disruptive by now, I would accept both for a transitional period, but again, not sure how possible that is using click's built-in env var management.

[Marenz]

I mean, it's only used by ppl directly and it's very easy to adjust to it. I can make it print a warning or so if that var is set. It's not like an API. Just a TUI.

[llucax]

Right, yeah, not that disruptive. Sounds good to me!

[Copilot]

Pull Request Overview

This PR adds support for request signing via optional secrets by updating the authentication mechanism from a simple key-based system to support both auth keys and optional signing secrets. Key changes include:

• Replaces key parameter with auth_key and adds optional sign_secret parameter throughout the codebase
• Updates CLI to support both deprecated --api-key and new --auth-key/--sign-secret options with proper deprecation warnings
• Removes authentication/access control logic from the fake test service

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/test_cli.py	Updates test environment to use new auth key naming
src/frequenz/client/dispatch/test/client.py	Updates FakeClient constructor to use new auth_key parameter
src/frequenz/client/dispatch/test/_service.py	Removes authentication logic and metadata parameters from all service methods
src/frequenz/client/dispatch/_client.py	Updates DispatchApiClient to accept auth_key and sign_secret, removes manual metadata handling
src/frequenz/client/dispatch/main.py	Adds CLI support for new auth parameters with deprecation handling
pyproject.toml	Updates frequenz-client-base dependency version requirement
RELEASE_NOTES.md	Documents new secret signing feature

Comments suppressed due to low confidence (1)

src/frequenz/client/dispatch/test/client.py:27

• The auth_key value "what" is unclear and non-descriptive. Consider using a more descriptive test value like "test_auth_key" or "mock_auth_key".

        super().__init__(server_url="mock", auth_key="what", connect=False)

[llucax]

LGTM, only one small suggestion.

[llucax]

Ah, nice, maybe include --api-key too.

Suggested change

	help="API key for authentication (deprecated, use DISPATCH_API_AUTH_KEY)",
	help="API key for authentication (deprecated, use --auth-key or DISPATCH_API_AUTH_KEY instead)",

[llucax]

Removed from the queue in case you want to address it.