move SSO client secret to Docker secret, gate SSO entrypoint on SSO_ENABLED

sso-entrypoint.sh

@@ -3,7 +3,13 @@ set -e
 
 # SSO plugin installer — runs before the original CryptPad entrypoint.
 # Clones the cryptpad/sso plugin into the plugins volume if not already present
-# or if the version has changed, then delegates to the real entrypoint.
+# or if the version has changed.
+
+# Skips SSO setup entirely when SSO_ENABLED is not "true".
+if [ "${SSO_ENABLED}" != "true" ]; then
+  echo "[sso-entrypoint] SSO not enabled, skipping plugin install"
+  exec "$@"
+fi
 
 PLUGIN_DIR="/cryptpad/lib/plugins/sso"
 VERSION_FILE="${PLUGIN_DIR}/.version"
@@ -28,4 +34,4 @@ else
 fi
 
 # Hand off to the original CryptPad entrypoint
-exec /bin/bash /cryptpad/docker-entrypoint.sh "$@"
+exec "$@"