— The options 1 and 2 are not meaningful because a delegate usually does not store the secret in the config file (or maybe: should not store) because of security reasons. Additionally most delegates use multiple nodes (forging and backup nodes) so forging-switching from outside is necessary. Maybe option 1 is mostly tested in testnet, but this is not a usecase because testnet delegates do not care about the security.
— Option 3 sounds good but is not automated. That’s why I suggested that a possibly existing encrypted passphrase is not deleted during the migration. This allows a smooth migration without downtime.
btw,, the proposed PR consists of one moved line only, the effects could be predictable ;)