Rotate operator secrets into agenix and deepen caches

docs/FORWARDEMAIL.md

@@ -26,11 +26,14 @@ Forward Email also documents these operational constraints:
 
 ## Burrow Secret Layout
 
-Present in `intake/` today:
+Authoritative secrets now live in:
 
-- `intake/forwardemail_api_token.txt`
-- `intake/hetzner-s3-user.txt`
-- `intake/hetzner-s3-secret.txt`
+- `secrets/forwardemail/api-token.age`
+- `secrets/forwardemail/hetzner-s3-user.age`
+- `secrets/forwardemail/hetzner-s3-secret.age`
+
+Legacy plaintext `intake/` files may still exist locally for debugging, but the
+tooling now prefers the age-encrypted files above.
 - Hetzner public S3 endpoint for Forward Email: `https://hel1.your-objectstorage.com`
 - Hetzner object storage region: `hel1`
 - Hetzner bucket used for Forward Email backups: `burrow`
@@ -69,12 +72,12 @@ Example:
 ```sh
 Tools/forwardemail-custom-s3.sh \
   --domain burrow.net \
-  --api-token-file intake/forwardemail_api_token.txt \
+  --api-token-file secrets/forwardemail/api-token.age \
   --s3-endpoint https://hel1.your-objectstorage.com \
   --s3-region hel1 \
   --s3-bucket burrow \
-  --s3-access-key-file intake/hetzner-s3-user.txt \
-  --s3-secret-key-file intake/hetzner-s3-secret.txt
+  --s3-access-key-file secrets/forwardemail/hetzner-s3-user.age \
+  --s3-secret-key-file secrets/forwardemail/hetzner-s3-secret.age
 ```
 
 Retest an existing domain configuration without rewriting it:
@@ -82,7 +85,7 @@ Retest an existing domain configuration without rewriting it:
 ```sh
 Tools/forwardemail-custom-s3.sh \
   --domain burrow.net \
-  --api-token-file intake/forwardemail_api_token.txt \
+  --api-token-file secrets/forwardemail/api-token.age \
   --test-only
 ```