Rotate operator secrets into agenix and deepen caches

services/forgejo-nsc/README.md

@@ -155,11 +155,12 @@ instances:
 ```
 
 For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT,
-generate a Namespace token from the logged-in namespace account, and render
-bootstrap artifacts into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml` plus
-`intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a
-`bearer_token` field so both the Compute API path and the `nsc` CLI fallback can
-consume the same secret material.
+generate a Namespace token from the logged-in Namespace account, and refresh
+`secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age`.
+The token file is emitted as JSON with a `bearer_token` field so both the
+Compute API path and the `nsc` CLI fallback can consume the same secret
+material. Use `--write-intake` only when you explicitly need local plaintext
+debug copies.
 
 Long-lived runtime state is now sourced from age-encrypted files:
 
@@ -169,10 +170,9 @@ Long-lived runtime state is now sourced from age-encrypted files:
 - `secrets/forgejo/nsc-dispatcher-config.age`
 - `secrets/forgejo/nsc-autoscaler-config.age`
 
-After refreshing the intake files, re-encrypt them into `secrets/forgejo/*.age`
-and deploy the forge host so `config.age.secrets.*` updates the live paths for
-`services.burrow.forge`, `services.burrow.forgeRunner`, and
-`services.burrow.forgejoNsc`.
+After refreshing the encrypted secrets, deploy the forge host so
+`config.age.secrets.*` updates the live paths for `services.burrow.forge`,
+`services.burrow.forgeRunner`, and `services.burrow.forgejoNsc`.
 
 Run it next to the dispatcher: