refactor(settings): adopt environment-only runtime secret flow

tooling/deploy/.env.production.example

@@ -6,8 +6,13 @@ NEXTAUTH_SECRET=replace-with-a-long-random-secret
 
 # Optional but commonly needed application settings.
 SENTRY_DSN=
+OPENAI_API_KEY=
+AZURE_OPENAI_API_KEY=
+AZURE_DALLE_API_KEY=
+GEMINI_API_KEY=
 SMTP_HOST=
 SMTP_PORT=587
 SMTP_USER=
 SMTP_PASSWORD=
 SMTP_FROM=CapaKraken <notifications@example.com>
+ANONYMIZATION_SEED=

tooling/deploy/README.md

@@ -25,9 +25,12 @@ On the target host, the deploy directory should contain:
 
 1. Copy `tooling/deploy/.env.production.example` to the target host as `.env.production`.
 2. Fill in the required secrets and URLs.
-3. Ensure Docker Engine and Docker Compose v2 are installed.
-4. Ensure the target host can pull from `ghcr.io`.
-5. Run the image release workflow, then the staging or production deploy workflow with the same image tag.
+3. Provision runtime AI/SMTP/anonymization secrets on the host through `.env.production` or the platform's secret facility.
+4. Keep admin settings for status/verification only; do not use them to enter or rotate operational secrets.
+5. After migration, use the admin cleanup action to remove any legacy database-stored runtime secrets.
+6. Ensure Docker Engine and Docker Compose v2 are installed.
+7. Ensure the target host can pull from `ghcr.io`.
+8. Run the image release workflow, then the staging or production deploy workflow with the same image tag.
 
 ## Manual Host Test