docs: expand operational runbooks

docs/config-and-secrets.md

@@ -0,0 +1,56 @@
+# Config And Secrets
+
+This document describes the current config layout and the intended secret-handling boundary for the Debian deployment.
+
+## Current Config Files In Repo
+
+Main runtime config examples live under:
+
+- `share/conf/db.txt`
+- `share/conf/game.txt`
+
+These files are part of the runtime tree and are required by the legacy server layout.
+
+## Important Security Boundary
+
+The repository currently contains literal config values for legacy compatibility. They must be treated as bootstrap/default values, not as a safe long-term secret store.
+
+Practical rule:
+
+- do not treat git-tracked config files as the final production secret source of truth
+
+## What Should Not Live In Git
+
+Do not commit:
+
+- production DB passwords
+- real admin page passwords
+- host-specific private tokens
+- private SSH material
+- per-environment override files with live secrets
+
+## Current Operational Model
+
+For the current Debian VPS:
+
+- root-only operational wrappers may inject short-lived values locally
+- headless login healthcheck uses a temporary password via environment, not a command-line literal
+- the installed wrapper is root-only and not network-facing
+
+## Admin Page Password
+
+The source repository now supports hardening for the admin page password. The long-term goal should be:
+
+- no implicit production default
+- host-local secret injection
+- explicit runtime validation
+
+## Recommended Direction
+
+The Debian deployment should eventually move to a clearer contract such as:
+
+- git-tracked template/default files
+- host-local env file or secret file owned by root
+- documented override points
+
+Until that is done, keep all real secret rotation and secret overrides on the host, not in commits.