The production hardening guide documented rotation for SUPERSET_SECRET_KEY but
not for the other security-critical secrets, so operators following the
checklist could leave guest-token/async-query JWT secrets and SMTP/DB
credentials un-rotated after a leak.
Add an "Appendix C: Secrets Register and Rotation Schedule" enumerating all
security-critical secrets with their purpose, leak risk, and rotation cadence,
and reference it from the ongoing-maintenance checklist.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>