Improve Dynu env handling and document secrets/dynu.env

docs/security-secrets.md

@@ -10,6 +10,7 @@ For machine-readable inventory metadata, use [`../secrets/inventory.json`](../se
 
 - Canonical example template: [`../secrets/.env.secrets.example`](../secrets/.env.secrets.example)
 - Runtime-loaded secret env file (local, non-committed): `../secrets/stack-secrets.env`
+- Dynu DNS inventory env file (local, non-committed): `../secrets/dynu.env`
 - Docker secret files (local, non-committed): `../secrets/*.txt`
 
 Treat the example template as the canonical shape for expected environment variables.
@@ -20,9 +21,11 @@ Treat the example template as the canonical shape for expected environment varia
    - Document expected variable names and usage expectations.
 2. **Local runtime env file (`stack-secrets.env`)**
    - Holds local runtime secret values loaded during compose rendering.
-3. **Local Docker secret files (`*.txt`)**
+3. **Local Dynu env file (`dynu.env`)**
+   - Holds `DYNU_*` values used by read-only Dynu DNS inventory scripts.
+4. **Local Docker secret files (`*.txt`)**
    - Hold password/token material consumed via `*_FILE` style configuration.
-4. **Externally managed secret inputs**
+5. **Externally managed secret inputs**
    - Some values are managed outside shared templates and provided through file mounts or environment substitution.
 
 ## Machine-readable inventory
@@ -41,6 +44,7 @@ Before running compose operations, follow [`./deployment-prerequisites.md`](./de
 Never commit:
 
 - `secrets/stack-secrets.env`
+- `secrets/dynu.env`
 - real `secrets/*.txt` secret files
 - real Terraform `.tfvars` files containing credentials
 - Terraform state files with sensitive runtime metadata