[codex] Build secret management pages

README.md

@@ -32,6 +32,8 @@ In `Development`, startup applies the current EF Core migration set and inserts
 
 Set `Conductor:BootstrapDevelopmentDatabase` to `false` to skip the development database bootstrap in test hosts or other controlled startup scenarios.
 
+Secret descriptors are managed at `/settings/secrets`. The page supports creating, listing, rotating, and deleting GitHub PAT and OpenAI API key descriptors while masking saved values after entry.
+
 ## Persistence Configuration
 
 The host registers `ConductorDbContext` from `src/Conductor.Infrastructure.Persistence.Sqlite` using the `ConnectionStrings:Conductor` value. The default is:

docs/feature_guides.md

@@ -34,6 +34,8 @@ The secret descriptor list supports GitHub PAT and OpenAI API key credentials as
 
 Descriptors may include validation status, validation timestamp, a short validation message, and validation metadata JSON such as accepted token prefixes and the runtime environment variable used for injection. Plaintext token values are only accepted during create or rotate workflows and must not be returned in descriptor responses.
 
+Use the secret management page at `/settings/secrets` to add credential descriptors before wiring repositories or Symphony instances to credentials. Enter the value only when creating or rotating the descriptor; after the operation succeeds, Conductor stores the protected payload separately from descriptor metadata and renders only masked placeholders.
+
 ## Workflow Profile Management
 
 Workflow profiles are managed from `/settings/workflows`. Operators can create a profile, edit an existing profile, mark one profile as the default, and preview the raw `WORKFLOW.md` source before saving.

docs/user_guide.md

@@ -10,9 +10,11 @@ Initial user workflows will cover dashboard review, repository import, instance
 
 The dashboard includes a needs-attention panel for active critical and warning items. Each row shows the affected repository or Symphony instance, the current severity, the reason it needs attention, and a link to the source area for follow-up.
 
-## Secret Review
+## Secret Management
 
-The Secrets page lists saved credential descriptors for orchestration. GitHub PAT and OpenAI API key descriptors are shown independently, and saved values are rendered only as masked placeholders.
+Open `/settings/secrets` to create and maintain credential descriptors. The page supports GitHub PAT, OpenAI API key, Codex home, and other secret descriptors scoped globally, by project, by repository, or by Symphony instance.
+
+Saved secret values are masked in the descriptor list. Operators can rotate or delete a descriptor from the list, but stored values are not shown again after creation or rotation.
 
 ## Manual Instance Registration