chore(deploy): add encrypted runtime secret source [skip ci]

deploy/railiance/secrets/inter-hub.env.sops.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: inter-hub-env
+    namespace: inter-hub
+type: Opaque
+stringData:
+    DATABASE_URL: ENC[AES256_GCM,data:uMryx592YJ4Puc1Dg3msJ251RGWW34zAsmc4oIhFZ5IrloOLOzKgBkzpYCnt0v6X5iQSWLayBbCI1clfFf6W5vLFvyWBNzfWzlc66sFiU/IG0qJZZIIWNnWUZmTqvN31gtSXjTYQM0lvDZBbSRjLwRRchMaG/LCrhUo+akhV3QMXWvpuDHnC82b0OaOwZRCnNM4=,iv:U9VdgQpZY+5OI5KaTTFvSejiibaH03RqTaBruKTgups=,tag:zWWVVB/zXvio6z8jzt8FYA==,type:str]
+    IHP_BASEURL: ENC[AES256_GCM,data:GrIWPkoT3OroUgbZiLDsoBH6QgKbjROFkYU=,iv:Ky1ysaY6YQ0WRDywCG+WLys//8N4be2Lw8a0jJr7ovo=,tag:7+lyTiXfop+Q7CW66frWuw==,type:str]
+    IHP_ENV: ENC[AES256_GCM,data:q4SFghcGM7Yodg==,iv:Vd1Dq+AKcxKayChG4PLeyTQvFpU7KEbGg/FpTqJzTps=,tag:yR+7AjKoWv/TrLvsQqRc8A==,type:str]
+    IHP_SESSION_SECRET: ENC[AES256_GCM,data:vjhRzB6xXw6m5+9zUCMXAhJcBk7XZJCsA0GwqN+UvottYL/XEFKFPkeFco2YzxCnYZ5B1bdaFgK2eFVXs0qgrQ==,iv:JE9dEZvpldqreBufrvj6Keb7VFdXcJHhuZgMfeVsc1A=,tag:aWM9HGsoRD0z/LYLNoORJg==,type:str]
+    PORT: ENC[AES256_GCM,data:4KBUgA==,iv:IPYTKvQVFlxy53OIJiyMnnM7LDN2qqdrn2VxWDbUaa8=,tag:J5a1jUcRi004FakTp7qEHA==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNHZxdHFnMjRWOE5DMUhB
+            NlgzSFUrT2FCUjR1cy8vdG9mcHRLcXcwT0VRCnl0cURjWUMyNTJSY1hYK3N4ZHRV
+            bTJqQjR6SDNQOTJTb0ZmSGdWSXc5YVUKLS0tIDBvQUowR0ZLMDI5YUIvOEU2SkFS
+            SlJ3TEJqeWx2MzlnanFWajFJaWQ0Sm8KglhHEIOrJrbWbQS0mUI2fGGmdkt9GUVr
+            dBSr0HPa+DsNwStM2n6EJHADcF1+3CS2HP1JS0m58QkNfuJiF1EIZw==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
+    encrypted_regex: ^(DATABASE_URL|IHP_SESSION_SECRET|IHP_BASEURL|PORT|IHP_ENV)$
+    lastmodified: "2026-06-14T15:54:36Z"
+    mac: ENC[AES256_GCM,data:Z5r73+ihZB1BUyFcC3E97G6/rQdcmDdujoUCNhbU8H2tLD3TlF8619nMt2KfOUiygiGdy+luBJYu9mgbc7zimR163E/JJjOLIRBErXQsYZOHYS2BL62xcNIGeII56UpJlnfVICFNtKYzmxmDI/ZFDMbZa1Z6q29SfUjY7WdnvjE=,iv:Frk1qAkfufNN0WHb9X0jyNureILOc/Ww0CbON2XArEs=,tag:vZ9ronrfa1Pt+f//MOsw2Q==,type:str]
+    version: 3.13.1

workplans/IHUB-WP-0018-railiance01-deployment.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Railiance01 Deployment — Production Operations Scaffold"
 domain: inter_hub
 repo: inter-hub
-status: active
+status: finished
 owner: custodian
 topic_slug: inter_hub
 created: "2026-04-29"
@@ -217,7 +217,7 @@ that database through the `inter-hub-env` Kubernetes Secret.
 
 ```task
 id: IHUB-WP-0018-T05
-status: in_progress
+status: done
 priority: high
 state_hub_task_id: "926f82d1-15cd-425d-8a41-3d6b51c07f0b"
 ```
@@ -256,9 +256,17 @@ and related runtime env is committed and wired into the deploy path.
 **Progress note (2026-06-14):** Added repo root `.sops.yaml`, plaintext
 guardrails under `deploy/railiance/secrets/`, an example Secret manifest, and
 `k8s-secret-json-to-sops-input.py` to convert the live Kubernetes Secret into a
-SOPS-ready manifest without printing values. This remains in progress because
-`deploy/railiance/secrets/inter-hub.env.sops.yaml` is not committed yet; local
-`sops` tooling was not available during this session.
+SOPS-ready manifest without printing values. At that point the encrypted source
+file was still pending because local `sops` tooling was not available.
+
+**Completion note (2026-06-14):** Created
+`deploy/railiance/secrets/inter-hub.env.sops.yaml` from the live
+`inter-hub/inter-hub-env` Kubernetes Secret using temporary `sops` v3.13.1 and
+the shared Railiance age recipient. Verified the file is SOPS-encrypted, parses
+as YAML, leaves only non-secret metadata reviewable, and does not contain the
+checked plaintext runtime markers. Decryption/apply verification remains a
+custody-backed operator capability because the private age identity is not
+present in the normal workstation or haskelseed shell.
 
 ### R6 — Helm chart in railiance-apps