Decommission forge compatibility pointers

docs/operator-setup.md

@@ -1,10 +1,16 @@
 # Operator Setup
 
-Run these checks before deploying or rotating any S5 workload:
+Run these checks before deploying any S5 workload:
 
 ```bash
 make check-tools
-make check-sops
+```
+
+When the app release work touches encrypted SOPS files, also verify the
+operator age identity against the encrypted file being changed:
+
+```bash
+SOPS_SENTINEL=<encrypted-file> make check-sops
 ```
 
 ## Required Tools
@@ -27,7 +33,7 @@ for primary/replica health and backup state.
 
 ## SOPS Age Key Bootstrap
 
-SOPS-encrypted values in this repo expect an age identity at:
+SOPS-encrypted values used by app release work expect an age identity at:
 
 ```text
 ~/.config/sops/age/keys.txt
@@ -46,9 +52,9 @@ Bootstrap procedure:
    ```bash
    chmod 600 ~/.config/sops/age/keys.txt
    ```
-5. Verify decryption:
+5. Verify decryption against the encrypted file being changed:
    ```bash
-   make check-sops
+   SOPS_SENTINEL=<encrypted-file> make check-sops
    ```
 
 Do not commit age identities, decrypted values, or copied SOPS plaintext