ops: add integration secret rotation and offsite backup alerting

infra/deploy/SECRET_ROTATION_CHECKLIST.md

@@ -18,6 +18,11 @@ Recommended:
 2. Proxmox API token secret
 3. Payment/webhook secrets
 
+Enterprise hardening:
+
+1. Keep one grace window for webhook secret rotation (`*_previous`) to avoid dropped payment events during provider cutover.
+2. Validate new Proxmox token directly against `/api2/json/version` before applying it in panel settings.
+
 ## Runbook (Safe Order)
 
 1. Create timestamped app/env/db backup.
@@ -47,6 +52,22 @@ Script guarantees:
 3. Post-rotation health + login verified
 4. Summary written to `/root/proxpanel-secret-rotation-<timestamp>.txt`
 
+For integration secrets (Proxmox + payment/webhook + alerting endpoints), use:
+
+```bash
+sudo bash /opt/proxpanel/infra/deploy/rotate-integration-secrets.sh \
+  --proxmox-token-secret 'new_token_secret' \
+  --paystack-secret 'new_paystack_secret' \
+  --flutterwave-webhook-hash 'new_hash'
+```
+
+After external provider cutover is confirmed, clear grace secrets:
+
+```bash
+sudo bash /opt/proxpanel/infra/deploy/rotate-integration-secrets.sh \
+  --finalize-payment-webhook-grace
+```
+
 ## Rollback Plan
 
 If post-rotation checks fail: