docs: audit SecretStore endpoint scope

TODO.md

@@ -243,14 +243,21 @@ Present in the code but not yet fully endpoint-audited:
 SDK-listed blocks that do not currently show a top-level handler in
 `src/nwconn.c`:
 
-- SDK `0x2222/92` / wire `0x5c` SecretStore, SDK `0x2222/123` / wire
-  `0x7b` service-address enumeration, and SDK `0x2222/131` / wire `0x83`
-  RPC/NLM-control style calls appear in the PDF/WebSDK index but do not
-  currently show top-level handlers in `src/nwconn.c`.  These are likely
-  later-generation buckets, but each must be confirmed against the
-  includes/WebSDK before adding guarded stubs.  Only endpoints bucketed as
-  1.x/2.x/3.x compatibility or planned 4.x work should receive disabled source
-  stubs.
+- SDK `0x2222/92` / wire `0x5c` SecretStore is scope-audited as a
+  later-generation SecretStore/eDirectory single-sign-on family.  The local NDK
+  PDF marks the family as NetWare Server 5.x and eDirectory 8.5 or later, with
+  subverbs `0` Query Server through `9` Get Service Information.  There is no
+  active top-level handler in `src/nwconn.c`, no indirect provider path was
+  found in the audited source, and no source stub should be added under the
+  current 1.x/2.x/3.x plus planned-4.x rule.  It remains prose-only/out of the
+  current compatibility target.
+- SDK `0x2222/123` / wire `0x7b` service-address enumeration and SDK
+  `0x2222/131` / wire `0x83` RPC/NLM-control style calls appear in the
+  PDF/WebSDK index but do not currently show top-level handlers in
+  `src/nwconn.c`.  These are likely later-generation buckets, but each must be
+  confirmed against the includes/WebSDK before adding guarded stubs.  Only
+  endpoints bucketed as 1.x/2.x/3.x compatibility or planned 4.x work should
+  receive disabled source stubs.
 
 Follow-up: