M1: proxy via real coop-cloud/traefik (abra, wildcard/no-ACME); recipe deploy+teardown; M1 CLAIMED

Orchestrator decision: deploy canonical coop-cloud traefik via abra instead of a
hand-rolled module. abra packaged in Nix (pinned). custom-html deployed over HTTPS
(200) via the gateway and torn down clean. docs/install.md seeded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

BACKLOG.md

@@ -16,11 +16,14 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
 ### M1 — Swarm + abra target
 - [x] Docker + single-node swarm via Nix (modules/swarm.nix: docker + swarm-init oneshot + `proxy`
       overlay net + daily autoprune). Verified: Swarm=active, proxy overlay present.
-- [x] Traefik (file provider → /var/lib/ci-certs/live/) as a swarm stack on `proxy`; wildcard cert
-      served as default cert. Verified end-to-end: gateway 143.244.213.108:443 SNI-passthrough →
-      cc-ci Traefik terminates TLS w/ `CN=*.ci.commoninternet.net` (LE E8), HTTP 404 (no router yet).
-- [ ] abra installed; deploy + tear down a trivial recipe by hand over HTTPS
-- [ ] Gate: M1 — recipe reachable over HTTPS at *.ci.commoninternet.net, torn down clean
+- [x] Proxy = real coop-cloud/traefik via abra (orchestrator decision, replaces custom traefik.nix):
+      wildcard/file-provider mode, pre-issued cert as ssl_cert/ssl_key swarm secrets, LETS_ENCRYPT_ENV
+      empty → no ACME. `scripts/deploy-proxy.sh` (idempotent). Verified E2E via gateway: wildcard cert
+      served, 0 ACME log lines.
+- [x] abra installed (modules/abra.nix, pinned 0.13.0-beta); deployed custom-html by hand over HTTPS
+      (HTTP 200 nginx page via gateway) and tore it down clean (services/volumes/secrets/containers=0).
+- [x] Gate: M1 — recipe reachable over HTTPS at *.ci.commoninternet.net, torn down clean →
+      CLAIMED 2026-05-26, awaiting Adversary.
 
 ### M2 — Drone online
 - [ ] Drone server + exec runner via Nix; Gitea OAuth app