style(1b): auto-format + lint-clean the whole codebase (RL1)

Mechanical, semantics-preserving cleanup so the codebase passes the new lint stage:
- ruff format: all 32 Python files (wraps long signatures, normalizes quotes/blank lines).
- nixpkgs-fmt: modules/drone-runner.nix.
- shfmt (-i 2 -ci): scripts/*.sh.

Lint fixes (reviewed, behavior-preserving — no test weakened):
- ruff SIM105: try/except-pass -> contextlib.suppress (abra.py app_config rm; lifecycle.py janitor).
- ruff SIM115: open().read() -> with open() (run_recipe_ci.py redaction-values + gitea-token).
- statix: merge repeated sops `secrets.*` keys into one `secrets = { ... }` (comments kept);
  empty fn pattern `{ ... }:` -> `_:` (packages.nix).
- deadnix: drop unused lambda args (flake `self`; configuration.nix `lib`; overlay `final` -> `_`).

Verified on cc-ci: `scripts/lint.sh` -> lint: PASS; nixosConfigurations.cc-ci evaluates;
all Python byte-compiles. The deployed bridge/dashboard/runner source changes hash (reformat),
so cc-ci will be rebuilt to the new closure in W2 before the cold D1-D10 re-verification.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/drone-runner.nix

@@ -31,7 +31,7 @@ in
     environment = {
       DRONE_RPC_PROTO = "https";
       DRONE_RPC_HOST = "drone.ci.commoninternet.net";
-      DRONE_RUNNER_CAPACITY = maxTests;      # MAX_TESTS concurrency cap (see let-binding above)
+      DRONE_RUNNER_CAPACITY = maxTests; # MAX_TESTS concurrency cap (see let-binding above)
       DRONE_RUNNER_NAME = "cc-ci-exec";
       # exec runner needs a writable root for build workspaces
       DRONE_RUNNER_ROOT = "/var/lib/drone-runner";

modules/packages.nix

@@ -1,9 +1,9 @@
 # Project package overlay. `abra` (the Co-op Cloud CLI) is exposed as `pkgs.abra` so every
 # module (systemPackages, the proxy/drone reconcile oneshots) can use the same pinned build.
-{ ... }:
+_:
 {
   nixpkgs.overlays = [
-    (final: prev: {
+    (_: prev: {
       abra = prev.stdenv.mkDerivation rec {
         pname = "abra";
         version = "0.13.0-beta";

modules/secrets.nix

@@ -19,32 +19,34 @@
     # Do not also look for a GPG key.
     gnupg.sshKeyPaths = [ ];
 
-    # M0 proof secret — confirms the decrypt path works end to end.
-    secrets.test_secret = { };
+    secrets = {
+      # M0 proof secret — confirms the decrypt path works end to end.
+      test_secret = { };
 
-    # M2 Drone (A2 internal secrets). drone_rpc_secret is shared between the swarm-deployed
-    # Drone server (inserted as the `rpc_secret` swarm secret by scripts/deploy-drone.sh) and
-    # the host exec runner (read via the env template below). drone_gitea_client_secret is the
-    # Gitea OAuth app secret, inserted as the server's `client_secret` swarm secret.
-    secrets.drone_rpc_secret = { };
-    secrets.drone_gitea_client_secret = { };
+      # M2 Drone (A2 internal secrets). drone_rpc_secret is shared between the swarm-deployed
+      # Drone server (inserted as the `rpc_secret` swarm secret by scripts/deploy-drone.sh) and
+      # the host exec runner (read via the env template below). drone_gitea_client_secret is the
+      # Gitea OAuth app secret, inserted as the server's `client_secret` swarm secret.
+      drone_rpc_secret = { };
+      drone_gitea_client_secret = { };
 
-    # M3 comment-bridge (A2). Read by modules/bridge.nix's reconcile oneshot, which copies them
-    # into swarm secrets the bridge container mounts. webhook_hmac is also set on the Gitea webhook.
-    secrets.bridge_webhook_hmac = { };
-    secrets.bridge_drone_token = { };
-    secrets.bridge_gitea_token = { };
+      # M3 comment-bridge (A2). Read by modules/bridge.nix's reconcile oneshot, which copies them
+      # into swarm secrets the bridge container mounts. webhook_hmac is also set on the Gitea webhook.
+      bridge_webhook_hmac = { };
+      bridge_drone_token = { };
+      bridge_gitea_token = { };
 
-    # Phase-1c C2: the wildcard TLS cert+key are now sops secrets (in cc-ci-secrets), decrypted at
-    # activation to /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} — the exact path the traefik
-    # reconcile (modules/proxy.nix) already reads. Replaces the prior operator-drops-a-cert-file step.
-    secrets.wildcard_cert = {
-      path = "/var/lib/ci-certs/live/fullchain.pem";
-      mode = "0444"; # leaf+intermediate chain — not secret
-    };
-    secrets.wildcard_key = {
-      path = "/var/lib/ci-certs/live/privkey.pem";
-      mode = "0400"; # private key — root only
+      # Phase-1c C2: the wildcard TLS cert+key are now sops secrets (in cc-ci-secrets), decrypted at
+      # activation to /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} — the exact path the traefik
+      # reconcile (modules/proxy.nix) already reads. Replaces the prior operator-drops-a-cert-file step.
+      wildcard_cert = {
+        path = "/var/lib/ci-certs/live/fullchain.pem";
+        mode = "0444"; # leaf+intermediate chain — not secret
+      };
+      wildcard_key = {
+        path = "/var/lib/ci-certs/live/privkey.pem";
+        mode = "0400"; # private key — root only
+      };
     };
 
     # EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.