style(1b): auto-format + lint-clean the whole codebase (RL1)

Mechanical, semantics-preserving cleanup so the codebase passes the new lint stage:
- ruff format: all 32 Python files (wraps long signatures, normalizes quotes/blank lines).
- nixpkgs-fmt: modules/drone-runner.nix.
- shfmt (-i 2 -ci): scripts/*.sh.

Lint fixes (reviewed, behavior-preserving — no test weakened):
- ruff SIM105: try/except-pass -> contextlib.suppress (abra.py app_config rm; lifecycle.py janitor).
- ruff SIM115: open().read() -> with open() (run_recipe_ci.py redaction-values + gitea-token).
- statix: merge repeated sops `secrets.*` keys into one `secrets = { ... }` (comments kept);
  empty fn pattern `{ ... }:` -> `_:` (packages.nix).
- deadnix: drop unused lambda args (flake `self`; configuration.nix `lib`; overlay `final` -> `_`).

Verified on cc-ci: `scripts/lint.sh` -> lint: PASS; nixosConfigurations.cc-ci evaluates;
all Python byte-compiles. The deployed bridge/dashboard/runner source changes hash (reformat),
so cc-ci will be rebuilt to the new closure in W2 before the cold D1-D10 re-verification.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/keycloak/test_install.py

@@ -1,4 +1,5 @@
 """keycloak — install stage (recipe #2, DB-backed SSO; D2 install + D3 Playwright)."""
+
 import os
 import sys
 
@@ -23,6 +24,8 @@ def test_playwright_admin_login(deployed_app):
             page.goto(url, wait_until="domcontentloaded", timeout=45000)
             # admin console redirects to the login form; wait for a username field to render
             page.wait_for_selector("input#username, input[name='username']", timeout=30000)
-            assert "keycloak" in page.content().lower() or page.locator("input#username").count() > 0
+            assert (
+                "keycloak" in page.content().lower() or page.locator("input#username").count() > 0
+            )
         finally:
             browser.close()