M7/D6 gate CLAIMED: rotation doc + redaction; M6.5 PASS recorded

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

BACKLOG.md

@@ -104,8 +104,13 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
       held (per-recipe tests/<recipe>/ + recipe_meta EXTRA_ENV only). Awaiting Adversary.
 
 ### M7 — Secrets hardening (D6)
-- [ ] Full sops model, rotation doc, log redaction + leak test
-- [ ] Gate: M7 — secret-grep finds nothing
+- [x] Full sops model + rotation doc (docs/secrets.md: 3 classes, decryption chain, rotation per
+      class) + log redaction filter (run_recipe_ci masks /run/secrets/* values in stage output,
+      live-streaming preserved). Adversary leak scans clean (baseline + recipe-CI logs).
+- [x] Gate: M7 — secret-grep finds nothing → **CLAIMED 2026-05-27**. No-plaintext: harness never
+      prints secrets, abra doesn't echo generated ones, reconciles redirect secret-gen to /dev/null,
+      dashboard shows status only; redaction filter as belt-and-suspenders. Awaiting Adversary
+      (re-grep published logs + dashboard; optionally follow a rotation procedure).
 
 ### M8 — Dashboard (D7)
 - [x] Overview page + badges: dashboard/dashboard.py + modules/dashboard.nix — live at