M1: Docker + single-node swarm via Nix (swarm-init + proxy overlay)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

BACKLOG.md

@@ -14,7 +14,8 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
       → CLAIMED 2026-05-26, awaiting Adversary (see STATUS.md)
 
 ### M1 — Swarm + abra target
-- [ ] Docker + single-node swarm via Nix
+- [x] Docker + single-node swarm via Nix (modules/swarm.nix: docker + swarm-init oneshot + `proxy`
+      overlay net + daily autoprune). Verified: Swarm=active, proxy overlay present.
 - [ ] Traefik (file provider → /var/lib/ci-certs/live/) + per-run wildcard router
 - [ ] abra installed; deploy + tear down a trivial recipe by hand over HTTPS
 - [ ] Gate: M1 — recipe reachable over HTTPS at *.ci.commoninternet.net, torn down clean