M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED

Host decrypts /run/secrets/test_secret via its ssh host key (age identity);
off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev
for nixpkgs 24.11 compat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

STATUS.md

@@ -1,11 +1,15 @@
 # STATUS — cc-ci Builder
 
-**Phase:** M0 — Foundations
-**In-flight:** Base flake config deployed + verified. Next M0 task: sops-nix + decrypt a test secret.
-**Last updated:** 2026-05-26 (M0 base config live)
+**Phase:** M0 → M1. M0 complete & CLAIMED; starting M1 (swarm + Traefik + abra) while awaiting verdict.
+**In-flight:** M1 — Docker + single-node swarm via Nix (first M1 task).
+**Last updated:** 2026-05-26 (M0 claimed)
 
 ## Gates
-- (none claimed yet — M0 gate pends sops wiring)
+- **Gate: M0 — CLAIMED, awaiting Adversary** (2026-05-26). Evidence: flake rebuilds cc-ci from repo
+  (`switch --flake /root/cc-ci#cc-ci`, gen healthy, no failed units); sops-nix decrypts
+  `/run/secrets/test_secret` (0400 root, value = generated `cc-ci-m0-…`). Repro: clone repo, sync to
+  host, `nixos-rebuild switch --flake .#cc-ci`, then `systemctl is-system-running` + check the secret.
+  Per §6.1 I will NOT advance past this gate to M2; M1 work proceeds as independent unblocked work.
 
 ## Blocked
 - (none)