From 4ff0a0cce8f42aa917834a2ee3f2417407e813b3 Mon Sep 17 00:00:00 2001 From: Deeman Date: Mon, 23 Feb 2026 17:19:09 +0100 Subject: [PATCH] docs: update CHANGELOG and PROJECT.md for SOPS secrets migration Co-Authored-By: Claude Opus 4.6 --- CHANGELOG.md | 12 ++++++++++++ PROJECT.md | 3 ++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4b334c..b27bbaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ## [Unreleased] ### Added +- **SOPS + age encrypted secrets** — `.env.dev.sops` and `.env.prod.sops` replace + `.env.example` and GitLab CI/CD variables; age keypair for encryption/decryption; + `deploy.sh` auto-decrypts on server; `infra/setup_server.sh` installs sops + age + and generates server keypair; Makefile targets: `secrets-decrypt-dev`, + `secrets-decrypt-prod`, `secrets-edit-dev`, `secrets-edit-prod` + +### Removed +- `.env.example` — replaced by `.env.dev.sops` (decrypt with `make secrets-decrypt-dev`) +- GitLab CI heredoc that wrote `.env` via SSH — deploy.sh now handles decryption +- Dead `ADMIN_PASSWORD` CI variable reference +- Deprecated `WAITLIST_MODE` from env files (replaced by DB-backed feature flags) + - **Python supervisor** (`src/padelnomics/supervisor.py`) — replaces `supervisor.sh`; reads `infra/supervisor/workflows.toml` (module, schedule, entry, depends_on, proxy_mode); runs due workflows in topological waves (parallel within each wave); diff --git a/PROJECT.md b/PROJECT.md index 57ed4bb..7c401f5 100644 --- a/PROJECT.md +++ b/PROJECT.md 
@@ -13,7 +13,8 @@ - [x] UV workspace monorepo structure (web/, transform/, extract/ members) - [x] Docker + docker-compose production deploy - [x] Litestream R2 backup (1-year retention, auto-restore on startup) -- [x] CI pipeline (GitLab, env vars, health check gated deploys) +- [x] CI pipeline (GitLab, health check gated deploys) +- [x] SOPS + age encrypted secrets (`.env.dev.sops` / `.env.prod.sops`; `deploy.sh` auto-decrypts; `setup_server.sh` installs sops+age) - [x] Pre-migration DB backup + auto-restore on failed deploy - [x] Nginx router config
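Review bot: the CHANGELOG "Added" entry for the SOPS + age migration does not document the key-management step that makes `deploy.sh` auto-decrypt work: `infra/setup_server.sh` "generates server keypair", but nothing in the entry says where that private key is kept on the server (path, owner, mode, or whether `SOPS_AGE_KEY_FILE` is set for the deploy user) or that the server's public key must be added as a recipient and the `.env.*.sops` files re-encrypted for it before the first deploy. A one-line addition such as "add the server public key to `.sops.yaml` and run `sops updatekeys`" would save the next operator a failed deploy. Two related gaps in the same hunk: the "Removed" list says the CI heredoc that wrote `.env` via SSH is gone and that GitLab CI/CD variables are "replaced", but does not say whether those CI variables were deleted from the GitLab project and whether the secrets they held were rotated after the move; and since `.env.example` is removed, the entry should say where a new developer obtains the dev age private key, because `make secrets-decrypt-dev` cannot run without it.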
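Review bot: in the PROJECT.md hunk the rewritten CI line ("CI pipeline (GitLab, health check gated deploys)") silently drops "env vars", while the new SOPS line only lists the mechanics (`deploy.sh auto-decrypts; setup_server.sh installs sops+age`). Because this file is the project checklist, it should state the operational precondition the CHANGELOG also omits: the server's age public key has to be a recipient of `.env.prod.sops` (and the dev key distributed for `.env.dev.sops`) before a deploy can decrypt anything. Suggest extending the new line to something like "`setup_server.sh` installs sops+age and generates the server keypair; add its public key as a SOPS recipient" so the checklist item is complete on its own.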