docs: update CHANGELOG and PROJECT.md for SOPS secrets migration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [Unreleased]
 
 ### Added
+- **SOPS + age encrypted secrets** — `.env.dev.sops` and `.env.prod.sops` replace
+  `.env.example` and GitLab CI/CD variables; age keypair for encryption/decryption;
+  `deploy.sh` auto-decrypts on server; `infra/setup_server.sh` installs sops + age
+  and generates server keypair; Makefile targets: `secrets-decrypt-dev`,
+  `secrets-decrypt-prod`, `secrets-edit-dev`, `secrets-edit-prod`
+
+### Removed
+- `.env.example` — replaced by `.env.dev.sops` (decrypt with `make secrets-decrypt-dev`)
+- GitLab CI heredoc that wrote `.env` via SSH — deploy.sh now handles decryption
+- Dead `ADMIN_PASSWORD` CI variable reference
+- Deprecated `WAITLIST_MODE` from env files (replaced by DB-backed feature flags)
+
 - **Python supervisor** (`src/padelnomics/supervisor.py`) — replaces `supervisor.sh`;
   reads `infra/supervisor/workflows.toml` (module, schedule, entry, depends_on,
   proxy_mode); runs due workflows in topological waves (parallel within each wave);

PROJECT.md

@@ -13,7 +13,8 @@
 - [x] UV workspace monorepo structure (web/, transform/, extract/ members)
 - [x] Docker + docker-compose production deploy
 - [x] Litestream R2 backup (1-year retention, auto-restore on startup)
-- [x] CI pipeline (GitLab, env vars, health check gated deploys)
+- [x] CI pipeline (GitLab, health check gated deploys)
+- [x] SOPS + age encrypted secrets (`.env.dev.sops` / `.env.prod.sops`; `deploy.sh` auto-decrypts; `setup_server.sh` installs sops+age)
 - [x] Pre-migration DB backup + auto-restore on failed deploy
 - [x] Nginx router config