Bump tangled to latest master (post-v1.13.0-alpha) and pin in auto-update

The tangled core was on rev 956f97c (v1.11.0-alpha) and v1.13.0-alpha
introduces automatic DID minting for repositories which we want.

Master HEAD (6a27cd2) is post-v1.13.0-alpha and includes the DID
auto-mint migration. After deploy, retry verification on the knot
dashboard at https://tangled.org/settings/knots.

Note: the build's reported version string is hardcoded to 1.11.0-alpha
in nix/pkgs/knot-unwrapped.nix upstream -- this is a stale label, but
the actual code includes v1.13.0-alpha features (DID minting schema in
knotserver/db/db.go).

Also add an explicit `nix flake update tangled` to auto-update.nix so
tangled is always tracked, independent of how other inputs are pinned.

hosts/asusmini/auto-update.nix

@@ -3,23 +3,33 @@
 {
   systemd.services.auto-update = {
     description = "Auto-update NixOS configuration";
-    path = with pkgs; [ git nix openssh ];
-    
+    path = with pkgs; [
+      git
+      nix
+      openssh
+    ];
+
     serviceConfig = {
       Type = "oneshot";
       User = "root";
       WorkingDirectory = "/etc/commonscomputing-nix";
     };
-    
+
     script = ''
       set -e
-      
+
       echo "Pulling latest changes..."
       git pull
-      
+
       echo "Updating flake inputs..."
       nix flake update
-      
+
+      # Explicitly update tangled so we always pull the latest knot/spindle
+      # builds, even if other inputs are pinned or the general update is
+      # later restricted. tangled.org/@tangled.org/core moves quickly and
+      # we want to track master.
+      nix flake update tangled
+
       # Check if there are changes to commit
       if ! git diff --quiet flake.lock; then
         echo "Committing flake.lock updates..."
@@ -31,13 +41,13 @@
       else
         echo "No flake.lock changes to commit"
       fi
-      
+
       echo "Rebuilding system..."
       if ! ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --flake .#asusmini; then
         echo "Build/switch failed, staying on current generation"
         exit 1
       fi
-      
+
       echo "Auto-update completed successfully"
     '';
   };
@@ -46,12 +56,12 @@
     description = "Auto-update timer";
     wantedBy = [ "timers.target" ];
     timerConfig = {
-      OnCalendar = "weekly";  # Run weekly, adjust as needed
-      Persistent = true;  # Run on boot if missed
-      RandomizedDelaySec = "1h";  # Add some randomness
+      OnCalendar = "weekly"; # Run weekly, adjust as needed
+      Persistent = true; # Run on boot if missed
+      RandomizedDelaySec = "1h"; # Add some randomness
     };
   };
-  
+
   # TODO: Set up SSH key for git push access
   # Options:
   # 1. Deploy key with write access to the repo