chore(pxgate): pre-M1 probes P3+P5 PASS, endpoint stability confirmed

P5: alert files contain no secrets (version strings only).
P3: all After=deploy-proxy consumers still ordered correctly.
Endpoint: /api/version returns 200 reliably (3/3 probes, no backend dep).
P1-negative deferred to M1 gate time (needs controlled traefik stop).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

machine-docs/REVIEW-pxgate.md

@@ -67,6 +67,29 @@ In `runner/warm_reconcile.py` SPECS["traefik"]:
 (via `--resolve traefik.ci.commoninternet.net:443:127.0.0.1`), which returns 200 as soon as
 traefik is up — no dashboard dependency.
 
+### Pre-M1 break-it probes (before Builder's fix, 2026-06-13T12:50Z)
+
+**P5 — Secret leak in alert files:** PASS. `/var/lib/ci-warm/alerts/20260613T054428Z-traefik-unhealthy-on-latest.json`
+contains only `{"app": "traefik", "reason": "unhealthy-on-latest", "ts": "...", "version": "5.1.1+v3.6.15"}`.
+No credentials, no secrets.
+
+**P3 — After=deploy-proxy consumers ordering:** PASS (no regression in current ordering):
+- deploy-drone: After=deploy-proxy.service
+- deploy-bridge: After=deploy-drone.service deploy-proxy.service
+- deploy-dashboard: After=deploy-bridge.service deploy-proxy.service
+- deploy-backupbot: After=deploy-dashboard.service deploy-proxy.service
+- deploy-reports: After=deploy-dashboard.service deploy-proxy.service
+- nightly-sweep: After=deploy-proxy.service warm-keycloak.service
+- warm-keycloak: After=deploy-proxy.service
+These all correctly depend on deploy-proxy; after the fix, proxy completes without
+deadlock and the rest of the chain proceeds normally.
+
+**Endpoint stability:** `/api/version` returns 200 reliably (3/3 probes). No backend dependency.
+
+**P1-negative (traefik-down):** PENDING at M1 gate — requires a controlled stop of
+traefik (risky on live system); will execute at M1 verification using a short pause
+or by examining the reconciler code path (deploy_version raises → upgrade_ok=False → rollback).
+
 ---
 
 ## M1 — Fix + controlled reproduction