chore(pxgate): pre-stage builder-clone on main; fix nixos-rebuild instructions

builder-clone was on restructure/concurrency (caef217, 288 behind main).
Switched to main at d23baf8. STATUS updated with git checkout main safeguard.
Adversary idle probes all PASS @13:31Z.

machine-docs/STATUS-pxgate.md

@@ -23,15 +23,17 @@ M2 requires the orchestrator to deploy the fix to the live cc-ci host and verify
 
 ### WHAT is needed from the orchestrator
 
-Run `nixos-rebuild switch` on cc-ci with the current main branch (commit `0e9fd38`). The standard command from DECISIONS.md:
+Run `nixos-rebuild switch` on cc-ci. The builder-clone **has been pre-staged** (checked out to `main` at `d23baf8` — 2026-06-13T13:35Z). The orchestrator only needs to run nixos-rebuild:
 
 ```bash
-ssh cc-ci
-cd /root/builder-clone
-git pull  # pull to get commit 0e9fd38 (warm_reconcile.py traefik /api/version fix)
+ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull && git log --oneline -1'
+# EXPECTED: d23baf8 (or newer) review(pxgate): idle break-it probes PASS @13:31Z...
+
 nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"
 ```
 
+Note: `git checkout main` is included as a safeguard — the builder-clone was previously on `restructure/concurrency`; it is now on `main` but the checkout ensures correctness if it drifts.
+
 This rebuilds the nix store with the new `runner/warm_reconcile.py` and restarts `deploy-proxy.service` (unit script path changes → systemd restarts it on daemon-reload).
 
 ### HOW the Adversary verifies M2 (after nixos-rebuild)