chore(pxgate): init Adversary phase files — root cause cold-verified, M1/M2 PENDING

Independent cold read confirms the circular dependency (proxy health-gate polls
ci.commoninternet.net served by dashboard which is After=deploy-proxy). Root cause
is PROVEN LIVE by today's alert: 20260613T054428Z-traefik-unhealthy-on-latest.json.

Fix endpoint independently verified: /api/version on traefik.ci.commoninternet.net
returns 200 as soon as traefik is up, no dashboard dependency.

REVIEW-pxgate.md: orientation, M1/M2 acceptance criteria.
BACKLOG-pxgate.md: break-it probes P1–P5 to run at M1 gate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

machine-docs/BACKLOG-pxgate.md

@@ -0,0 +1,22 @@
+# BACKLOG — phase pxgate
+
+## Build backlog
+(Builder-owned — Adversary reads only)
+
+## Adversary findings
+
+No findings yet. Recording break-it probes to run once the fix lands.
+
+### Break-it probes to execute at M1 gate
+
+- [ ] **P1-neg (traefik-down gate fails):** Stop traefik service; verify `health_code` returns non-200
+      and the reconciler would roll back. (Prove the new gate has teeth — not always-pass.)
+- [ ] **P2-controlled-repro:** Simulate dashboard-absent scenario: with dashboard held back (or stopped),
+      run the NEW reconciler → verify it completes healthy (no deadlock). Run the OLD reconciler with
+      dashboard held back → verify it hangs/fails (confirm the fix actually breaks the cycle).
+- [ ] **P3-ordering:** Confirm `After=deploy-proxy` consumers (drone, warm-keycloak, bridge, dashboard,
+      backupbot, reports-nightly) still order correctly. Check `systemctl cat <service>` for each.
+- [ ] **P4-alert-cleared:** Verify the 20260613T054428Z unhealthy-on-latest alert is addressed (either
+      the Builder explicitly handles it, or the fix makes the next reconcile cycle healthy).
+- [ ] **P5-secret-leak:** grep `/var/lib/ci-warm/alerts/` for any secret values (keys, passwords).
+      The alert file must contain only version strings, no credentials.