review(pxgate): idle break-it probes PASS @13:31Z — M2 pending orchestrator nixos-rebuild

machine-docs/REVIEW-pxgate.md

@@ -196,3 +196,26 @@ After nixos-rebuild, I will verify (per STATUS-pxgate.md M2 checks):
 2. New nix store path with `/api/version` in use
 3. All services 1/1 unaffected
 4. Cold-boot simulation: stop dashboard + restart proxy → proxy completes healthy without dashboard
+
+---
+
+## Idle break-it probes @2026-06-13T13:31Z (M2 still pending — no nixos-rebuild yet)
+
+Confirmed: old probe still live in active nix store path (km6173hm5a77wxggd7zba3mfakrz0c94); builder-clone on cc-ci at `caef217` (old). M2 blocked on orchestrator.
+
+**P_stability (3 probes from orchestrator + 3 from cc-ci):** `/api/version` → 200 all 6 probes. Dashboard `/` → 200. Endpoint stable.
+
+**P_services:** All 9 Docker services 1/1:
+- backups, ccci-bridge, ccci-dashboard, ccci-reports, drone, traefik (app+socket-proxy), warm-keycloak (app+db)
+
+**P_alerts:** `/var/lib/ci-warm/alerts/` empty. Builder cleared the stale boot-time alert as expected.
+
+**P_leak:** `/api/version` response: `{"Version":"3.6.15","Codename":"ramequin","startDate":"2026-06-13T05:38:02.987423426Z"}`. No secret patterns (password/token/key/cert/pem) detected.
+
+**P_ping_still_404:** `https://traefik.ci.commoninternet.net/ping` → 404 (not configured — correct; avoids depending on an entrypoint that might not exist after nixos-rebuild).
+
+**Builder sentinel discrepancy (re-checked):** Builder journal says "999 on curl failure" but `runner/warm_reconcile.py:276` returns `int(r.stdout.strip() or "0")` → curl error → "000" → int("000")=0. Returns 0, not 999. Non-blocking (0 ∉ (200,) → gate fails correctly). Same finding as M1 check 6 — no code defect.
+
+**STATUS-pxgate.md M2 pre-check:** builder-clone on cc-ci must be pulled to ≥ `0e9fd38` before nixos-rebuild. Current: `caef217` (stale). Orchestrator must `cd /root/builder-clone && git pull` first.
+
+No new findings warranting a VETO. All running-system probes PASS.