claim(2pc): PC1 conservative prune deployed+verified; PC2/PC3 local-store cache confirmed

ci-docker-prune (gated surgical prune) live on cc-ci: old autoPrune --all gone, new timer
enabled (daily), no-ops below 80% disk keeping the local image cache, never --all/--volumes.
Daemon stays PAT-authenticated (nptest2); /var/lib/docker retained across rebuild. PC3 proof:
redis:7-alpine deploy->teardown(service rm, image retained)->redeploy = "Image is up to date",
no layer re-download (cold 5303ms -> warm 674ms). Docs: runbook "Image cache & prune policy",
warm.md, DECISIONS Phase-2pc, IDEAS (registry pull-through cache deferred + revisit trigger).
Gate 2pc CLAIMED, awaiting Adversary cold-verify.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

machine-docs/JOURNAL-2pc.md

@@ -45,3 +45,42 @@ oneshot `systemd.service` running a surgical, **triple-gated** prune:
 When all gates pass: `docker {container,image,builder} prune -f --filter until=24h` — dangling +
 age-gated only. NEVER `--all` (keeps tagged base/in-use images), NEVER `--volumes` (warm canonical
 data, per swarm.nix's existing comment).
+
+## 2026-05-29 — Implemented + deployed + verified on cc-ci
+
+**Implementation.** `nix/modules/docker-prune.nix` (NEW) + `swarm.nix` (dropped autoPrune block) +
+`configuration.nix` import. Unit renamed `docker-prune` → **`ci-docker-prune`** because the NixOS
+docker module reserves `systemd.services.docker-prune` (build conflict caught by `nixos-rebuild
+build`: "conflicting definition values for systemd.services.docker-prune.description"). Renamed,
+rebuilt clean.
+
+**Deploy.** Synced the 3 changed nix files to `/root/cc-ci` (tar over ssh; isolated change — host
+tree otherwise unchanged), `nixos-rebuild build` (clean, shellcheck on the writeShellApplication
+passed), then `systemd-run --unit=ccci-sw ... nixos-rebuild switch path:/root/cc-ci#cc-ci`. Switch
+finished (22.5s CPU), `systemctl is-system-running` → `running`.
+
+**Verification (real host).**
+- Old NixOS `docker-prune.timer` → `is-enabled` = **not-found** (autoPrune gone). `ci-docker-prune.timer`
+  → enabled + active; `list-timers` NEXT = Sat 2026-05-30 00:00 UTC (daily).
+- Manual `systemctl start ci-docker-prune.service` at `/`=31%: log →
+  `docker-prune: / at 31% (< 80%) — keeping local image cache, nothing to do`. No images removed
+  (21 → 21). Gate works.
+- PC2: `docker info | grep Username` → `nptest2` (PAT auth retained after rebuild). `/var/lib/docker`
+  persistent (21 recipe images retained across the rebuild).
+- PC3 layer-reuse proof (real swarm deploy→teardown→redeploy, redis:7-alpine, docker.io via authed daemon):
+  ```
+  COLD pull: 897d... Already exists; c14c.. f546.. a300.. 941e.. 4f4f.. 677c.. Pull complete  (6 downloaded)
+             Status: Downloaded newer image for redis:7-alpine        COLD_PULL_MS=5303
+  service create pc3b -> 1/1
+  service rm pc3b      -> retained_after_teardown: redis:7-alpine 487efc061638   (image REMAINS)
+  WARM pull: Status: Image is up to date for redis:7-alpine          WARM_PULL_MS=674   (no bytes)
+  redeploy create pc3b -> redeploy_ok (reused local layers)
+  ```
+  Cold 5303ms (6 layer downloads) → warm 674ms (authenticated manifest check only, 0 layers
+  re-downloaded). The alpine base layer `897d...` showed "Already exists" even on the cold pull =
+  cross-image base-layer reuse, a bonus cache win. Teardown (`service rm`) retained the image —
+  matches `teardown_app` (no rmi).
+
+**Docs/decisions.** `docs/runbook.md` (new "Image cache & prune policy" + updated rate-limit note),
+`docs/warm.md` (autoPrune→ci-docker-prune), `DECISIONS.md` (Phase-2pc entry), `cc-ci-plan/IDEAS.md`
+(deferred registry cache + revisit trigger). Gate claimed.