diff --git a/.gitea/workflows/ci-probe.yaml b/.gitea/workflows/ci-probe.yaml
new file mode 100644
index 0000000..19fd23a
--- /dev/null
+++ b/.gitea/workflows/ci-probe.yaml
@@ -0,0 +1,73 @@
+# THROWAWAY DIAGNOSTIC — delete once the real gate is wired.
+#
+# This answers the questions that decide the CI architecture, on facts rather
+# than guesses:
+# * How does this runner execute a plain job — directly on the host, or inside
+# a default container? (-> is "the ci server has nix" reachable from steps?)
+# * Is `nix` on PATH where steps run, and does a /nix store persist?
+# * Is a docker client/daemon reachable from a plain job (no DinD service)?
+# * Does a custom job `container:` work on this rootless runner, and can it pull
+# an image (nixos/nix) — i.e. is the "reusable nix image" model viable?
+#
+# Trigger: push to this branch, or run manually from the Actions UI.
+name: ci-probe
+on: [push, workflow_dispatch]
+
+jobs:
+ # --- Job 1: DEFAULT execution -------------------------------------------
+ # No `container:` override — this is whatever environment the runner gives a
+ # plain job. Tells us where steps actually run and what's already there.
+ host:
+ runs-on: ci-public
+ steps:
+ - name: identity & environment
+ run: |
+ echo "=== uname ==="; uname -a
+ echo "=== os-release ==="; head -3 /etc/os-release 2>/dev/null || echo "(none)"
+ echo "=== whoami / id ==="; whoami; id
+ echo "=== containerized? ==="
+ if [ -f /.dockerenv ]; then
+ echo "/.dockerenv PRESENT -> steps run INSIDE a container"
+ else
+ echo "/.dockerenv absent"
+ fi
+ echo "--- /proc/1/cgroup (first lines) ---"; head -5 /proc/1/cgroup 2>/dev/null || echo "(none)"
+
+ - name: nix availability (the decisive check)
+ run: |
+ echo "=== which nix ==="; command -v nix || echo "nix NOT on PATH"
+ echo "=== nix --version ==="; nix --version 2>/dev/null || echo "(no nix here)"
+ echo "=== /nix store ==="; ls -ld /nix /nix/store 2>/dev/null || echo "(no /nix)"
+ echo "=== store path count (persistence hint; high => warm/shared) ==="
+ ls /nix/store 2>/dev/null | wc -l
+
+ - name: docker availability (without a DinD service)
+ run: |
+ echo "=== which docker ==="; command -v docker || echo "docker NOT on PATH"
+ docker version 2>/dev/null || echo "(no docker client/daemon reachable from a plain job)"
+
+ - name: checkout — does the flake land here?
+ uses: actions/checkout@v4
+
+ - name: flake present in this checkout?
+ run: ls -la flake.nix flake.lock rust-toolchain.toml 2>/dev/null || echo "(flake not on this branch's checkout)"
+
+ # --- Job 2: CUSTOM CONTAINER --------------------------------------------
+ # Tests the "reusable nix image" model: run steps inside a pinned nix image.
+ # Deliberately minimal — no checkout (the checkout action needs node, which a
+ # bare nixos/nix image lacks; that's a separate concern). If this job's steps
+ # run at all, custom job containers are viable on this runner.
+ nix-container:
+ runs-on: ci-public
+ container:
+ image: nixos/nix:latest
+ steps:
+ - name: nix inside a pinned container
+ run: |
+ echo "=== inside nixos/nix container ==="
+ nix --version
+ echo "--- identity ---"; whoami; id; uname -a
+ echo "--- flakes enabled? ---"
+ nix --extra-experimental-features 'nix-command flakes' flake --help >/dev/null 2>&1 \
+ && echo "flakes usable (with --extra-experimental-features)" \
+ || echo "flake subcommand not usable as invoked"
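Review bot: The trigger `on: [push, workflow_dispatch]` has no branch filter, so despite the header comment ("push to this branch") the probe runs on every push to any branch for as long as the file exists, and each run writes host details (`uname -a`, `id`, `/proc/1/cgroup`, the `/nix/store` entry count, docker reachability) into the job log of the `ci-public` runner. If those logs are readable beyond the maintainers, prefer `on: [workflow_dispatch]` or a `push:` trigger with a `branches:` filter naming the probe branch, and remove the run logs together with the workflow. In the `nix-container` job the comment and step name say "pinned", but `image: nixos/nix:latest` is a floating tag; pin it by digest (`image: nixos/nix@sha256:<digest>`) or reword the comment to "unpinned" so the line is not copied into the real gate as-is. `uses: actions/checkout@v4` is likewise a mutable tag, and a full commit SHA is the safer reference to carry forward.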