KB-1407 rev 2

DOT_R2_B2 validator bad-input run — captured evidence (Macro-9B)

Tags: dot-manage, macro9b, test-evidence, fail-closed. Date: 2026-06-19

SUPERSEDED (2026-06-20, Macro-9B2). This rev1 37/37 evidence proved only its listed cases and was found by Codex review to leave fail-open paths (missing channel/actor, trailing-newline schema/run_id, truthy gate, Guard 3 plan-only). It is retained ONLY as the historical pre-remediation record. The authoritative evidence is now dot-r2-b2-validator-test-run-v2.txt (64/64 PASS, 0 fail-open; all 7 Codex HOLD findings closed). Do NOT cite this rev1 file as current fail-closed proof.

Captured stdout of python3 run_validator_tests.py (local, no runtime touch), 2026-06-19. EXIT=0.

====================================================================================================
DOT_R2_B2_STAGING_SCHEMA_SHELL — BAD-INPUT VALIDATION RUN (local, no runtime touch)
====================================================================================================
ID   VERDICT DECISION WR  REJECT_CODES                      DESC
----------------------------------------------------------------------------------------------------
T01  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  target = public
T02  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  target = iu_core
T03  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  target = cutter_governance
T04  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  target = sandbox_tac
T05  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  target = information_schema
T06  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  target = pg_catalog
T07  PASS    REJECT  0   NON_ALLOWLIST_SCHEMA               non-allowlist 'scratch'
T08  PASS    REJECT  0   NON_ALLOWLIST_SCHEMA               prefix only 'r2_b2_wb'
T09  PASS    REJECT  0   NON_ALLOWLIST_SCHEMA               malformed prefix 'r2b2wb_...'
T10  PASS    REJECT  0   NON_ALLOWLIST_SCHEMA               uppercase target
T11  PASS    REJECT  0   NON_ALLOWLIST_SCHEMA               SQL-injection in name
T12  PASS    REJECT  0   SCHEMA_RUNID_MISMATCH              allowlist prefix but not run-scoped 'r2_b2_wb_public'
T13  PASS    REJECT  0   MISSING_TARGET_SCHEMA              empty target
T14  PASS    REJECT  0   NON_ALLOWLIST_SCHEMA               whitespace-padded target
T15  PASS    REJECT  0   MISSING_RUN_ID                     empty run_id
T16  PASS    REJECT  0   MISSING_RUN_ID                     missing run_id key
T17  PASS    REJECT  0   BAD_RUN_ID,SCHEMA_RUNID_MISMATCH   bad-format run_id
T18  PASS    REJECT  0   MISSING_OWNER_AUTH                 empty owner_authorization_ref
T19  PASS    REJECT  0   MISSING_OWNER_AUTH                 missing owner_authorization_ref
T20  PASS    REJECT  0   UNKNOWN_MODE                       unknown mode
T21  PASS    REJECT  0   UNKNOWN_MODE                       missing mode
T22  PASS    REJECT  0   WRONG_DOT_CODE                     wrong dot_code
T23  PASS    REJECT  0   DIRECTUS_GENERIC_FORBIDDEN         use_directus_generic_create=true
T24  PASS    REJECT  0   FORBIDDEN_MANUAL_CHANNEL           channel=directus_generic
T25  PASS    REJECT  0   FORBIDDEN_MANUAL_CHANNEL           channel=psql
T26  PASS    REJECT  0   FORBIDDEN_MANUAL_CHANNEL           channel=manual_sql
T27  PASS    REJECT  0   FORBIDDEN_MANUAL_CHANNEL           channel=docker_exec_psql
T28  PASS    REJECT  0   UNKNOWN_CHANNEL                    channel=unknown
T29  PASS    REJECT  0   PROD_DATA_COPY_FORBIDDEN           copy_production_data=true
T30  PASS    REJECT  0   REAL_RUN_GATE_CLOSED               real_run while gate closed
T31  PASS    REJECT  0   REAL_RUN_GATE_CLOSED               teardown_real_run gate closed
T32  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  teardown_real_run target=public
T33  PASS    REJECT  0   PROTECTED_SCHEMA_TARGET,NON_ALLOW  real_run target=public
A01  PASS    ACCEPT  0   -                                  VALID validate_only
A02  PASS    ACCEPT  0   -                                  VALID dry_run_plan -> plan only
A03  PASS    ACCEPT  0   -                                  VALID verify (read-only)
A04  PASS    ACCEPT  0   -                                  VALID teardown_plan
----------------------------------------------------------------------------------------------------
ROWS: 37   PASS: 37   FAIL: 0
FAIL-OPEN (invalid accepted): NONE
DRY-RUN plan = 1 CREATE SCHEMA + 7 CREATE TABLE, zero writes: OK
VALIDATOR no-DB-IO meta-check: OK (pure function)

OVERALL: PASS — fail-closed verified

Interpretation: every invalid input is rejected (no fail-open); the only ACCEPTed rows are the four no-write modes and each produced 0 writes; the valid dry_run_plan returns a plan of exactly 1 CREATE SCHEMA + 7 CREATE TABLE (a plan, not a write); real_run/teardown_real_run reject with REAL_RUN_GATE_CLOSED (HOLD_FOR_OWNER_REAL_RUN). The validator imports no DB/network/exec library — it cannot mutate runtime.