KB-6B1A

01 — Input state + R2 fix summary (Role A)


01 — Input state + Role A (Builder) R2-fix summary

Role A — Builder summary (what the R2 patch claims to deliver)

The C1 staging-lite lane at /opt/incomex/staging/c1/ is a disposable LEGO staging warehouse (lane A, DOT-100-staging-lite). It contains 6 admitted primitives, _common.sh, 6 SQL payloads, and the plan, registry, ledger, admission and docs. The fast dry-run chains P1 create → P3 vocab → P4 verify → P5 bad-input → P6 evidence → P2 drop inside a throwaway c1_staging_<ts> DB, proves valid-pass / bad-fail-closed, then destroys the sandbox. Nothing is deployed to dot/bin, registered in dot_tools, or written to official runtime.

R2 fixes (from C1_STAGING_CODEX_R2_FIXES_READY_FOR_CODEX_R3):

  • R2-1 P1 partial-create self-cleaning EXIT trap (compensating drop; exit 70 on cleanup failure; created=true/SANDBOX_JSON only after all postconditions). Plan preselects the sandbox id.
  • R2-2 plan never swallows a P2 failure (primary rc + cleanup rc 4-way exit matrix; residual-DB check; DRY_RUN_OK only after P2 + c1_staging_% count = 0).
  • R2-3 P6 digest spans canonical_operation AND c1_test_results; gate + ledger + digest in ONE SHARE-locked txn; persisted then read back.
  • R2-4 P1 --force DISABLED (existing sandbox fails closed → governed P2 cleanup).
  • R2-5 remote-temp tracker = host file (subshell-safe), replacing the lost bash array.
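
The partial-create handling claimed in R2-1 and the fail-closed rule in R2-4 can be sketched as below. This is an added example, not the C1 lane's code: a directory stands in for the sandbox DB, and the function name sandbox_create, its fault-injection argument and exit codes 3 to 6 are assumptions; only exit 70 comes from the summary above.

```shell
#!/usr/bin/env bash
# Added illustration of the R2-1 / R2-4 pattern; not the C1 lane's code.
# A directory stands in for the throwaway sandbox DB. The second argument
# is a hypothetical fault-injection knob: none | create | drop.
# Exit codes 3-6 are placeholders; 70 is the cleanup-failure code from R2-1.

sandbox_create() (                 # subshell body: trap and exit stay local
  sandbox="$1"                     # id preselected by the caller (the plan)
  inject="${2:-none}"
  owned=false                      # true once this run created something
  created=false                    # true only after all postconditions pass

  cleanup() {
    rc=$?                          # status the body is exiting with
    if [ "$created" = true ]; then exit 0; fi
    if [ "$owned" = true ]; then   # undo only what this run made
      if [ "$inject" = drop ] || ! rm -rf -- "$sandbox"; then
        echo "CLEANUP_FAILED sandbox=$sandbox primary_rc=$rc" >&2
        exit 70                    # residue remains: distinct, loud code
      fi
    fi
    if [ "$rc" -eq 0 ]; then rc=1; fi   # no success without created=true
    exit "$rc"
  }
  trap cleanup EXIT

  # R2-4: an existing sandbox fails closed; it is never overwritten here.
  if [ -e "$sandbox" ]; then exit 3; fi
  mkdir -- "$sandbox" || exit 4
  owned=true

  : > "$sandbox/schema"            # first half of the create
  if [ "$inject" != none ]; then exit 5; fi   # simulated mid-create failure
  : > "$sandbox/ledger"            # second half

  # Postconditions first, success marker last.
  if [ ! -f "$sandbox/schema" ] || [ ! -f "$sandbox/ledger" ]; then exit 6; fi
  created=true
  printf '{"sandbox":"%s","created":true}\n' "$sandbox"
)
```

The owned flag is what keeps the trap from dropping a sandbox that already existed before this run, so the R2-4 failure path leaves that sandbox for a separate governed cleanup.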

Role B does NOT trust the above

Everything below in this package was re-derived from the actual artifacts (read with line numbers, greps, live no-write tests), not from this summary.

Authoritative artifact inventory (pre-fix sha256, remote = local)

19 files. Local copy byte-identical to deployed (LOCAL_BYTES_==_REMOTE). Key hashes:

bin/_common.sh                       c31a1e5d04eeb1b808c15ede0778dc67b492fb7124ee0f8423e2608b8aee758f
bin/dot-staging-sandbox-create       3694a0b6d35cc761637826537bfb04375b12a2db4b98b13954beeec90e33d23e
bin/dot-staging-sandbox-drop         8118848c45d5cb0aaf523b6a0066c356e6c272c069d5af103136d5ccec159e85
bin/dot-c1-staging-vocab-build       075ce66c67a7ad13b99436faf92b62c85fe725143d810006c14cacf1da40146f
bin/dot-c1-staging-verify            a4f3b30656cabd6f21583d3d84b8737f9c2f549f0dd8499f4d4f70c245e7e5ad
bin/dot-c1-staging-bad-input-harness 86029710b0fd6696fa44cec9b808c80a25e75ec10f65706dd1d6e79cbf4da76b
bin/dot-c1-staging-evidence-readback f34f118e865315b54c0bdcd5ac840246114c799ebfc6e75e3a632019a1e6a12f
plan/...plan.sh (PRE-fix)            f1f5475c3a39d2aecfad6a0e263ee3b7925043851db7a2488385b18b9e4cb033
sql/p1a..p6                          (a09d49 / 97fedf / cc3d19 / 060d93 / 0658ba / 212ebc)
registry/primitives.jsonl            ccfad13ac2ca1d5c2b2b9e2f7bda0b6669585bc08bd27c6503f26908b63437ca

Official runtime BEFORE snapshot (DB directus, container postgres, PG16)

dot_tools                      = 309
dot_agent_api_contract         = 2
table_registry                 = 21
governance_build_authorization = 0
approval_requests              = 231
apr_action_types               = 14
authorize_build_step.handler_ref = unimplemented (risk high)
APR-0415                       = pending ; approvals = 0
canonical_operation (in directus) = relation does NOT exist  (=> C1 vocab is sandbox-only)
staging_DBs (c1_staging_% / %staging%) = 0
db_count = 7 ; db_list_hash = dfc368f6eb899ad5b0006466195fb4ab
db list = directus, directus_gov_test_20260602, incomex_metadata, postgres, template0, template1, workflow

This matches the documented baseline exactly and serves as the "before" state for the before==after proof (file 07).
