KB-B569

Fix 2 — SBX Propagation

Revision 1
c1stagingcodex-r1-fixsbx-propagation2026-06-23

04 — FIX 2: REAL SBX PROPAGATION (P1 → P3/P4/P5/P6/P2)

P1 machine-readable output

bin/dot-staging-sandbox-create now emits, after SANDBOX_READY:

SANDBOX_JSON: {"sandbox_id":"c1_staging_<ts>","sandbox_db":"c1_staging_<ts>","created":true}

sandbox_db is derived from sandbox_id (same value), not arbitrary input.

Reviewed run-plan (NOT executed by this macro)

plan/c1-staging-fast-dry-run.plan.sh (sha256 eec41b1ce968c2660b3f80999650aaeb3a04f795214cdd206779a1984a8cdd3d):

  • set -euo pipefail.
  • Hard confirmation gate: refuses to run unless C1_STAGING_DRY_RUN_CONFIRM=CODEX_R2_PASS (exit 64). Cannot run before Codex R2.
  • Captures SBX programmatically:
    P1_OUT="$(… dot-staging-sandbox-create …)"
    P1_JSON="$(printf '%s\n' "$P1_OUT" | sed -n 's/^SANDBOX_JSON: //p' | tail -n1)"
    SBX="$(printf '%s' "$P1_JSON" | jq -r '.sandbox_id')"
    SBX_DB="$(printf '%s' "$P1_JSON" | jq -r '.sandbox_db')"
    [ -n "$SBX" ] && [ "$SBX" != "null" ] || exit 70
    [[ "$SBX" =~ ^c1_staging_[0-9]{8}_[0-9]{4}$ ]] || exit 71
    [ "$SBX" = "$SBX_DB" ] || exit 72
    
  • Runs P3→P4→P5→P6 with --sandbox-id "$SBX", tee-ing each stage's stdout to evidence/ before the EXIT trap drops the sandbox (so the P6 digest is durably captured before destruction).
  • EXIT-trap cleanup (primary): runs P2 even on failure; preserves exit code.

Forbidden patterns eliminated

  • No placeholder SBX=c1_staging_<ts>; no manually typed id; no operator copy/paste. grep -RnE '<SBX>|placeholder…|TODO' bin sql plan → none in executable paths.
  • jq is present on the host (/usr/bin/jq).

Static only: the plan is reviewed and deployed but not run (hard lock). Runtime propagation is proven by construction: P1 emits the JSON (verified by reading the deployed P1), and the plan's parse+validate chain is syntactically verified (bash -n OK).
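
The plan's parse+validate chain can also be exercised at runtime against constructed P1 output, without creating a sandbox. The following is an added example, not the project's plan file: resolve_sbx and check are hypothetical names, every sample output is constructed, and it assumes bash and jq.

```bash
#!/usr/bin/env bash
# Added example. resolve_sbx is a hypothetical wrapper around the plan's
# parse+validate chain; it returns the plan's exit codes instead of exiting:
# 70 = id empty/null, 71 = id format rejected, 72 = sandbox_db != sandbox_id.
resolve_sbx() {
  local p1_out="$1" p1_json sbx sbx_db
  # Last SANDBOX_JSON line wins, as in the plan (tail -n1).
  p1_json="$(printf '%s\n' "$p1_out" | sed -n 's/^SANDBOX_JSON: //p' | tail -n1)"
  # Assumption of this example: a jq parse error is reported as 70 as well.
  sbx="$(printf '%s' "$p1_json" | jq -r '.sandbox_id' 2>/dev/null)" || return 70
  sbx_db="$(printf '%s' "$p1_json" | jq -r '.sandbox_db' 2>/dev/null)" || return 70
  [ -n "$sbx" ] && [ "$sbx" != "null" ] || return 70
  [[ "$sbx" =~ ^c1_staging_[0-9]{8}_[0-9]{4}$ ]] || return 71
  [ "$sbx" = "$sbx_db" ] || return 72
  printf '%s\n' "$sbx"
}

# Constructed P1 outputs (not captured from a real run).
JSON_OK='{"sandbox_id":"c1_staging_20260623_1412","sandbox_db":"c1_staging_20260623_1412","created":true}'
P1_GOOD="creating sandbox
SANDBOX_READY
SANDBOX_JSON: $JSON_OK"
P1_NO_MARKER="creating sandbox
SANDBOX_READY"
# The literal template id from the documentation must never pass validation.
P1_PLACEHOLDER='SANDBOX_JSON: {"sandbox_id":"c1_staging_<ts>","sandbox_db":"c1_staging_<ts>","created":true}'
# Well-formed id, but sandbox_db names a different (made-up) database.
P1_MISMATCH='SANDBOX_JSON: {"sandbox_id":"c1_staging_20260623_1412","sandbox_db":"c1_other_db","created":true}'
P1_TRUNCATED='SANDBOX_JSON: {"sandbox_id":'

# Print the outcome for one constructed case.
check() {
  local label="$1" out rc=0
  out="$(resolve_sbx "$2")" || rc=$?
  printf '%-12s rc=%s id=%s\n' "$label" "$rc" "${out:-<none>}"
}
check good        "$P1_GOOD"
check no-marker   "$P1_NO_MARKER"
check placeholder "$P1_PLACEHOLDER"
check mismatch    "$P1_MISMATCH"
check truncated   "$P1_TRUNCATED"
```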

knowledge/dev/laws-new/reports/c1-staging-codex-r1-fixes-ready-for-r2/04-fix-sbx-propagation.md