KB-56EC

Fix 5 — TTL / Cleanup Honesty

Revision 1
c1stagingcodex-r1-fixttlcleanup2026-06-23

07 — FIX 5: TTL / CLEANUP POLICY (truthful)

Root cause (Codex A7)

Rev-1 stored the TTL as free text, and the docs implied "after TTL it retires"; no cron or scanner exists, so expiry was in fact manual. P2 also wrote a sandbox_drop ledger entry BEFORE the drop had succeeded, so a failed drop still left a completed-looking entry behind.

Fix — honest model

  • Stated truthfully in README.md and ROLLBACK.md:

    "TTL is advisory/manual fallback. Cleanup is performed by P2 — invoked by the dry-run plan's EXIT trap (primary) or run manually — NOT by an automatic timer. No cron/systemd/timer is installed."

  • Typed expires_at: p1b-meta.sql now stores expires_at timestamptz NOT NULL in both sbx_meta.birth_certificate and sbx_meta.sandbox_registry, derived from the validated TTL: now() + (substring(:'ttl' from '^[0-9]+') || (CASE WHEN :'ttl' ~ 'h$' THEN ' hours' ELSE ' days' END))::interval. Verified read-only: 24h → +1 day, 7d → +7 days. Note that the CASE treats any TTL not ending in h as days, so the upstream validation must reject anything that is not <digits>h or <digits>d; an unvalidated "30m" would otherwise become 30 days. This makes a future scanner POSSIBLE, but no scanner is claimed to exist.
  • Primary cleanup is the dry-run plan's trap cleanup EXIT, which runs P2 on every exit path, success or failure. An EXIT trap cannot fire on SIGKILL or an abrupt host failure; that is the case the manual fallback exists for.
  • P2 ledger ordering (bin/dot-staging-sandbox-drop): records sandbox_drop_attempt BEFORE the drop, then DROP DATABASE … WITH (FORCE), then a fail-closed readback (stg_die if the database is still present), and only then sandbox_drop_success. No completed-sounding evidence is written before success.
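The bash sketch below is an added example for this page, not the project's bin/dot-staging-sandbox-drop or p1b-meta.sql. It shows the two parts of Fix 5 that are easiest to get subtly wrong: the TTL validation the ::interval derivation depends on, and the attempt → drop → readback → success ledger order with a readback that fails closed on anything other than a literal 0. Everything beyond the page is an assumption: the PSQL and LEDGER hooks, stg_die exiting 70, sandbox databases being named sbx_*, psql -v variables for the identifier and literal, and the pg_database readback.

```bash
#!/usr/bin/env bash
# Added example, not the project's own script. Models the Fix-5 shape:
# validate the TTL before it reaches ::interval, and write ledger evidence
# in attempt -> drop -> readback -> success order.
# Assumptions: PSQL/LEDGER hooks, stg_die exit code 70, sbx_* naming.
set -euo pipefail

PSQL=${PSQL:-psql}               # assumed hook; a test can point it at a fake
LEDGER=${LEDGER:-/dev/stderr}    # assumed: one line per ledger event, append-only

stg_die() { printf 'FATAL: %s\n' "$*" >&2; exit 70; }   # exit code is an assumption

ledger() {   # ledger <event> <sandbox>
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$LEDGER"
}

# The SQL derivation treats "ends in h" as hours and everything else as days,
# so this validation is load-bearing: only <digits>h or <digits>d pass.
# Prints the text the ::interval cast would receive; returns 1 on bad input.
ttl_to_interval() {
  local ttl=$1
  [[ $ttl =~ ^([0-9]+)([hd])$ ]] || return 1
  local n=${BASH_REMATCH[1]} unit=${BASH_REMATCH[2]}
  (( 10#$n > 0 )) || return 1              # "0d" would expire at birth
  if [[ $unit == h ]]; then echo "$n hours"; else echo "$n days"; fi
}

# P2 ordering: no completed-sounding evidence until the readback proves the drop.
drop_sandbox() {   # drop_sandbox <dbname>
  local db=$1 present
  [[ $db =~ ^sbx_[a-z0-9_]{1,48}$ ]] || stg_die "refusing non-sandbox name: $db"

  ledger sandbox_drop_attempt "$db"        # 1. attempt, before anything destructive

  # 2. the drop; identifier passed as a psql variable (:"db"), not spliced into SQL
  printf '%s\n' 'DROP DATABASE :"db" WITH (FORCE);' |
    "$PSQL" -XqAt -v ON_ERROR_STOP=1 -v db="$db" >/dev/null

  # 3. fail-closed readback: anything other than a literal 0 (a psql error,
  #    empty output, a row count of 1) is treated as "still present"
  present=$(printf '%s\n' "SELECT count(*) FROM pg_database WHERE datname = :'db';" |
            "$PSQL" -XqAt -v ON_ERROR_STOP=1 -v db="$db") || present=''
  [[ $present == 0 ]] || stg_die "$db still present after DROP; no sandbox_drop_success recorded"

  ledger sandbox_drop_success "$db"        # 4. only now
}

# How the dry-run plan would wire it: the EXIT trap runs P2 even on failure,
# but never on SIGKILL or host loss, which is why the TTL stays a manual fallback.
#   trap 'drop_sandbox "$SBX"' EXIT
if [[ ${BASH_SOURCE[0]:-} == "$0" && $# -eq 1 ]]; then drop_sandbox "$1"; fi
```

The readback deliberately compares against the string 0 rather than testing "not 1": if psql cannot reach the server the variable is empty, and an empty answer must not be mistaken for "gone". The name regex is the other fail-closed guard; a typo that resolves to a non-sandbox database is refused before any ledger line is written.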

No overclaim

There is NO automatic TTL timer. Do not rely on the TTL to remove a sandbox. This is the model the Codex review (§Fix 5) explicitly called "acceptable".

Source path: knowledge/dev/laws-new/reports/c1-staging-codex-r1-fixes-ready-for-r2/07-fix-ttl-cleanup-policy.md