KB-2033

Static / No-Write Validation

Revision 1 · 2026-06-23

08 — STATIC / NO-WRITE VALIDATION

All checks below are static or read-only. No sandbox DB was created; P1–P6/P2 primitives were NOT run.

bash -n (syntax) — deployed files

OK _common.sh   OK dot-staging-sandbox-create   OK dot-staging-sandbox-drop
OK dot-c1-staging-vocab-build   OK dot-c1-staging-verify   OK dot-c1-staging-bad-input-harness
OK dot-c1-staging-evidence-readback   OK plan/c1-staging-fast-dry-run.plan.sh   (8/8)

shellcheck

shellcheck -S warning on the 3 changed bin scripts and the plan script → CLEAN (the single SC2034 hit, on the version constant, is silenced with an intentional # shellcheck disable).

Injection grep (deployed bin/)

grep '\$[*@]'                            -> only _common.sh:76  … psql … "$@" …   (quoted argv passthrough)
grep -E 'eval|sh -c|sh -lc|bash -c'      -> no non-comment hits
grep -E 'docker exec.*sh -lc|.*sh -c'    -> no non-comment hits
grep -E '<SBX>|placeholder|TODO|FIXME'   -> none in executable paths (bin/sql/plan)

Guard self-tests (pure-bash helpers; NO primitive invoked; NO DB op)

9/9 matched expected: directus→4, postgres→4, c1_staging_2026→4, valid name→0, injection-style name→4, 24h/7d→0, 99x/24→4.

SQL static — dollar-quote & transaction balance

p1b: f$=0 d$=0 g$=0 $$=0  BEGIN=1 COMMIT=1
p3 : f$=4 d$=2 g$=2 $$=0  BEGIN=1 COMMIT=1
p4 : f$=2 d$=0 g$=2 $$=0  BEGIN=1 COMMIT=1
p5 : f$=2 d$=0 g$=2 $$=18 BEGIN=1 COMMIT=1   (18 occurrences = 9 paired $$ tags, one per harness case)
p6 : f$=2 d$=0 g$=2 $$=0  BEGIN=2 COMMIT=2

All dollar tags even; BEGIN==COMMIT. Novel scalar SQL (expires_at interval) validated read-only.
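As an added illustration, not the report's or the project's own tooling, the per-file row above can be reproduced with a purely read-only shell check that never touches a database; the tag set ($f$ $d$ $g$ $$) follows the table, and the sample SQL it writes is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not the report's tooling): reproduce the "dollar-quote &
# transaction balance" row for one SQL file, read-only. Assumes GNU grep/sed;
# the tag set is the one the report counts; the sample SQL is constructed.
set -u

# count_tag FILE TAG -> occurrences of the literal dollar tag (e.g. '$f$').
count_tag() { grep -o -F -- "$2" "$1" | wc -l | tr -d ' '; }

# count_stmt FILE KEYWORD -> lines that are just "KEYWORD;" after stripping
# "--" comments, i.e. transaction control only. A bare BEGIN inside a PL/pgSQL
# body is deliberately NOT counted, or every function would look like an
# unclosed transaction. (A "--" inside a string literal would fool the sed.)
count_stmt() {
  sed 's/--.*$//' "$1" | grep -c -i -E "^[[:space:]]*$2[[:space:]]*;" || true
}

# sql_static_check FILE -> prints one line in the report's notation; returns 0
# only when every tag count is even and BEGIN == COMMIT, 1 otherwise.
sql_static_check() {
  local f="$1" rc=0 n tag label b c summary
  summary="$(basename "$f"):"
  for tag in '$f$' '$d$' '$g$' '$$'; do
    n=$(count_tag "$f" "$tag")
    label=${tag#\$}; [ "$tag" = '$$' ] && label='$$'
    summary="$summary $label=$n"
    [ $((n % 2)) -eq 0 ] || rc=1
  done
  b=$(count_stmt "$f" BEGIN); c=$(count_stmt "$f" COMMIT)
  summary="$summary BEGIN=$b COMMIT=$c"
  [ "$b" -eq "$c" ] || rc=1
  echo "$summary"
  return "$rc"
}

# write_sample FILE ok|bad -> constructed SQL in the style of the patched files;
# "bad" leaves a $d$ tag open and drops the COMMIT so the check must fail.
write_sample() {
  cat > "$1" <<'SQL'
BEGIN;
CREATE OR REPLACE FUNCTION chk(p text) RETURNS boolean LANGUAGE plpgsql AS $f$
BEGIN  -- PL/pgSQL block, not a transaction
  RETURN p <> '';
END $f$;
DO $$ BEGIN PERFORM chk('x'); END $$;
SQL
  if [ "$2" = ok ]; then echo 'COMMIT;' >> "$1"; else echo 'SELECT $d$oops;' >> "$1"; fi
}
```

Running `write_sample /tmp/ok.sql ok; sql_static_check /tmp/ok.sql` prints `ok.sql: f$=2 d$=0 g$=0 $$=2 BEGIN=1 COMMIT=1`, while the `bad` variant reports `d$=1 … COMMIT=0` and exits 1.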

sha256 — transfer integrity (local==remote) for all 11 patched files

1b2d13d0…  bin/_common.sh
5af96529…  bin/dot-staging-sandbox-create
8118848c…  bin/dot-staging-sandbox-drop
97fedfb8…  sql/p1b-meta.sql
cc3d1934…  sql/p3-vocab-build.sql
060d93ff…  sql/p4-verify.sql
0658ba62…  sql/p5-bad-input-harness.sql
189b9bcb…  sql/p6-evidence-readback.sql
eec41b1c…  plan/c1-staging-fast-dry-run.plan.sh
e426b44c…  README.md
8f119eb4…  ROLLBACK.md

Unchanged & verified: bin/dot-c1-staging-{vocab-build a4f…→075ce66c, verify a4f3b306, bad-input-harness 86029710, evidence-readback f34f118e}, sql/p1a a09d497e, admission 2a3f1779.

Registry / ledger

  • registry/primitives.jsonl (2dfd6b5e…) valid JSONL, 6 rows; recorded bin sha256 == deployed (6/6 OK).
  • ledger/dot_manage.jsonl (2042c9f4…) valid JSONL, 7 rows (5 original + seq6 patch_r1 + seq7 revalidation).

Secret scan

No credentials in any patched file (the only false positive was the word "token" in a comment). The PG role is resolved via printenv, not hardcoded; "directus" appears only in the off-limits guard list.

Source: knowledge/dev/laws-new/reports/c1-staging-codex-r1-fixes-ready-for-r2/08-static-no-write-validation.md