KB-4371

Self-Review Command Outputs

Revision 1
c1stagingcodex-r1-fixself-reviewcommand-outputs2026-06-23

12 — SELF-REVIEW COMMAND OUTPUTS (verbatim)

1. Injection grep (deployed bin/)

grep -RnE '\$[*@]' /opt/incomex/staging/c1/bin/
  /opt/incomex/staging/c1/bin/_common.sh:76:  docker exec "${PG_CONTAINER}" psql -U "$(stg_pg_user)" -v ON_ERROR_STOP=1 "$@" -d "$db" -f "$rmt" </dev/null || rc=$?
grep -RnE 'eval|sh -c|sh -lc|bash -c' bin/ (non-comment)  -> (no non-comment hits)
grep -RnE 'docker exec.*sh -lc|docker exec.*sh -c' bin/ (non-comment) -> (no non-comment hits)
grep -RnE '<SBX>|placeholder SBX|TODO|FIXME' bin sql plan -> (none in executable paths)

2. Guard self-tests (source _common.sh; helper functions only; no primitive; no DB)

rc=4 (expect 4)  ::  stg_assert_sandbox_name directus
rc=4 (expect 4)  ::  stg_assert_sandbox_name postgres
rc=4 (expect 4)  ::  stg_assert_sandbox_name c1_staging_2026
rc=0 (expect 0)  ::  stg_assert_sandbox_name c1_staging_20260623_0711
rc=4 (expect 4)  ::  stg_assert_sandbox_name 'c1_staging_20260623_0711; DROP DATABASE directus'
rc=0 (expect 0)  ::  stg_assert_ttl 24h
rc=0 (expect 0)  ::  stg_assert_ttl 7d
rc=4 (expect 4)  ::  stg_assert_ttl 99x
rc=4 (expect 4)  ::  stg_assert_ttl 24

3. bash -n (deployed) + shellcheck

OK _common.sh; OK dot-staging-sandbox-create; OK dot-staging-sandbox-drop;
OK dot-c1-staging-vocab-build; OK dot-c1-staging-verify; OK dot-c1-staging-bad-input-harness;
OK dot-c1-staging-evidence-readback; OK plan/c1-staging-fast-dry-run.plan.sh   (8/8)
shellcheck -S warning (changed bin + plan) -> SHELLCHECK_CLEAN

4. PostgreSQL short-circuit + extraction (read-only, no table touched)

SELECT true OR (jsonb_array_length('null'::jsonb)<1)                                  -> or_shortcircuits = true
SELECT (('null'::jsonb IS NULL) OR (jsonb_typeof('null'::jsonb)<>'array') OR (jsonb_array_length('null'::jsonb)<1)) -> case5 = true (no error)
SELECT (('{"k":"v"}'::jsonb IS NULL) OR (jsonb_typeof('{"k":"v"}'::jsonb)<>'array') OR (jsonb_array_length(...)<1)) -> case6 = true (no error)
SELECT split_part('C1_REJ_MISSING_CODE | required',' |',1)                           -> C1_REJ_MISSING_CODE
SELECT split_part('C1_REJ_PRODUCTION_READY_FORBIDDEN | production_ready',' |',1)      -> C1_REJ_PRODUCTION_READY_FORBIDDEN

5. expires_at interval math (read-only)

now() + (substring('24h' from '^[0-9]+') || ' hours')::interval -> 2026-06-24 08:16Z  (+1 day)
now() + (substring('7d'  from '^[0-9]+') || ' days')::interval  -> 2026-06-30 08:16Z  (+7 days)

6. Official runtime BEFORE / AFTER / AFTER-AFTER (query_pg, database=directus)

ALL THREE IDENTICAL:
dot_tools=309 contracts=2 table_registry=21 gba=0 appr=231 apr_action_types=14
authorize_build_step.handler_ref=unimplemented c1/staging-in-dot_tools=0
APR-0415=pending staging_dbs=0
databases=directus,directus_gov_test_20260602,incomex_metadata,postgres,template0,template1,workflow
docker exec postgres printenv POSTGRES_USER -> directus ; staging_dbs (direct) -> 0

7. SQL balance + registry/ledger validity

p1b f$0/d$0/g$0/$$0 B1/C1 ; p3 f$4/d$2/g$2 B1/C1 ; p4 f$2/g$2 B1/C1 ; p5 f$2/g$2/$$18 B1/C1 ; p6 f$2/g$2 B2/C2
jq -c registry -> VALID JSONL (6 rows); recorded bin sha256 == deployed (6/6 OK)
jq -c ledger   -> VALID JSONL (7 rows)

8. Secret scan

grep -rniE 'password|secret|token|api_key|PGPASSWORD|BEGIN (RSA|PRIVATE)|AKIA…' patched files
  -> only false positive: _common.sh comment containing the word "token"
PG role resolved via 'docker exec postgres printenv POSTGRES_USER' (not hardcoded);
'directus' present only in STG_OFFLIMITS_DBS guard list.
knowledge/dev/laws-new/reports/c1-staging-codex-r1-fixes-ready-for-r2/12-self-review-command-outputs.md