C1 Staging Codex R2 Fixes Ready for R3 — Index
C1 STAGING — CODEX R2 FIXES READY FOR R3 — INDEX
Session: C1-STAGING-CODEX-R2-FIXES-2026-06-23
Date: 2026-06-23
Mode: patch-only under /opt/incomex/staging/c1/; static/no-write validation; no dry-run executed; no staging DB created; official runtime read-only (before==after).
Verdict
C1_STAGING_CODEX_R2_FIXES_READY_FOR_CODEX_R3
All four Codex R2 blockers (plus the related R2 finding #5) are patched, statically validated with zero writes, official runtime is unchanged (before==after), and staging_DBs remained 0 throughout.
Codex R2 input verdict (held)
CODEX_HOLD_C1_STAGING_R2_NEEDS_FIXES_BEFORE_DRY_RUN
What changed (exactly 4 source files + 3 governance docs, all under the staging path)
| File | Change | Blocker | New sha256 |
|---|---|---|---|
bin/dot-staging-sandbox-create |
partial-create self-cleaning EXIT trap; --force disabled |
R2-1, R2-4 | 3694a0b6…e33d23e |
plan/c1-staging-fast-dry-run.plan.sh |
cleanup exit matrix; preselected sandbox id; gate→CODEX_R3_PASS |
R2-2, R2-1(b) | f1f5475c…9e4cb033 |
sql/p6-evidence-readback.sql |
digest spans harness rows; gate+ledger+digest atomic under SHARE locks | R2-3 | 212ebc0e…77c4118 |
bin/_common.sh |
subshell-safe file tracker for remote temps | R2 #5 | c31a1e5d…aee758f |
registry/primitives.jsonl |
revision 3, current hashes, common_sh_sha256, r2 flags |
(evidence) | ccfad13a…b63437ca |
README.md / ROLLBACK.md |
R2 fail-closed contract + rollback notes | (docs) | d02b2d0c… / fb8bb6a3… |
ledger/dot_manage.jsonl |
seq 8 (patch_r2) + seq 9 (revalidation) | (evidence) | a2f2f68c… |
All other primitives/SQL are byte-identical to R1 (verified by sha256).
Reports
00 index; 01 R2 findings; 02 before snapshot; 03 fix P1 partial cleanup; 04 fix plan P2 not swallowed; 05 fix P6 digest harness; 06 fix P1 force; 07 static/no-write validation; 08 Codex-style self-review; 09 after snapshot; 10 final decision.
Hard locks honored
No dry-run; no P1→P3→P4→P5→P6→P2 run; no staging DB; no official dot_tools/CAT-006/dot_agent_api_contract change; no APR-0415 approve/execute; no dot-apr-approve; no promotion; no production. Scope stayed inside /opt/incomex/staging/c1/.