KB-7B05
Codex R2 Findings → Fix Mapping
Revision 1
c1stagingcodex-r2-fixfindings2026-06-23
01 — CODEX R2 FINDINGS → FIX MAPPING
Source: knowledge/dev/laws-new/reports/c1-staging-codex-r2-review-before-dry-run/ (verdict CODEX_HOLD_C1_STAGING_R2_NEEDS_FIXES_BEFORE_DRY_RUN).
| # | Codex R2 finding (close paraphrase) | Fix | Status |
|---|---|---|---|
| R2-1 | "P1 partial failure can leave DB while trap lacks SBX." P1 assigned SBX only after success, so a post-create failure before SANDBOX_JSON left a live DB the plan could not clean. | P1 derives and validates the candidate id before any DB op, arms P1_CREATED_DB the instant the DB exists, and an EXIT trap compensating-drops it on any failure before P1_DONE; created=true only after all postconditions hold; cleanup failure → exit 70. The plan also preselects the id and passes it to P1 (report 05, option b). | FIXED |
| R2-2 | "P2 failure can be swallowed and plan exit 0." cleanup did `P2 … \|\| echo CLEANUP_WARN; exit "$rc"`, so a P2 failure on a passing run still exited 0 with a live sandbox. | | |
| R2-3 | "P6 false-PASS PARTIAL — digest omits harness rows." c1_digest() hashed only canonical_operation, and gate and digest were separate statements (TOCTOU). | c1_digest() now hashes canonical_operation and c1_test_results (case_no, expect_code, expect_state, outcome, reject_code, sqlstate, pass); gate, evidence ledger and digest run in one transaction under SHARE locks; the digest is persisted in-transaction and then read back; no digest is written on gate failure. | FIXED |
| R2-4 | "P1 --force bypasses active-registry provenance." --force called stg_drop_db on any regex-matching DB with no registry/provenance check. | --force is disabled (fails closed at parse); a pre-existing sandbox fails closed and instructs governed P2 cleanup, which enforces the active sbx_meta registry/provenance gate. No blind drop in the create path. | FIXED |
| R2-5 | "Remote-temp tracking is lost through command substitution, so the claimed EXIT cleanup is ineffective on early failure." STG_REMOTE_TMPS+=() ran inside the rmt="$(stg_remote_mktemp)" subshell and was discarded. | _common.sh tracks remote temp paths in a host-side file (inherited across $(...)), so the EXIT trap reliably removes them. Proven: old array=0 entries, new file=2 entries. | FIXED |
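The R2-1 and R2-2 shapes, as an added example that is not the page's P1/P2 scripts: a P1-style create that validates the id before any DB op, arms P1_CREATED_DB the moment the DB exists and compensating-drops it from the EXIT trap on any failure before P1_DONE (exit 70 when the drop itself fails, the page's convention), next to a plan wrapper that refuses to report success while P2 cleanup failed. The "database" is a directory under a constructed $DBROOT, the SANDBOX_JSON line is a stand-in, stg_create_db/stg_drop_db/p2_drop are local stand-ins for the real helpers, and returning 1 from plan_finish on cleanup failure is this example's choice, not the project's.

```sh
#!/bin/sh
# Added example, not the page's P1/P2 code. A "DB" is a directory under $DBROOT.
DBROOT="$(mktemp -d)"
stg_create_db() { mkdir -- "$DBROOT/$1"; }
stg_drop_db()   { rmdir -- "$DBROOT/$1"; }      # fails if the "DB" is non-empty
db_exists()     { [ -d "$DBROOT/$1" ]; }

# p1_create ID MODE     MODE: ok | fail-after-create | fail-and-drop-fails
# exit 0 on success; the failing step's code when compensation succeeded;
# 70 when the compensating drop itself failed (the page's convention).
p1_create() {
  (
    id="$1"; mode="$2"
    P1_CREATED_DB=""; P1_DONE=""
    p1_exit_trap() {
      rc=$?                                    # status of the exit that fired the trap
      if [ -n "$P1_DONE" ]; then exit "$rc"; fi
      if [ -n "$P1_CREATED_DB" ]; then
        # Compensate: never leave a live DB that no SBX was handed back for.
        if ! stg_drop_db "$P1_CREATED_DB"; then exit 70; fi
      fi
      exit "$rc"
    }
    trap p1_exit_trap EXIT
    # 1. derive+validate the candidate id before touching the DB
    case "$id" in
      ""|*[!a-z0-9_]*) echo "P1: bad sandbox id" >&2; exit 2 ;;
    esac
    # 2. arm the trap the instant the DB exists
    stg_create_db "$id" || exit 1
    P1_CREATED_DB="$id"
    if [ "$mode" = fail-and-drop-fails ]; then : >"$DBROOT/$id/row"; fi   # makes rmdir fail
    if [ "$mode" != ok ]; then echo "P1: post-create step failed" >&2; exit 1; fi
    # 3. only now hand the sandbox back and mark the run done
    printf 'SANDBOX_JSON={"sbx":"%s"}\n' "$id"
    P1_DONE=1
  )
}

# Governed cleanup stand-in (the real P2 also checks the sbx_meta registry).
p2_drop() { stg_drop_db "$1"; }

# R2-2, broken shape:  P2 … || echo CLEANUP_WARN; exit "$rc"
# A P2 failure only warns; the run's rc (0 on a passing run) is what gets returned.
broken_finish() {
  bf_rc="$1"; bf_id="$2"
  p2_drop "$bf_id" || echo CLEANUP_WARN >&2
  return "$bf_rc"
}

# Fixed shape: a failed P2 is folded into the plan's exit status.
plan_finish() {
  pf_rc="$1"; pf_id="$2"
  if ! p2_drop "$pf_id"; then
    echo "CLEANUP_FAIL: sandbox $pf_id still live" >&2
    if [ "$pf_rc" -eq 0 ]; then return 1; fi   # never exit 0 with a live sandbox (1 is this example's choice)
  fi
  return "$pf_rc"
}
```

The ordering inside p1_create is the whole point: the trap is installed before the create, the flag is set on the very next line after it, and P1_DONE is set only after SANDBOX_JSON has been emitted, so every failure window between create and hand-back is covered by the compensating drop.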
The R2 report also confirmed that the R1 fixes held (injection removed, SBX JSON capture, P5 exact/fatal oracle, P6 fatal gate, honest TTL). This round did not regress them: the corresponding files are byte-identical except where a blocker required a change.
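The R2-5 mechanism, as an added example that is not the page's _common.sh: an append to shell state from inside `$(...)` runs in the child shell and is discarded, while a path written to a host-side ledger file whose name the child inherits survives, so an EXIT trap can act on it. Local mktemp/rm stand in for the remote (ssh) mktemp/rm, the ledger variable STG_TMP_LEDGER and the function names are this example's, and the counts reproduce the page's "old=0, new=2" claim. The broken variant uses a newline-joined string instead of the bash array so the block stays POSIX sh.

```sh
#!/bin/sh
# Added example, not the page's _common.sh. Counts lines on stdin (POSIX, no wc padding).
count_lines() { n=0; while IFS= read -r _l; do n=$((n+1)); done; printf '%d\n' "$n"; }

# --- broken: record the path in shell state from inside command substitution
STG_REMOTE_TMPS=""                       # stand-in for the bash array STG_REMOTE_TMPS+=()
broken_remote_mktemp() {
  p="$(mktemp)"                          # stands in for `ssh host mktemp`
  STG_REMOTE_TMPS="${STG_REMOTE_TMPS}${p}
"                                        # happens in the $(...) child; the parent never sees it
  printf '%s\n' "$p"
}
broken_tracked_count() {
  STG_REMOTE_TMPS=""
  a="$(broken_remote_mktemp)"; b="$(broken_remote_mktemp)"
  rm -f -- "$a" "$b"                     # nothing was tracked, so tidy up by hand here
  printf '%s' "$STG_REMOTE_TMPS" | count_lines     # 0 entries
}

# --- fixed: the child inherits $STG_TMP_LEDGER and appends to the file
STG_TMP_LEDGER=""
stg_ledger_init() { STG_TMP_LEDGER="$(mktemp)"; }
stg_remote_mktemp() {
  p="$(mktemp)"                          # stands in for `ssh host mktemp`
  printf '%s\n' "$p" >>"$STG_TMP_LEDGER" # file write survives the subshell
  printf '%s\n' "$p"
}
stg_tracked_count() { count_lines <"$STG_TMP_LEDGER"; }
# EXIT-trap body: remove every tracked path, then the ledger; prints how many it removed
stg_cleanup_remote_tmps() {
  removed=0
  if [ -z "$STG_TMP_LEDGER" ] || [ ! -f "$STG_TMP_LEDGER" ]; then printf '0\n'; return 0; fi
  while IFS= read -r p; do
    if rm -f -- "$p"; then removed=$((removed+1)); fi   # stands in for `ssh host rm -f`
  done <"$STG_TMP_LEDGER"
  rm -f -- "$STG_TMP_LEDGER"
  printf '%d\n' "$removed"
}
# In a script: stg_ledger_init; trap stg_cleanup_remote_tmps EXIT; rmt="$(stg_remote_mktemp)"
```

Because the trap reads the ledger from disk rather than from a variable, it also works for paths created in any nested subshell or pipeline stage, not only in `$(...)`; the one thing that must happen in the parent shell is stg_ledger_init.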