KB-2A5B
Static / No-Write Validation
Revision 1
c1, staging, codex-r2-fix, validation, static-no-write, 2026-06-23
07 — STATIC / NO-WRITE VALIDATION
All checks are static or read-only. No staging DB was created; the dry-run/pipeline was not run; no SQL was executed against any created DB; official runtime was read-only.
Syntax
- bash -n on all 8 shell files: 8/8 OK (7 bin + plan).
- shellcheck -S warning -x (VPS): clean at warning/error level (only pre-existing info notes SC2015/SC1091, identical idioms to the R1-accepted originals).
Injection / shell-safety (unchanged guarantee preserved)
- grep -nE "eval|sh -lc|sh -c|\$*" over all shell files, excluding comments: NO non-comment hits.
- psql is invoked as explicit argv (docker exec postgres psql … "$@" -f "$rmt"); the only $@ is the quoted argv passthrough.
Guard self-tests (all exit BEFORE any CREATE DATABASE — read-only at most)
PASS [create-no-args->admission] exit=3
PASS [create--force-DISABLED(R2-4)] exit=4
PASS [create-offlimits-name] exit=4
PASS [create-bad-ttl] exit=4
PASS [create-bad-name-regex] exit=4
PASS [create-unknown-arg] exit=2
PASS [drop-offlimits] exit=4
PASS [drop-nonexistent->NO_OP] exit=0
PASS [vocab-nonexistent->deny] exit=5
GUARD_SELF_TESTS: 9/9 PASS
staging_dbs after guard tests = 0
R2 #5 subshell-tracker proof (no DB)
OLD array seen by parent: 0 entries -> [] (the bug)
NEW file seen by parent: 2 entries -> [remote_tmp_A remote_tmp_B] (fixed)
p1_on_exit references stg_cleanup_remote_tmps in both exit branches (chained because the P1 trap overrides the common one).
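The scoping behaviour behind the R2 #5 proof, as an added example that is not the project's own code: an array append made inside a command substitution is lost when that subshell exits, a tracker file survives it, and a later EXIT trap replaces an earlier one unless it chains the common cleanup. All function and variable names are hypothetical stand-ins, and the temp names are constructed to mirror the proof output above.

```bash
#!/usr/bin/env bash
# Added illustration: every name here is a hypothetical stand-in, not the
# project's _common.sh. Temp names are constructed sample values.

TRACK_ARRAY=()   # OLD tracker: in-memory array
TRACK_FILE=""    # NEW tracker: path to a file, one temp name per line

# OLD: the append lands in whichever shell process runs the function.
register_old() { TRACK_ARRAY+=("$1"); printf '%s\n' "$1"; }

# NEW: the append goes to a file, so it outlives the subshell.
register_new() { printf '%s\n' "$1" >>"$TRACK_FILE"; printf '%s\n' "$1"; }

# Capturing the returned name with $(...) forks a subshell for the call.
old_seen_by_parent() {
  TRACK_ARRAY=()
  local a b   # the caller would keep these names for later use
  a=$(register_old remote_tmp_A)
  b=$(register_old remote_tmp_B)
  printf '%s\n' "${#TRACK_ARRAY[@]}"   # both appends died with their subshells
}

new_seen_by_parent() {
  TRACK_FILE=$(mktemp) || return 1
  local a b line
  local -a seen=()
  a=$(register_new remote_tmp_A)
  b=$(register_new remote_tmp_B)
  while IFS= read -r line; do seen+=("$line"); done <"$TRACK_FILE"
  rm -f -- "$TRACK_FILE"
  printf '%s: %s\n' "${#seen[@]}" "${seen[*]}"
}

# A later `trap ... EXIT` replaces the earlier handler, so the overriding
# handler has to call the common cleanup itself.
trap_chain_demo() {
  (
    common_cleanup() { echo "common-cleanup"; }
    phase_on_exit()  { echo "phase-exit"; common_cleanup; }
    trap common_cleanup EXIT
    trap phase_on_exit EXIT    # overrides the trap set on the line above
  )
}

printf 'OLD array seen by parent: %s entries\n' "$(old_seen_by_parent)"
printf 'NEW file seen by parent:  %s\n' "$(new_seen_by_parent)"
```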
SQL structure (p6, static)
- dollar-quote tags balanced: $f$=2, $g$=2, $d$=0. BEGIN;/COMMIT; balanced 2/2. LOCK TABLE canonical_operation, c1_test_results IN SHARE MODE present.
- digest references c1_test_results; combined_md5 + harness_md5 present; persisted-digest INSERT present.
- harness column names match the P5 c1_test_results schema.
Hashes — exactly 4 source files changed; all else byte-identical to R1
CHANGED:
bin/_common.sh 1b2d13d0… -> c31a1e5d04eeb1b808c15ede0778dc67b492fb7124ee0f8423e2608b8aee758f
bin/dot-staging-sandbox-create 5af96529… -> 3694a0b6d35cc761637826537bfb04375b12a2db4b98b13954beeec90e33d23e
sql/p6-evidence-readback.sql 189b9bcb… -> 212ebc0e23c6f8996d76411f4f1e09a78b901dae1eb5bf1fd8f6c3da977c4118
plan/c1-staging-fast-dry-run.plan.sh eec41b1c… -> f1f5475c3a39d2aecfad6a0e263ee3b7925043851db7a2488385b18b9e4cb033
UNCHANGED (sha256 == R1): dot-staging-sandbox-drop, dot-c1-staging-vocab-build/-verify/-bad-input-harness/-evidence-readback,
p1a-create-db.sql, p1b-meta.sql, p3-vocab-build.sql, p4-verify.sql, p5-bad-input-harness.sql
GOVERNANCE (regenerated): README.md d02b2d0c…, ROLLBACK.md fb8bb6a3…, registry/primitives.jsonl ccfad13a…, ledger a2f2f68c…
Local (scratchpad) sha256 == remote (deployed) sha256, 7/7 for the changed+regenerated files.
JSONL validity
- registry/primitives.jsonl: 6 lines, all valid JSON (jq -e).
- ledger/dot_manage.jsonl: 9 lines, all valid JSON, seq 1–9 contiguous (added seq 8 patch_r2, seq 9 static_no_write_revalidation_r2).
Boundary
No CREATE DATABASE; staging_dbs=0 before/during/after; no official dot_tools/CAT-006/dot_agent_api_contract write; no APR/quorum/grant; no /opt/incomex/dot/bin deploy. All edits under /opt/incomex/staging/c1/. Temp files used on the VPS were under /tmp and removed.