KB-702E

C1 Staging Codex R2 — Plan, Drop, TTL, Runtime

2 min read. Revision 1. Tags: c1stagingcodex-r2, read-only. Date: 2026-06-23.

08 — PLAN / DROP / TTL / OFFICIAL RUNTIME REVIEW

Plan gate

PASS: the plan requires the exact value C1_STAGING_DRY_RUN_CONFIRM=CODEX_R2_PASS; strict mode and pipefail are enabled; without the gate the script exits with rc=64 and creates no evidence path.

Blocking cleanup status

EXIT cleanup uses:

local rc=$?                    # rc of whatever triggered the exit, captured before cleanup runs
P2 ... || echo CLEANUP_WARN    # a P2 failure only prints a warning
exit "$rc"                     # re-exits with the original rc, so P2's result is discarded

If the primitives succeeded (rc=0) but P2 fails, the plan prints DRY_RUN_PRIMITIVES_OK, warns, and exits 0 while a sandbox DB is still live. This explicitly hides cleanup failure.

Required fix: the normal success path must run P2 to completion and confirm a final staging-DB count of 0 before emitting overall success. The trap remains a fallback for abnormal exits, and a cleanup failure must force a nonzero exit code.
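The following is an added shell example, not the codex's own plan script. It models the three points above in one runnable file: the plan gate (exact confirm token or rc=64 with nothing touched), a success path that only reports success after a blocking P2 plus a staging-DB count that reads back as 0, and an EXIT trap that stays a fallback and can never turn a cleanup failure into rc=0. The names stg_primitives, stg_cleanup_p2, staging_db_count, on_exit, the exit codes 65/66/70 and the STATE_FILE stand-in for the database list are all assumptions made for the example; FORCE_P2_FAIL and SIMULATE_ABORT are test hooks that exist only to exercise the failure paths.

```shell
#!/bin/sh
# Added example, not the codex's own plan script. Models:
#   1. the plan gate: exact C1_STAGING_DRY_RUN_CONFIRM token or rc=64, nothing touched;
#   2. success only after a blocking P2 cleanup and a staging-DB count that reads back as 0;
#   3. an EXIT trap kept as a fallback for abnormal exits that never hides a cleanup failure.
# stg_primitives, stg_cleanup_p2, staging_db_count, on_exit and STATE_FILE are constructed stand-ins.
set -eu
( set -o pipefail ) 2>/dev/null && set -o pipefail

GATE_TOKEN='CODEX_R2_PASS'
STATE_FILE="${STATE_FILE:-$(mktemp)}"   # one line per live staging DB (stand-in for the DB list)
: > "$STATE_FILE"

staging_db_count() { wc -l < "$STATE_FILE" | tr -d ' '; }
stg_primitives()   { echo sbx_demo_01 >> "$STATE_FILE"; }   # creates one sandbox DB
stg_cleanup_p2() {                                           # P2: drops the sandbox DB
    [ "${FORCE_P2_FAIL:-0}" != 1 ] || return 1              # test hook: simulate a P2 failure
    : > "$STATE_FILE"
}

# BEFORE: the pattern the review flags. The trap warns when P2 fails but re-exits with the
# primitives' rc, so the plan reports rc=0 while a sandbox DB is still live.
plan_flawed() (
    trap 'rc=$?; stg_cleanup_p2 || echo CLEANUP_WARN; exit "$rc"' EXIT
    stg_primitives
    echo DRY_RUN_PRIMITIVES_OK
    exit 0
)

# Fallback EXIT handler for the fixed plan: run P2 and, if it fails, force a nonzero rc.
on_exit() {
    rc=$1
    if ! stg_cleanup_p2; then
        echo CLEANUP_FAILED >&2
        [ "$rc" -ne 0 ] || rc=70
    fi
    exit "$rc"
}

# AFTER: gate first, blocking P2 plus count readback before success, trap only as fallback.
# Exit codes (assumed): 64 gate missing, 65 P2 failed, 66 readback nonzero, 70 cleanup failed in trap.
plan_fixed() (
    if [ "${C1_STAGING_DRY_RUN_CONFIRM:-}" != "$GATE_TOKEN" ]; then
        echo "GATE_MISSING: need C1_STAGING_DRY_RUN_CONFIRM=$GATE_TOKEN" >&2
        exit 64                                                    # no trap yet, nothing created
    fi
    trap 'on_exit $?' EXIT
    stg_primitives
    echo DRY_RUN_PRIMITIVES_OK
    [ "${SIMULATE_ABORT:-0}" != 1 ] || exit 1                       # test hook: abnormal exit path
    stg_cleanup_p2 || { echo P2_FAILED >&2; exit 65; }               # blocking, not best-effort
    [ "$(staging_db_count)" -eq 0 ] || { echo READBACK_NONZERO >&2; exit 66; }
    echo DRY_RUN_OK                                                  # only here is success emitted
    exit 0
)

# Stand-alone demo: prints rc and leftover-DB count per scenario, then resets the hooks.
run_case() {   # $1 label, $2 plan function
    rc=0; "$2" >/dev/null 2>&1 || rc=$?
    echo "$1: rc=$rc live_dbs=$(staging_db_count)"
    : > "$STATE_FILE"; FORCE_P2_FAIL=0; SIMULATE_ABORT=0
}
FORCE_P2_FAIL=1;               run_case "flawed plan, P2 fails" plan_flawed     # rc=0 live_dbs=1
C1_STAGING_DRY_RUN_CONFIRM=''; run_case "fixed plan, gate missing" plan_fixed   # rc=64 live_dbs=0
C1_STAGING_DRY_RUN_CONFIRM=CODEX_R2_PASS
                               run_case "fixed plan, clean run" plan_fixed      # rc=0 live_dbs=0
FORCE_P2_FAIL=1;               run_case "fixed plan, P2 fails" plan_fixed       # rc=65 live_dbs=1
SIMULATE_ABORT=1;              run_case "fixed plan, abnormal exit" plan_fixed  # rc=1 live_dbs=0
```

The flawed and fixed plans differ only in where cleanup sits: in the flawed one it lives solely in the trap, which by construction reports the pre-cleanup rc; in the fixed one P2 and the count readback are ordinary steps on the success path, and the trap only catches exits that never reached them. Note that the fixed plan uses explicit `|| exit N` checks rather than relying on errexit, because errexit is suppressed inside a function invoked from a `||` or `if` context.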

Drop guard

P2 itself is safe: empty, off-limits and malformed names are rejected; the name regex is strict; the DB must have an active sbx_meta registry entry; the success ledger is written only after readback.

However, P1 --force calls stg_drop_db directly for any existing DB whose name matches the regex, bypassing the active-registry/provenance check. Remove --force, or require the same P2 provenance gate before any destructive action.
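The following is an added shell example, not the codex's own code, covering the two drop-guard points above. It models the P2 guard (non-empty name, off-limits list, strict regex, active sbx_meta entry, ledger only after readback) and sets it beside the flagged P1 --force behaviour that drops any regex-matching DB without the registry check, then shows a P1 that routes every destructive call through the guard. The registry and DB-list files, the name pattern SBX_NAME_RE, the off-limits list, the function names and the exit codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the codex's own code. Models the P2 drop guard and the P1 --force bypass
# described in the review. Registry/DB-list files, name pattern, off-limits list and
# exit codes are constructed stand-ins.
set -eu

SBX_NAME_RE='^sbx_[a-z0-9_]{3,40}$'      # strict allow-list for staging DB names
OFF_LIMITS='production main official'     # never dropped, whatever flags are passed

# Constructed sbx_meta stand-in: "<db_name> <status>" per line. Only "active" rows count as provenance.
REGISTRY="${REGISTRY:-$(mktemp)}"
printf '%s\n' 'sbx_codex_01 active' 'sbx_codex_02 retired' > "$REGISTRY"
LEDGER="$REGISTRY.ledger"; : > "$LEDGER"

# Constructed list of databases that currently exist, one name per line.
# sbx_orphan_03 matches the regex but was never registered.
DB_LIST="${DB_LIST:-$(mktemp)}"
printf '%s\n' sbx_codex_01 sbx_codex_02 sbx_orphan_03 production > "$DB_LIST"

registry_active() { grep -qx "$1 active" "$REGISTRY"; }
db_exists()       { grep -qx "$1" "$DB_LIST"; }
drop_primitive()  { grep -vx "$1" "$DB_LIST" > "$DB_LIST.tmp" || :; mv "$DB_LIST.tmp" "$DB_LIST"; }
ledger_count()    { wc -l < "$LEDGER" | tr -d ' '; }

# P2 guard. Exit codes (assumed): 2 empty/bad name, 3 off-limits, 4 no active registry entry
# or unknown DB, 5 readback still lists the DB. The ledger line is written only after readback.
stg_drop_db_guarded() {
    name=${1:-}
    [ -n "$name" ] || { echo 'REJECT empty name' >&2; return 2; }
    for o in $OFF_LIMITS; do
        [ "$name" != "$o" ] || { echo "REJECT off-limits: $name" >&2; return 3; }
    done
    printf '%s\n' "$name" | grep -Eq "$SBX_NAME_RE" || { echo "REJECT bad name: $name" >&2; return 2; }
    registry_active "$name" || { echo "REJECT no active sbx_meta entry: $name" >&2; return 4; }
    db_exists "$name"       || { echo "REJECT unknown db: $name" >&2; return 4; }
    drop_primitive "$name"
    if db_exists "$name"; then echo "DROP_FAILED readback still lists $name" >&2; return 5; fi
    echo "DROPPED $name" >> "$LEDGER"
}

# BEFORE: the P1 --force behaviour the review flags. Any existing DB whose name matches the
# regex is dropped with no registry/provenance check, so an unregistered orphan goes too.
p1_force_drop_unguarded() {
    printf '%s\n' "$1" | grep -Eq "$SBX_NAME_RE" || return 2
    db_exists "$1" || return 4
    drop_primitive "$1"
}

# AFTER: --force changes nothing about the guard; every destructive call goes through P2's checks.
p1_drop() {
    [ "${1:-}" = --force ] && shift
    stg_drop_db_guarded "${1:-}"
}

# Stand-alone demo of the guard's decisions (each call prints its rc).
for n in '' production 'sbx_x;y' sbx_codex_02 sbx_orphan_03; do
    rc=0; stg_drop_db_guarded "$n" 2>/dev/null || rc=$?
    echo "guard '$n' -> rc=$rc"                      # 2, 3, 2, 4, 4
done
rc=0; p1_drop --force sbx_orphan_03 2>/dev/null || rc=$?
echo "p1_drop --force sbx_orphan_03 -> rc=$rc"        # 4: still refused
```

The guard's decisions are ordered so that the cheapest and most absolute rejections come first (empty, off-limits, malformed), the provenance check comes before any destructive primitive, and the ledger is written only once readback confirms the DB is gone. Routing p1_drop through the same function is what closes the bypass: the flag can change prompting, never the gate.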

TTL

Honest: a typed expires_at field exists; the docs clearly state there is no timer and that cleanup is P2, the trap, or manual. No automatic TTL is claimed.

Fresh official output at 08:56:57Z

dot_tools=309; contracts=2; table_registry=21; gba=0; approval_requests=231; apr_action_types=14; official C1 dot rows=0; contracts=0; canonical_operation tables=0; authorize_build_step=unimplemented; APR-0415=pending; staging DBs=0; database list unchanged.

Source: knowledge/dev/laws-new/reports/c1-staging-codex-r2-review-before-dry-run/08-plan-drop-ttl-runtime-review.md