KB-1A4B

C1 Staging Codex R3 — Injection and Sandbox Review

Revision 1 · read-only · 2026-06-23
Tags: c1-staging-codex-r3

04 — INJECTION AND SANDBOX REVIEW

  • Injection remains fixed: psql receives an explicit argv and a quoted "$@"; no user-supplied data is re-parsed by a shell.
  • The sandbox_id regex is exact (whole-value match) and is enforced before any DB use.
  • sandbox_db is derived from sandbox_id, and the plan verifies that both equal CAND.
  • TTL syntax is validated.
  • SANDBOX_JSON is emitted only after the P1 postconditions hold.
  • The R3-SELF-1 fix is valid: candidate existence is checked read-only, and the cleanup SBX stays empty until P1 returns zero, so a same-minute losing run cannot drop the winner.
  • P1 partial failure is safe for normal trappable failures: P1_CREATED_DB is armed only after CREATE succeeds, and the EXIT trap compensates until P1_DONE is set (an untrappable termination such as SIGKILL is outside this guarantee).
  • --force is disabled.
  • P2 rejects official/non-staging targets and requires active in-sandbox provenance.

No injection, SBX, P1-cleanup, target-ownership, or drop-guard rejection is warranted.
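As an added illustration of the controls signed off above (this is example code written for this note, not the reviewed script), the POSIX sh sketch below puts the reviewed patterns side by side: an exact sandbox_id regex and a validated TTL, sandbox_db derived from sandbox_id and checked against CAND, every psql call routed through one wrapper that forwards an explicit argv with "$@", and P1_CREATED_DB armed only after CREATE with the EXIT trap compensating until P1_DONE. Every name here (SANDBOX_ID_RE, TTL_RE, validate_*, derive_sandbox_db, verify_plan, db_exec, p1_run, p1_compensate, P1_LOG, the demo functions) and both regexes are assumptions; fake_psql is a constructed stand-in for psql that only records its argv, so the whole thing runs offline.

```shell
#!/bin/sh
# Added illustration of the controls signed off above; not the reviewed script.
# Assumed names: SANDBOX_ID_RE, TTL_RE, match_exact, validate_*, derive_sandbox_db,
# verify_plan, db_exec, fake_psql, P1_LOG, p1_compensate, p1_run, argv_demo, p1_demo.
set -eu

SANDBOX_ID_RE='^sbx_[a-z0-9]{8}$'   # assumed pattern; anchored both ends, so exact
TTL_RE='^[1-9][0-9]{0,2}[mhd]$'     # assumed TTL syntax: count plus one unit (90m, 12h, 3d)
NL='
'

# grep is line-oriented: a value carrying a newline is refused before the regex runs,
# otherwise "sbx_ab12cd34<newline>anything" would pass on its first line.
match_exact() {  # $1=value  $2=ERE
  case $1 in ''|*"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq "$2"
}
validate_sandbox_id() { match_exact "$1" "$SANDBOX_ID_RE"; }
validate_ttl()        { match_exact "$1" "$TTL_RE"; }

# sandbox_db is never read from input; it is derived from the validated sandbox_id.
derive_sandbox_db() { printf 'stg_%s\n' "$1"; }

# Plan check: the id we act on is the plan's CAND and the db is derive(CAND).
verify_plan() {  # $1=sandbox_id  $2=sandbox_db  $3=CAND
  [ "$1" = "$3" ] && [ "$2" = "$(derive_sandbox_db "$3")" ]
}

# One wrapper for every psql call: explicit argv forwarded with "$@", no eval,
# no sh -c, no unquoted expansion, so a hostile value stays a single argument.
PSQL=${PSQL:-fake_psql}             # set PSQL=psql to run against a real server
db_exec() { "$PSQL" -X -q -v ON_ERROR_STOP=1 "$@"; }

# Constructed stand-in for psql so the example runs offline: records its argv one
# per line in $P1_LOG and fails on an argument containing $FAKE_PSQL_FAIL_ON.
P1_LOG=${P1_LOG:-$(mktemp)}
fake_psql() {
  for a in "$@"; do
    printf '%s\n' "$a" >>"$P1_LOG"
    case $a in *"${FAKE_PSQL_FAIL_ON:-__never__}"*) return 1 ;; esac
  done
}

# Compensation runs from the EXIT trap and drops the candidate only when CREATE
# succeeded (P1_CREATED_DB armed) and P1 did not finish (P1_DONE unset).
p1_compensate() {
  if [ -n "${P1_CREATED_DB:-}" ] && [ -z "${P1_DONE:-}" ]; then
    db_exec -d postgres -c "DROP DATABASE IF EXISTS $P1_CREATED_DB" || true
  fi
}

# P1: validate, create, mark; SANDBOX_JSON is printed only after the postconditions.
p1_run() {  # $1=sandbox_id  $2=ttl  $3=CAND
  validate_sandbox_id "$1" || { echo "p1: invalid sandbox_id" >&2; return 2; }
  validate_ttl "$2"        || { echo "p1: invalid ttl" >&2; return 2; }
  sandbox_db=$(derive_sandbox_db "$1")
  verify_plan "$1" "$sandbox_db" "$3" || { echo "p1: plan/CAND mismatch" >&2; return 2; }
  P1_CREATED_DB='' P1_DONE=''
  trap p1_compensate EXIT
  db_exec -d postgres -c "CREATE DATABASE $sandbox_db" || return 1   # nothing to undo yet
  P1_CREATED_DB=$sandbox_db     # armed: any trappable abort from here drops the candidate
  db_exec -d "$sandbox_db" -c "COMMENT ON DATABASE $sandbox_db IS 'ttl=$2'" || exit 1
  P1_DONE=1                     # postconditions met; the trap is now a no-op
  printf '{"sandbox_id":"%s","sandbox_db":"%s","ttl":"%s"}\n' "$1" "$sandbox_db" "$2"
}

# Demo 1: a shell-looking value passed through db_exec is logged as one argv element.
argv_demo() {
  : >"$P1_LOG"
  db_exec -c 'SELECT 1; touch /tmp/owned $(id)'
  tail -n 1 "$P1_LOG"
}

# Demo 2: fail the step after CREATE; expect exactly one compensating DROP.
p1_demo() {
  : >"$P1_LOG"
  rc=0
  ( FAKE_PSQL_FAIL_ON=COMMENT; p1_run sbx_ab12cd34 12h sbx_ab12cd34 ) || rc=$?
  [ "$rc" -eq 1 ] && grep -c '^DROP DATABASE IF EXISTS stg_sbx_ab12cd34$' "$P1_LOG"
}

echo "psql saw as one argument: $(argv_demo)"
echo "compensating DROPs after a failure past CREATE: $(p1_demo)"
```

Two design points worth noting. The step after CREATE fails with exit rather than return, so the EXIT trap, not the caller, owns compensation and a forgotten status check cannot leave the candidate behind; this is exactly the "trappable failure" scope the review names, and a SIGKILL or host loss still bypasses it. The regex helper rejects embedded newlines before calling grep, because a line-oriented matcher would otherwise accept a value whose first line is well-formed.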

Source: knowledge/dev/laws-new/reports/c1-staging-codex-r3-final-review-before-dry-run/04-injection-and-sandbox-review.md