08 — ATTACK SCENARIOS

Attack	Classification
A1 shell injection sandbox id	refuted by evidence
A2 sandbox_db mismatch	refuted by evidence
A3 plan without CODEX_R3_PASS	refuted; live rc64
A4 P1 partial orphan	refuted for trappable failures
A5 early JSON	refuted
A6 cleanup fail exit0	refuted by exit matrix
A7 P2 official drop	refuted; live rc4
A8 --force blind drop	refuted; live rc4
A9 same-minute foreign drop	refuted by delayed SBX arming
A10 accepted bad input PASS	refuted
A11 unexpected exception PASS	refuted
A12 P6 without P5 success	confirmed: pre-gate ledger can masquerade as DONE; fix required
A13 digest omits harness	refuted
A14 hidden official write	refuted
A15 official registry write	refuted
A16 hardcoded secret	refuted by evidence
A17 PASS after partial failure	confirmed for ignored P3/P4 fatal exits; reject
A18 automatic TTL overclaim	refuted; docs honest
A19 cleanup failure warning-only	refuted
A20 unstamped/ambiguous staging completion	confirmed: upstream ledger semantics are pre-gate; fix required

No-write hostile commands left staging_DBs=0.