KB-1662

C1 Staging Codex Review — Code Path Inspection

3 min read Revision 1

c1stagingcodex-reviewread-only2026-06-23

02 — CODE PATH INSPECTION

Fresh VPS evidence

Host: vmi3080463; reviewer used read-only SSH inspection.

Present and executable (0755):

P1 bin/dot-staging-sandbox-create
P2 bin/dot-staging-sandbox-drop
P3 bin/dot-c1-staging-vocab-build
P4 bin/dot-c1-staging-verify
P5 bin/dot-c1-staging-bad-input-harness
P6 bin/dot-c1-staging-evidence-readback

Helper is bin/_common.sh, not root-level _common.sh. All six runners source the actual location correctly. Six SQL payloads are present. bash -n passed.

Staging registry=6 rows; staging ledger=5 rows. Every registry SHA-256 matched the deployed runner. Secret-pattern scan found no hardcoded key/password/token/credential. Official /opt/incomex/dot/bin had 0 staging/sandbox filename matches.

Official runtime protection

Fresh read-only transaction output at 07:44Z:

dot_tools=309
dot_agent_api_contract=2
table_registry=21
governance_build_authorization=0
approval_requests=231
apr_action_types=14
official_c1_dot_tools_rows=0
official_c1_contracts=0
official_canonical_operation_tables=0
authorize_build_step.handler_ref=unimplemented
APR-0415=pending
staging_dbs=0
databases=directus,directus_gov_test_20260602,incomex_metadata,postgres,template0,template1,workflow

This independently confirms official runtime remained protected and no dry-run DB exists.

P1 file-based psql change

The direction is valid: deployed execution uses docker cp + psql -f + </dev/null, so it does not depend on the broken no--i heredoc pattern. Identifier use :"sbx" and literal use :'var' are appropriate.

Implementation is not yet safe enough: stg_run_sql_file interpolates unquoted $* into a new sh -lc command. User-controlled purpose/owner/ttl therefore become shell syntax in the container. Pass arguments as positional argv to a fixed shell program (or invoke psql directly), never by constructing a command string. Remote temp paths should also be created unpredictably inside the container and cleanup trapped.

Drop/TTL observations

The name regex and active registry check prevent a non-staging DB drop. However:

TTL is unvalidated text, not an expires_at timestamp.
No cron/scanner invokes P2; documentation says “After TTL, run A,” so expiry is manual.
P2 records sandbox_drop before drop success; a failed drop creates misleading completion evidence.
The admission report claims registry status is set retired, but deployed P2 does not perform that update.