04 — SAFETY / ATTACK CASES

Case	Result	Evidence
A1 manual SQL bypass	PASS	Load-bearing SQL is invoked only by named staging primitives.
A2 official table write	PASS	Separate DB; current official C1 rows=0.
A3 official registry write	PASS	JSONL staging registry; official dot_tools unchanged at 309.
A4 hidden APR/quorum path	PASS	No such calls in runners/SQL; APR-0415 remains pending.
A5 weak sandbox guard	PASS	Exact ^c1_staging_[0-9]{8}_[0-9]{4}$.
A6 unsafe drop guard	PASS	Regex + active in-DB registry + guard at drop helper.
A7 create not cleanable	PARTIAL	P2 can drop intended DB, but TTL is manual and ledger can claim drop before success.
A8 SBX capture	FAIL	Plan uses literal placeholder SBX=c1_staging_<ts>; not executable capture.
A9 bad-input false pass	FAIL	Any exception is marked pass; sentinel assertions are non-fatal.
A10 P6 after missing/failed stage	FAIL	P6 does not require P4 evidence or exact P5 signals and returns exit 0 on FAIL string.
A11 before/after proof	PASS	Fresh counts match both snapshots; staging DBs=0.
A12 secrets	PASS	Static secret-pattern scan found none.
A13 unsafe assumptions	FAIL	$* is reparsed by sh -lc; TTL/owner/purpose are not constrained.
A14 generic bypass	PASS	Scope is C1 staging-only and separate from official registries.
A15 mutation already happened	PASS for official runtime	Only staging files/KB records exist; no sandbox/official DB mutation found.

Additional evidence integrity defects

• P4, P5, and P6 use output sentinels where fatal gates are required.
• P6 orphan scan checks only public tables (relkind='r'), not registered functions/triggers, and its result cannot block the verdict.
• P2 durable ledger records a completed-sounding drop operation before the drop/readback succeeds.