KB-41AF

C1 Staging Codex Review — Dry-Run Plan Review

Revision 1 | 2026-06-23 | Tags: c1, staging, codex-review, read-only

05 — DRY-RUN PLAN REVIEW

The intended order P1 → P3 → P4 → P5 → P6 → P2 is correct. The published command block is neither exact nor runnable.

Blocking plan defects

  1. SBX=c1_staging_<ts> is a placeholder, not a value captured from P1 output.
  2. No set -euo pipefail; later stages may run after an earlier logical failure.
  3. No cleanup trap; a failed P3/P4/P5/P6 leaves the sandbox DB behind until someone drops it manually.
  4. “or let the 24h TTL retire it” is false; no automatic TTL worker exists.
  5. P4/P5/P6 return success for logical failure because their sentinels are output only.

Required command-plan shape

#!/usr/bin/env bash
set -euo pipefail
BIN=/opt/incomex/staging/c1/bin
SBX=   # stays empty until P1 output has been parsed and validated

# P2 on any exit path (success, failure, signal) once a sandbox id exists.
cleanup() {
  [ -z "$SBX" ] || "$BIN/dot-staging-sandbox-drop" --sandbox-id "$SBX"
}
trap cleanup EXIT

# P1: create the sandbox, keep its full output, take the last SANDBOX_READY id.
P1_OUT=$("$BIN/dot-staging-sandbox-create" --purpose "C1 fast dry-run" --owner nmhuyen@gmail.com --ttl 24h)
printf '%s\n' "$P1_OUT"
SBX=$(printf '%s\n' "$P1_OUT" | sed -n 's/^SANDBOX_READY: //p' | tail -n 1)
# Gate: id must be c1_staging_ + 8 digits + _ + 4 digits, else stop with 70 (the EXIT trap still runs).
[[ "$SBX" =~ ^c1_staging_[0-9]{8}_[0-9]{4}$ ]] || exit 70

# P3 -> P6 in order; set -e stops at the first non-zero exit and the EXIT trap then runs P2.
"$BIN/dot-c1-staging-vocab-build" --sandbox-id "$SBX"
"$BIN/dot-c1-staging-verify" --sandbox-id "$SBX"
"$BIN/dot-c1-staging-bad-input-harness" --sandbox-id "$SBX"
"$BIN/dot-c1-staging-evidence-readback" --sandbox-id "$SBX"

This shape is acceptable only after each primitive has machine-fatal gates (a non-zero exit on logical failure, not just a sentinel line). The production plan should capture evidence before the EXIT trap drops the sandbox, and should then prove that cleanup and readback actually happened.
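Defects 1 and 5 above, as an added example that is not part of the plan or of the C1 primitives: a parser that turns the SANDBOX_READY line into a validated id, and a gate wrapper that converts an output-only sentinel into an exit status so that set -e halts the run. The sentinel string VERIFY_OK, the stand-in commands and the sample P1 output are constructed assumptions, not real primitive output.

```bash
#!/usr/bin/env bash
# Added example, not the page's script. Helpers that close defects 1 and 5.
set -eu

# Print the last SANDBOX_READY id from P1 output; return 70 if it is missing
# or does not have the c1_staging_ + 8 digits + _ + 4 digits shape.
extract_sandbox_id() {
  out="$1"
  id=$(printf '%s\n' "$out" | sed -n 's/^SANDBOX_READY: //p' | tail -n 1)
  printf '%s\n' "$id" | grep -Eq '^c1_staging_[0-9]{8}_[0-9]{4}$' || return 70
  printf '%s\n' "$id"
}

# gate SENTINEL CMD [ARGS...]: run CMD, relay its output, and fail unless the
# command exited 0 AND printed a line equal to SENTINEL. The result is the
# function's return status, which is what set -e can act on (defect 5).
gate() {
  sentinel="$1"; shift
  rc=0
  out=$("$@") || rc=$?
  printf '%s\n' "$out"
  [ "$rc" -eq 0 ] || return "$rc"
  printf '%s\n' "$out" | grep -qxF "$sentinel" || return 71
}

# Constructed P1 output (assumption): the id line is not the last line.
SAMPLE_P1='creating sandbox for owner nmhuyen@gmail.com
SANDBOX_READY: c1_staging_20260623_0915
ttl recorded: 24h'

# Constructed plan step: the real call would be
#   gate VERIFY_OK "$BIN/dot-c1-staging-verify" --sandbox-id "$SBX"
# and, with set -e in force, a missing VERIFY_OK line stops the plan here.
```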

Dual-trigger cleanup requirement

Primary cleanup: EXIT trap/P2. Safety trigger: a scheduled scanner discovers expired c1_staging_* DBs from typed expires_at metadata, invokes governed P2, and alerts on failure. Until both exist, TTL/cleanup is not automatic.
