KB-5006

C1 Staging Codex Review — Final Verdict

Revision 1 | tags: c1, staging, codex-review, read-only | 2026-06-23

06 — FINAL VERDICT

Verdict

CODEX_REJECT_C1_STAGING_BAD_INPUT_FAIL_OPEN

Required final fields

  • top risks reviewed: official isolation, name/drop guard, file-based psql, argument injection, exact bad-input signals, prerequisite sequencing, evidence false-PASS, SBX propagation, TTL cleanup.
  • six primitives complete: NO — six artifacts exist and are invokable, but P4/P5/P6 enforcement is incomplete.
  • official runtime remains protected: YES, confirmed by fresh read-only counts and zero staging DBs.
  • P1 file-based psql fix valid: direction YES; deployed implementation NO until $*/shell reparsing is removed.
  • SBX capture/propagation correct: NO — placeholder only.
  • drop guard safe: YES for target protection; ledger ordering and automatic TTL cleanup still need fixes.
  • bad-input harness fails closed: NO.
  • evidence-readback cannot false-PASS: NO.
  • permission for T2 to run dry-run: NO.
  • ready for promotion: NO.
  • ready for production: NO.

Exact fixes required before review retry

  1. Replace sh -lc "... $* ..." with fixed command + positional argv; constrain purpose/owner/TTL and use unpredictable container temp paths with cleanup trap.
  2. Store typed expires_at; implement primary cleanup plus scheduled safety scanner.
  3. Make P4 exact-set/invariant failures raise and exit nonzero.
  4. Give each P5 case expected reject code and/or SQLSTATE; pass only exact matches; require exactly nine unique cases; raise on any mismatch/residue/acceptance.
  5. Make P6 require successful P3/P4/P5 ledger evidence, all three exact rows validated, exact P5 matrix, and complete orphan checks. Gate before digest; failure must exit nonzero and emit no PASS/digest/seal.
  6. Capture SBX programmatically under strict mode; install cleanup trap; verify final staging DB count returns to zero.
  7. Record drop-attempt and drop-success separately; do not claim retired/drop completion before readback.
  8. Redeploy through the staging lane, refresh SHA/registry/evidence, and request a new read-only Codex review.
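The following POSIX sh sketch is an added illustration, not the reviewed staging lane's own code. It shows the shape of fixes 1 through 4 above: a fixed command with positional argv in place of `sh -lc "... $* ..."`, constrained purpose/owner/TTL fields, an unpredictable temp path with a cleanup trap, a typed expires_at with a safety scanner, and a fail-closed gate over the reject-code matrix. The function names, the field limits, the SQLSTATE values in the demo and the printf stand-in for psql are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not project code). Names, limits and the printf stand-in are assumed.

# --- fix 1: constrained free-text fields ------------------------------------
# purpose/owner: 1-32 chars of [A-Za-z0-9_-]; rejected before reaching any argv.
validate_label() {
  case "$1" in
    "" | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# ttl: whole minutes in 1..1440 (assumed bound).
validate_ttl() {
  case "$1" in
    "" | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 1440 ]
}

# --- fix 1: fixed command, positional argv ----------------------------------
# Stand-in for `psql -v name=value -f file`: the command word is fixed here and every
# caller value is its own argv element, so no shell re-parses it.
run_fixed() {
  printf '[%s]\n' "$@"
}

# The rejected pattern, kept only to make the re-parsing visible: "$*" is pasted into
# a string that a second shell splits again, so one argument becomes several.
legacy_reparse() {
  sh -c "printf '[%s]\n' $*"
}

# --- fixes 1-2: staged job with temp path, cleanup trap and typed expiry ----
STAGE_TMP=
stage_file_job() {
  purpose=$1; owner=$2; ttl=$3; sql=$4
  validate_label "$purpose" || { echo "reject: purpose" >&2; return 2; }
  validate_label "$owner"   || { echo "reject: owner" >&2; return 2; }
  validate_ttl "$ttl"       || { echo "reject: ttl" >&2; return 2; }
  expires_at=$(( $(date +%s) + ttl * 60 ))     # integer epoch, not a free-text duration
  STAGE_TMP=$(mktemp "${TMPDIR:-/tmp}/stage.XXXXXX") || return 3
  trap 'rm -f "$STAGE_TMP"' EXIT                # still cleans up on an unexpected exit
  printf '%s\n' "$sql" > "$STAGE_TMP"
  run_fixed -v "purpose=$purpose" -v "owner=$owner" -v "expires_at=$expires_at" -f "$STAGE_TMP"
  rc=$?
  rm -f "$STAGE_TMP"                            # primary cleanup on the normal path
  return "$rc"
}

# --- fix 2: scheduled safety scanner -----------------------------------------
# stdin lines "<db_name> <expires_at_epoch>"; prints names expired at or before $1.
scan_expired() {
  now=$1
  while read -r name exp; do
    [ -n "$name" ] || continue
    if [ "$exp" -le "$now" ]; then printf '%s\n' "$name"; fi
  done
}

# --- fixes 3-4: fail-closed gate over the reject matrix ----------------------
# stdin lines "<case_id> <expected_code> <observed_code>". PASS is printed only when
# exactly $1 unique cases are present and every observed code equals its expected one;
# a mismatch, duplicate, missing code or extra case returns nonzero and prints no PASS.
gate_reject_matrix() {
  required=$1; seen=0; ok=0; dup=0; ids=" "
  while read -r id expected observed; do
    [ -n "$id" ] || continue
    case "$ids" in *" $id "*) dup=1 ;; esac
    ids="$ids$id "
    seen=$((seen + 1))
    if [ -n "$observed" ] && [ "$expected" = "$observed" ]; then ok=$((ok + 1)); fi
  done
  if [ "$dup" -eq 0 ] && [ "$seen" -eq "$required" ] && [ "$ok" -eq "$required" ]; then
    echo PASS
    return 0
  fi
  echo "gate: $ok/$seen cases matched, $required unique required, dup=$dup" >&2
  return 1
}

# --- demo with constructed values ---------------------------------------------
stage_file_job nightly-refresh t2 30 'select 1;'
echo "temp file removed: $([ -e "$STAGE_TMP" ] && echo no || echo yes)"
# third case observes 42703 where 42P01 was expected, so the gate must not print PASS
gate_reject_matrix 3 <<'EOF' || echo "gate blocked promotion as intended"
c1 42501 42501
c2 22P02 22P02
c3 42P01 42703
EOF
```

The gate prints PASS only as the last step after every check has passed, which is the ordering fix 5 asks for: a failing check returns nonzero before any PASS, digest or seal could be emitted.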

Steps 0–6 status

  • Step 0 foundations: complete; direct KB reads/searches listed in 01.
  • Steps 1–2 read/design review: complete; prerequisite failures identified before execution.
  • Step 3 code: N/A by hard lock; no files modified.
  • Steps 4–5 two hats/deploy/production verify: N/A; review only, no dry-run/deploy.
  • Step 6 report: seven KB files uploaded and read back.

OR/TD/handoff: OR update not needed; the findings introduce no operating principle beyond the existing fail-closed and evidence rules. A separate TD/handoff mutation was not authorized under the read-only hard lock; the blockers are fully captured in this report package.