KB-5629
02 — Staging-lite admission proof
Revision 1
Tags: c1, staging-lite, admission-proof, 8-facet-lifecycle, 2026-06-23
Admission record
- Admission ID: ADM-C1-STAGING-LITE-2026-06-23
- Policy: `DOT-100-staging-lite` via the staging-auto machine gate (WF-draft 06 §4). NOT president quorum · NOT APR-0415 · NOT `dot-apr-approve` · NOT official-runtime promotion.
- Owner authorization: nmhuyen@gmail.com — T2 macro "C1 STAGING-LITE ADMISSION TO DRY-RUN READY" (2026-06-23): "We are using the LEGO staging lane." This is the one-time owner admission that the prior package named as its single residual; the agent could not self-grant it.
- Executed by: operator-root-ssh → root@vmi3080463 (staging-auto gate).
- On-disk record: /opt/incomex/staging/c1/admission/DOT-100-staging-lite-admission.md
Staging-auto gate (WF-draft 06 §3) — all 9 PASS
| # | check | result |
|---|---|---|
| 1 | target explicitly temporary | PASS — disposable c1_staging_* DB + sbx_meta + /opt/incomex/staging/c1 |
| 2 | no official / current-corpus target | PASS — stg_assert_sandbox_name off-limits guard; cross-DB writes impossible in PG |
| 3 | no official dot_tools/CAT-006/dot_agent_api_contract mutation | PASS — staging path (not dot/bin); staging JSONL registry (not dot_tools) |
| 4 | no irreversible mutation | PASS — disposable lane; DROP DATABASE ... WITH (FORCE) retire |
| 5 | no hardcoded secret / authority row | PASS — none; admission is staging-auto, not an authority row |
| 6 | no manual SQL into official tables | PASS — payload SQL targets sandbox DB only; P5 case 8 dot_tools ref is a NEGATIVE isolation test (expects 42P01) |
| 7 | TTL / cleanup / rollback exists | PASS — TTL 24h; dot-staging-sandbox-drop; ROLLBACK.md |
| 8 | evidence package written / read back | PASS — this KB package |
| 9 | final state | STAGING_READY |
Per-primitive lifecycle proof (8-facet, design-level)
Each primitive carries the full 8-facet lifecycle (reuse-first / birth / admission / registration /
DOT-manage-ledger / rollback-retire / readback / orphan-check). At admission time the lifecycle is
proven at the code+record level (the in-sandbox facets execute at dry-run time inside sbx_meta).
| primitive | reuse-first | admission gate | registry | ledger | rollback/retire | readback | orphan |
|---|---|---|---|---|---|---|---|
| dot-staging-sandbox-create | refuse dup DB unless --force | --purpose/--owner/--ttl required (exit 3) + name guard | sbx_meta.sandbox_registry + staging JSONL | sandbox_create | compensating drop on meta failure | birth/admission/registry rows | scan c1_staging_% |
| dot-staging-sandbox-drop | refuse unknown/retired id | must be active registered sandbox (exit 5) + name guard (exit 4) | sets status=retired (tombstone) | sandbox_drop | DROP DATABASE ... WITH (FORCE) | confirms DB gone | orphan DB + orphan record sweep |
| dot-c1-staging-vocab-build | CREATE ... IF NOT EXISTS + load-only-if-empty | requires active sandbox (exit 5) | object_registry (6 objs) | c1_vocab_build | one-txn rollback / P2 teardown | vocab + object_registry | object_registry vs actual |
| dot-c1-staging-verify | idempotent set status=validated | requires active sandbox | object_registry (c1_verify) | c1_verify | one-txn | validated rows | invariant check |
| dot-c1-staging-bad-input-harness | TRUNCATE results on re-run | requires active sandbox | object_registry (c1_test_results, c1_run) | c1_bad_input_harness | sub-txn per case | case outcomes | residue/bad-accepted asserts |
| dot-c1-staging-evidence-readback | idempotent | requires active sandbox | object_registry (c1_digest) | c1_evidence_readback | one-txn | digest + readbacks | final orphan sweep + gate |
Staging registry + ledger (NOT official)
- `registry/primitives.jsonl` — 6 rows, each with `sha256`, `path`, `status=admitted`, `official_runtime:false`, `deployed_to_dot_bin:false`, `registered_in_dot_tools:false`.
- `ledger/dot_manage.jsonl` — 5 seeded ops: `staging_lane_init`, `primitive_admission`, `primitive_deploy`, `primitive_register`, `reuse_first_reconfirm`.
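
An added example (not part of the original package or the project's tooling): a verifier for the staging registry described above. It checks that each row of `registry/primitives.jsonl` is `status=admitted` with the three official-lane flags false, and that the recorded `sha256` still matches the file at `path`. The one-JSON-object-per-line layout, resolving `path` against a base directory, and the `prim*.sh` sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Field names are from the page; one JSON object per line with these value types is assumed.
EXPECTED = {"status": "admitted", "official_runtime": False,
            "deployed_to_dot_bin": False, "registered_in_dot_tools": False}

def verify_registry(registry_path, base_dir, expected_rows=6):
    """Return a list of findings; an empty list means every row checks out."""
    lines = [ln for ln in Path(registry_path).read_text().splitlines() if ln.strip()]
    findings = [] if len(lines) == expected_rows else [f"{len(lines)} rows, expected {expected_rows}"]
    for n, line in enumerate(lines, 1):
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            row = None
        if not isinstance(row, dict):
            findings.append(f"row {n}: not a JSON object")
            continue
        for key, want in EXPECTED.items():
            got = row.get(key)
            # Compare types too, so 0, "false" or a missing key never passes as false.
            if type(got) is not type(want) or got != want:
                findings.append(f"row {n}: {key} is {got!r}, expected {want!r}")
        # Recompute the digest so a primitive edited after admission is caught.
        target = Path(base_dir, str(row.get("path", "")))
        try:
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
        except OSError:
            digest = None  # missing or unreadable file is reported as a mismatch
        if digest is None or digest != row.get("sha256"):
            findings.append(f"row {n}: sha256 mismatch for {row.get('path')!r}")
    return findings

def demo():
    """Constructed sample: six placeholder primitives, verified clean and after drift."""
    with tempfile.TemporaryDirectory() as d:
        body = b"# constructed placeholder primitive\n"
        digest = hashlib.sha256(body).hexdigest()
        rows = [{"path": f"prim{i}.sh", "sha256": digest, **EXPECTED} for i in range(6)]
        for r in rows:
            Path(d, r["path"]).write_bytes(body)
        reg = Path(d, "primitives.jsonl")
        reg.write_text("".join(json.dumps(r) + "\n" for r in rows))
        clean = verify_registry(reg, d)
        reg.write_text(reg.read_text().replace(": false", ": true", 1))  # flip row 1's first flag
        Path(d, "prim4.sh").write_bytes(body + b"echo drift\n")  # row 5 edited after admission
        return clean, verify_registry(reg, d)
```

`demo()` returns the findings for the clean registry and for the tampered one; against a real lane, call `verify_registry` with the registry file and the directory its `path` values are relative to.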