04 Plan-Bound Signoff (SUPERTRACK D)

A review can only unlock TIER1/apply once it is bound to the EXACT current plan checksum and scope. Free-text scope no longer unlocks anything.

Object: qt001_signoff_plan_binding (table)

binding_id, review_id, plan_id, plan_version, plan_checksum, scope_collection, tier_intended, verdict_at_binding (CHECK in SAFE / DATA_VALID_APPLY_BLOCKED), evidence_path, bound_by, valid_until, superseded. Empty today by design: the two existing Codex reviews have reviewed_plan_checksum NULL and therefore produce NO binding -> no plan-bound positive signoff exists.

Codex NOT_SAFE preserved

qt001_independent_review_signoff is untouched. The active NOT_SAFE review remains recorded; v_qt001_plan_bound_signoff_status.active_not_safe=1.

Views

• v_qt001_plan_bound_signoff_status: current_plan_checksum=f8d2272f; positive_plan_bound_apply_signoffs=0; total_bindings=0; active_not_safe=1; plan_bound_safe=false. plan_bound_safe requires a SAFE binding to the current checksum AND zero active NOT_SAFE.
• v_qt001_signoff_scope_guard: surfaces unbound_reviews and stale_checksum_bindings; pass=true (apply path closed).
• v_qt001_signoff_no_go_guard: pass=true (plan_bound_safe=false).

Completion criterion met

No review can unlock TIER1 unless it signs the exact current plan checksum and scope. To flip apply-eligibility in a future layer, an external reviewer must insert a SAFE binding whose plan_checksum equals the live current plan checksum — and the active NOT_SAFE must first be superseded. No literal true/false controls this.