05 — Exact Signoff Binding

Predicate (fn_qt001_signoff_row_valid)

A binding satisfies an apply candidate only when ALL hold: not superseded (binding and review); verdict = SAFE; binding plan_checksum = current plan checksum (non-null); scope_collection = the target collection; tier_intended = the target tier; reviewer_type present and not self/self_certified/machine (external authority); evidence_path non-empty; valid_until null or in the future. NOT_SAFE blocks; a stale checksum invalidates; there is no wildcard.

Satisfies wrapper (fn_qt001_signoff_satisfies)

EXISTS a binding joined to its review for which the predicate holds for (collection, tier, current checksum). The plan-bound apply signal and the writer both consume this. Global apply-safe requires EVERY positive-delta candidate to have its own exact binding — one binding can no longer satisfy a global count.

Guard + negative tests

v_qt001_signoff_negative_tests (10 cases): all_correct -> true; wrong_checksum, wrong_tier, wrong_collection, not_safe, expired, binding_superseded, review_superseded, self_reviewer, missing_evidence -> false. All pass. v_qt001_exact_signoff_binding_guard: logic_exact=true, failed_cases=0, total_bindings=0, apply_candidates_unsigned=13, current_apply_signoff_safe=false, pass=true. Zero bindings exist, so apply stays blocked; the logic is proven exact for the day a real external SAFE binding is added.