FIX3 04 — Exact Signoff v3
SUPERTRACK D. Goal: a signoff cannot be spoofed or loosely scoped.
fn_qt001_signoff_row_valid_v3 returns true only when ALL hold: binding not superseded, review not superseded, verdict=SAFE, current fingerprint composite not null, signoff fingerprint not null AND equal to the current composite (content-addressed plan binding — the strongest possible binding: any control-input change invalidates a stale review), plan_id present, plan_version present and >=1, scope equals target collection, tier equals target tier, reviewer_type in the ALLOWLIST {CODEX, INDEPENDENT_EXTERNAL, EXTERNAL_AUDITOR, HUMAN_INDEPENDENT}, reviewer_name present, evidence present, valid_until present AND in the future. Reviewer is now an allowlist, so OTHER, self, machine, and any unknown type are rejected; open-ended (null) expiry is rejected.
fn_qt001_signoff_satisfies_v3(collection,tier) joins qt001_signoff_plan_binding to qt001_independent_review_signoff and returns true iff some bound+reviewed row is exactly valid for the CURRENT plan composite. There are zero bindings, so it returns false for every candidate — fail-closed.
Negative tests: v_qt001_exact_signoff_v3_negative_tests — fifteen behavioral cases. A fully-correct row returns true; each single defect flips to false: wrong fingerprint, wrong/absent plan_id, absent version, wrong collection, wrong tier, reviewer OTHER, reviewer SELF, null reviewer name, missing evidence, expired, open-ended expiry, NOT_SAFE verdict, binding superseded, review superseded. All fifteen pass.
Guard: v_qt001_exact_signoff_v3_guard — bindings_total 0, safe_reviews 0, candidates_with_exact_signoff 0, current_apply_signoff_safe false, pass true (the exact-signoff LOGIC is sound; no stale or loose review can influence tier or readiness). The two existing reviews are CODEX NOT_SAFE and CODEX DATA_VALID_APPLY_BLOCKED — neither authorizes apply, and neither is plan-bound, so neither can grant a tier.
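Added example (a Python model, not the project's own SQL) of the row predicate, the fail-closed join result, and the one-defect-at-a-time negative tests described above. The dict keys, function names and sample values are assumptions; only the conditions and the reviewer allowlist come from the text, and the plan_id case models the absent variant only.

```python
from datetime import datetime, timedelta, timezone
ALLOWLIST = {"CODEX", "INDEPENDENT_EXTERNAL", "EXTERNAL_AUDITOR", "HUMAN_INDEPENDENT"}

def row_valid(r, current_fp, collection, tier, now):
    """Every condition must hold; a missing (None) value never passes."""
    return bool(
        not r["binding_superseded"] and not r["review_superseded"]
        and r["verdict"] == "SAFE"
        and current_fp is not None
        and r["fingerprint"] is not None and r["fingerprint"] == current_fp
        and r["plan_id"]
        and r["plan_version"] is not None and r["plan_version"] >= 1
        and r["scope"] == collection and r["tier"] == tier
        and r["reviewer_type"] in ALLOWLIST  # unknown types are rejected
        and r["reviewer_name"] and r["evidence"]
        and r["valid_until"] is not None and r["valid_until"] > now
    )

def satisfies(rows, current_fp, collection, tier, now):
    # True iff some row is exactly valid; zero rows gives False (fail-closed).
    return any(row_valid(r, current_fp, collection, tier, now) for r in rows)

# Constructed sample data: one fully correct row, then one defect at a time.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
FP, COLL, TIER = "fp-current", "coll_a", "tier_1"
GOOD = dict(binding_superseded=False, review_superseded=False, verdict="SAFE",
            fingerprint=FP, plan_id="plan-1", plan_version=1, scope=COLL,
            tier=TIER, reviewer_type="CODEX", reviewer_name="reviewer-1",
            evidence="evidence-ref", valid_until=NOW + timedelta(days=30))
DEFECTS = {
    "wrong fingerprint": {"fingerprint": "fp-stale"},
    "absent plan_id": {"plan_id": None},
    "absent version": {"plan_version": None},
    "wrong collection": {"scope": "coll_b"},
    "wrong tier": {"tier": "tier_2"},
    "reviewer OTHER": {"reviewer_type": "OTHER"},
    "reviewer SELF": {"reviewer_type": "SELF"},
    "null reviewer name": {"reviewer_name": None},
    "missing evidence": {"evidence": None},
    "expired": {"valid_until": NOW - timedelta(seconds=1)},
    "open-ended expiry": {"valid_until": None},
    "NOT_SAFE verdict": {"verdict": "NOT_SAFE"},
    "binding superseded": {"binding_superseded": True},
    "review superseded": {"review_superseded": True},
}

def run_cases():
    cases = {"fully correct": {}, **DEFECTS}
    return {n: row_valid({**GOOD, **c}, FP, COLL, TIER, NOW) for n, c in cases.items()}
```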