KB-6779

FIX6 03 — Fixed-point hash (D) + signoff identity schema-enforced (E)

Revision 1

FIX6 03 — Fixed-point fingerprint/signoff (SUPERTRACK D) + signoff identity (SUPERTRACK E)

D — Break the fingerprint/signoff loop (fixed-point)

The FIX5 circularity: fn_qt001_plan_fingerprint_v5 folds signoff state into the composite, so adding a binding changes the fingerprint of the very plan it signs. FIX6 separates the hashes:

  • v_qt001_plan_content_hash — STABLE: md5 over scope (snapshot) + ruleset (qt001_tier_rule_registry_v2) + tier registry + ruleset_version. Excludes signoff/capability/scale/identity. Proven natively: pg_depend of this view references ONLY {qt001_plan_snapshot, qt001_tier_registry, qt001_tier_rule_registry_v2} — NO signoff tables.
  • v_qt001_control_state_hash — includes content_hash + signoff bindings + reviews + readiness + scale + directus. pg_depend DOES include signoff tables. May change after signoff (fine).
  • qt001_plan_content_binding(plan_id,plan_version,content_hash) — stores the stable hash for CURRENT (1 row); builder repopulates on rebuild.
  • v_qt001_signoff_target_hash_guard — a binding must target plan_content_hash (not the circular composite). pass=true.
  • v_qt001_fixed_point_hash_negative_tests (5/5 pass): content_hash_excludes_signoff_bindings; content_hash_excludes_independent_reviews; content_hash_includes_ruleset; control_hash_includes_signoff_bindings; wrong_content_hash_makes_signoff_invalid.

Result: adding a signoff changes control_state_hash but NOT plan_content_hash → the signed plan stays valid. Loop broken (proven by pg_depend, not by mutating data).

E — Signoff identity made schema-enforceable

FIX5 defect: signoff_row_valid_v5 required identity_class IN ('EXTERNAL_REVIEWER','INDEPENDENT_REVIEWER','EXTERNAL_AUDITOR'), but the CHECK on qt001_authority_identity_registry.identity_class only permits ('APPROVER','REVIEWER'), so the predicate could never be true; there was also no FK from binding → review. FIX6:

  • ADD FK qt001_signoff_plan_binding_review_fk_fix6 (binding.review_id → qt001_independent_review_signoff.review_id). 0 rows → safe.
  • ADD strict CHECK qt001_irs_reviewer_strict_fix6: reviewer_type IN ('CODEX','T2_HUMAN') (intersects the table's existing CHECK → effectively forbids OTHER/OWNER at the schema level).
  • fn_qt001_signoff_row_valid_v6 / fn_qt001_signoff_satisfies_v6: join the FK; require reviewer_type IN (CODEX,T2_HUMAN); verdict='SAFE'; NOT superseded; valid_until>now; not self-signed (reviewer_name <> bound_by); immutable evidence; AND bind the stable content_hash (b.plan_checksum = cb.content_hash AND r.reviewed_plan_checksum = cb.content_hash).
  • v_qt001_signoff_identity_constraint_guard.pass=true (binding_review_fk_count=1, strict_forbids_other_owner=true). Neg tests 3/3 (strict check excludes OTHER/OWNER; FK present; zero-bindings validator fail-closed).

ADD CONSTRAINT/FK confirmed tga-neutral (trigger_guard_alerts unchanged at 129).
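
The separation in D and the validator conditions in E, modelled in Python as an added example (not the project's SQL). The function names, the JSON serialization and the sample rows are assumptions; the control-state hash here covers only bindings and reviews, and the immutable-evidence condition is left out.

```python
import hashlib, json
from datetime import timedelta

STRICT_REVIEWER_TYPES = {"CODEX", "T2_HUMAN"}  # from the FIX6 strict CHECK

def _md5(obj):
    # Canonical JSON is an assumption; the page only says "md5 over ...".
    return hashlib.md5(json.dumps(obj, sort_keys=True, default=str).encode()).hexdigest()

def plan_content_hash(plan):
    # Stable: scope + ruleset + tier registry + ruleset_version, nothing else.
    return _md5([plan[k] for k in ("scope", "ruleset", "tier_registry", "ruleset_version")])

def control_state_hash(plan, bindings, reviews):
    # Volatile: content hash plus signoff state; allowed to move after signoff.
    return _md5([plan_content_hash(plan), bindings, reviews])

def fingerprint_v5_style(plan, bindings):
    # The circular composite: signoff state folded into the hash being signed.
    return _md5([plan_content_hash(plan), bindings])

def signoff_row_valid(binding, reviews, content_hash, now):
    r = reviews.get(binding["review_id"])  # stands in for the binding -> review FK join
    return bool(r
        and r["reviewer_type"] in STRICT_REVIEWER_TYPES
        and r["verdict"] == "SAFE"
        and not r["superseded"]
        and r["valid_until"] > now
        and r["reviewer_name"] != binding["bound_by"]   # not self-signed
        and binding["plan_checksum"] == content_hash
        and r["reviewed_plan_checksum"] == content_hash)

def signoff_satisfies(plan, bindings, reviews, now):
    # Fail closed: zero bindings (or zero valid ones) never satisfies.
    h = plan_content_hash(plan)
    return any(signoff_row_valid(b, reviews, h, now) for b in bindings)

def sample(now):
    # Constructed sample data, not taken from the page.
    plan = {"scope": ["t_a", "t_b"], "ruleset": {"r1": "tier1"},
            "tier_registry": {"tier1": 1}, "ruleset_version": "v2"}
    h = plan_content_hash(plan)
    reviews = {1: {"reviewer_type": "T2_HUMAN", "verdict": "SAFE", "superseded": False,
                   "valid_until": now + timedelta(days=7), "reviewer_name": "alice",
                   "reviewed_plan_checksum": h}}
    bindings = [{"review_id": 1, "bound_by": "bob", "plan_checksum": h}]
    return plan, bindings, reviews
```

A binding taken against fingerprint_v5_style goes stale the moment it is stored, while one taken against plan_content_hash stays valid until scope, ruleset, tier registry or ruleset_version changes.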

knowledge/dev/reports/architecture/birth-stage2-6a-fix6-qt001-signoff-fixed-point-behavioral-proof-self-audit-2026-06-07/03-fixed-point-hash-and-signoff-identity.md