04 — Independent Review Signoff Registry (SUPERTRACK D)

The literal independent_reaudit_signed_off = false (HC-02) is replaced by registry records. No positive apply signoff exists.

Objects

• Table qt001_independent_review_signoff — columns: review_id, reviewer_type, reviewer_name, reviewed_plan_checksum, verdict, scope, valid_until, evidence_path, superseded, superseded_by, created_at, notes.
• Table qt001_review_validated_collection — (review_id, collection_name, validation_kind, expected_delta_at_review, notes); FK to the signoff table. This is the DATA that replaces the code IN-list for Tier1 membership.
• Views v_qt001_independent_review_signoff_status, v_qt001_independent_review_no_go_guard.

Recorded reviews (Codex NOT_SAFE as data)

review_id	verdict	scope
CODEX-STAGE2.5-RUNTIME-HARDCODE-SCALE-2026-06-06	NOT_SAFE	apply runtime + permit + ledger + authority + hardcode + scale
CODEX-STAGE2.5-TIER1-DATA-VALIDITY-2026-06-06	DATA_VALID_APPLY_BLOCKED	TIER1 5-collection identity/parity DATA validity only (NOT apply authorization)

The second review's qt001_review_validated_collection rows (dot_domain_rules, apr_approvals, normative_relations, apr_action_types, field_type_equivalences) record that Codex confirmed the data is technically valid — explicitly NOT an apply authorization. This is the source the plan/tier registries read for Tier1 membership.

Signoff status

v_qt001_independent_review_signoff_status: active_reviews 2, not_safe_reviews 1, positive_apply_signoffs 0, signoff_safe = false. signoff_safe is true only when there is a valid positive APPLY signoff (verdict SAFE, scope mentions APPLY, not expired) AND no active NOT_SAFE — neither holds.

No-go guard

v_qt001_independent_review_no_go_guard.pass = true: the apply path is correctly NOT signed off (signoff_safe = false). Readiness can never green from this layer until an external reviewer records a SAFE verdict against the current plan checksum — by design, the agent cannot self-certify.