FIX7 Signoff Principal Evidence Lifecycle Spec

Allowed seed classes: OPERATOR_MIGRATION, CODEX_REVIEWER, T2_HUMAN_REVIEWER, VERIFIER, BINDER; exact LOGIN session_user, no SET ROLE/proxy/shared role. Evidence registered by controlled retrieval/hash/size, independent read-back, append-only revoke/supersede. Signoff binds exact target, plan hash, scope hash, tier/action IDs, reviewer/binder principals/evidence, epoch/times/hash; valid max 24h and exact required class set. Wrong/stale/expired/revoked/spoof/self-signed/Directus rows fail.