CP-09 Level-B Actor And Reviewer Manifest Binding
No Level-B actor/reviewer is accepted from a CI string.
```sql
-- Verified human identities. Each row is bound to an evidence row (FK added below)
-- and to the identity provider catalog item that issued the subject.
CREATE TABLE qt001_cp.human_identity_registry (
    human_identity_id         uuid PRIMARY KEY,
    identity_provider_item_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
                              ON UPDATE RESTRICT ON DELETE RESTRICT,
    provider_subject_sha256   qt001_cp.sha256 NOT NULL,
    identity_evidence_id      uuid NOT NULL,
    valid_from                timestamptz NOT NULL,
    valid_until               timestamptz NOT NULL,
    revoked_at                timestamptz NULL,
    UNIQUE (identity_provider_item_id, provider_subject_sha256),
    CHECK (valid_until > valid_from),
    CHECK (revoked_at IS NULL OR revoked_at >= valid_from)
);

-- Principals: one DB role per principal, each bound to exactly one verified human
-- and to a principal class from the ACTIVE PRINCIPAL_CLASS manifest.
CREATE TABLE qt001_cp.principal_registry (
    principal_id            uuid PRIMARY KEY,
    principal_class_item_id uuid NOT NULL REFERENCES qt001_cp.principal_class_manifest(item_id)
                            ON UPDATE RESTRICT ON DELETE RESTRICT,
    auth_db_role            name NOT NULL UNIQUE,
    human_identity_id       uuid NOT NULL REFERENCES qt001_cp.human_identity_registry(human_identity_id)
                            ON UPDATE RESTRICT ON DELETE RESTRICT,
    binding_evidence_id     uuid NOT NULL,
    valid_from              timestamptz NOT NULL,
    valid_until             timestamptz NOT NULL,
    revoked_at              timestamptz NULL,
    CHECK (valid_until > valid_from),
    CHECK (revoked_at IS NULL OR revoked_at >= valid_from)
);

-- Evidence foreign keys are NOT DEFERRABLE: a registry row can never exist, even
-- transiently inside a transaction, without its evidence_registry row.
ALTER TABLE qt001_cp.human_identity_registry
    ADD CONSTRAINT fk_human_identity__evidence
    FOREIGN KEY (identity_evidence_id) REFERENCES qt001_cp.evidence_registry(evidence_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;

ALTER TABLE qt001_cp.principal_registry
    ADD CONSTRAINT fk_principal__binding_evidence
    FOREIGN KEY (binding_evidence_id) REFERENCES qt001_cp.evidence_registry(evidence_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;
```
| Level-B element | Exact authority binding |
|---|---|
| GitHub workload identity | ACTIVE AUTHORITY_SCOPE item for workflow identity plus principal binding |
| DB migrator/owner login | principal_registry.human_identity_id binding; class from ACTIVE PRINCIPAL_CLASS manifest |
| environment reviewer | verified human_identity_registry identity bound to required principal class |
| permitted action/mode | ACTIVE AUTHORITY_ACTION + SIGNOFF_REQUIREMENT manifest |
| quorum slots/counts | ACTIVE QUORUM_REQUIREMENT manifest |
| separation | ACTIVE PRINCIPAL_SEPARATION manifest plus unique human identity per activation |
| object/action scope | ACTIVE AUTHORITY_SCOPE and PRIVILEGE_SET manifests |
| packet/proof | immutable evidence_registry rows bound to commit, packet, identities, epoch, hashes |
infra-preflight resolves the GitHub OIDC subject, the environment reviewer, the operator login, and the DB session_user to active principal/human IDs, then compares the resolved set against the exact required class/human set in both EXCEPT directions. The Level-B operator occupies only its manifest-required quorum slot; the same human cannot also occupy the reviewer, Codex, or T2 slot or any other required slot. An unknown, shared, proxy, or stale identity, or an extra reviewer, blocks.
Same-human control is slot-scoped, not blanket per activation. signoff_binding and quorum_vote carry one-occupant-per-slot UNIQUE constraints keyed by activation, quorum profile, required principal class, slot ordinal, and, where applicable, signoff action/scope. A generic PG constraint trigger/readiness guard joins the occupied slots to the ACTIVE principal_separation_manifest; the same human may not occupy both sides of a must_differ pair within the same activation/action scope. Roles that the manifest does not separate may legitimately repeat. No class pair is hardcoded.
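The preflight comparison (both EXCEPT directions) and the slot-scoped must_differ check from the two paragraphs above, modelled as an added example; this is not the project's infra-preflight or trigger code. It assumes the required set is given as (principal_class, human_id) pairs from the ACTIVE manifests, that occupants are the identities resolved from the OIDC subject, reviewer, operator login and DB session_user, and that must_differ is the set of class pairs from principal_separation_manifest; all sample data is constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Occupant:
    """One resolved slot occupant (OIDC subject, reviewer, operator login, DB session_user)."""
    principal_class: str
    slot: int                 # slot ordinal within the quorum profile
    human_id: Optional[str]   # resolved human_identity_id; None = unknown/shared/proxy/stale

def both_except(required, resolved):
    """Both EXCEPT directions: a missing pair and an extra pair are both findings."""
    return sorted(required - resolved), sorted(resolved - required)

def separation_violations(occupants, must_differ):
    """Slot-scoped control: one human on both sides of a must_differ class pair is a
    violation; classes not in any pair (e.g. auditor below) may legitimately repeat."""
    pairs = {frozenset(p) for p in must_differ}
    by_human = {}
    for o in occupants:
        if o.human_id is not None:
            by_human.setdefault(o.human_id, set()).add(o.principal_class)
    return sorted((h, a, b) for h, cls in by_human.items()
                  for a, b in combinations(sorted(cls), 2) if frozenset((a, b)) in pairs)

def preflight(required, occupants, must_differ):
    """Return blocking findings; an empty list means the activation may proceed."""
    findings = [f"unknown-identity:{o.principal_class}:{o.slot}"
                for o in occupants if o.human_id is None]
    seen = set()
    for o in occupants:  # mirrors the one-occupant-per-slot UNIQUE constraint
        if (o.principal_class, o.slot) in seen:
            findings.append(f"duplicate-slot:{o.principal_class}:{o.slot}")
        seen.add((o.principal_class, o.slot))
    resolved = {(o.principal_class, o.human_id) for o in occupants if o.human_id}
    missing, extra = both_except(set(required), resolved)
    findings += [f"missing:{c}:{h}" for c, h in missing]
    findings += [f"extra:{c}:{h}" for c, h in extra]
    findings += [f"separation:{h}:{a}|{b}"
                 for h, a, b in separation_violations(occupants, must_differ)]
    return findings

# Constructed sample: operator must differ from reviewer and T2; auditor is unconstrained.
REQUIRED = {("operator", "H1"), ("reviewer", "H2"), ("t2", "H3"), ("auditor", "H3")}
MUST_DIFFER = {("operator", "reviewer"), ("operator", "t2")}
GOOD = [Occupant("operator", 1, "H1"), Occupant("reviewer", 1, "H2"),
        Occupant("t2", 1, "H3"), Occupant("auditor", 1, "H3")]
SAME_HUMAN = [Occupant("operator", 1, "H1"), Occupant("reviewer", 1, "H1"),
              Occupant("t2", 1, "H3"), Occupant("auditor", 1, "H3")]
```

`preflight(REQUIRED, GOOD, MUST_DIFFER)` returns an empty list, while the SAME_HUMAN set reports the reviewer slot as both missing (H2) and extra (H1) plus a separation finding for H1.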
Credential or environment rotation, role-binding drift, human identity revocation or expiry, manifest activation, or an epoch change invalidates Level-B evidence immediately.