FIX7 Single Human Two Login Roles Control
Single-Human Two-Login-Roles Control
Distinct PostgreSQL logins do not, by themselves, prevent one human from controlling two approval roles: a person holding two login roles would satisfy a two-approver quorum alone. The quorum therefore binds each login to a verified human identity and counts distinct humans, not distinct logins.
Two tables carry the binding: human_identity_registry(human_identity_id PK, identity_provider_id, provider_subject_sha256 sha256, identity_evidence_id, active, valid_from, valid_until, revoked_at, UNIQUE(identity_provider_id, provider_subject_sha256)) and principal_human_binding(principal_id PK, auth_db_role UNIQUE, human_identity_id FK, binding_evidence_id, validity window, revoked_at). The human-identity evidence is an immutable IdP assertion that the system reads back independently; it is never supplied by the approving session. Display name, e-mail and any free-text field are diagnostic only and are never used for matching; the match key is the SHA-256 of the provider subject. A binding is invalid, and cannot approve, when the login is shared or a proxy, when the role was reached through SET ROLE or role inheritance rather than a direct login, or when the evidence is missing or stale.
Every approval row records the principal, the exact session_user (the login role; not current_user, which SET ROLE changes), and the human identity resolved at that moment. Two constraints are enforced: UNIQUE(activation_id, human_identity_id), so one human cannot approve the same activation twice through two logins, and UNIQUE(activation_id, principal_class_id), so each required class is satisfied at most once. An activation is ready only when the set of approving classes equals the required class set exactly and the number of distinct human identities equals the required count. Separation-of-duty pairs are ACTIVE rows in the manifest table and are evaluated by one generic query; no separation rule is hidden in a CASE expression.
A second approval from the same human through a different login is rejected. Any binding drift, revocation or expiry invalidates the approvals that depended on that binding and increments the activation epoch, so stale approvals are never counted. The emergency role cannot approve; it can only perform a reviewed, fail-closed rollback. A rollback appends a revoke or supersede record (it never deletes), increments the epoch, and sets readiness to false.
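The following PostgreSQL DDL and PL/pgSQL is an added example of how the binding, the two uniqueness constraints, the epoch invalidation and the distinct-human quorum check fit together; it is not the page's own schema. Column names the text does not list (the validity window columns on the binding, a principal_class_id stored on the binding, and required_class_ids, epoch and ready on an assumed activation table) are assumptions, and the unique keys include the epoch so that superseded approvals remain as audit rows while the same human may approve again after a re-bind.

```sql
-- Added example (not the page's own DDL). Assumed: binding validity window columns,
-- a principal_class_id on the binding, activation.required_class_ids/epoch/ready.
CREATE TABLE human_identity_registry (
  human_identity_id       bigint PRIMARY KEY,
  identity_provider_id    text   NOT NULL,
  provider_subject_sha256 bytea  NOT NULL,   -- sha256 of the IdP subject, never display name/e-mail
  identity_evidence_id    bigint NOT NULL,   -- immutable, independently read-back IdP assertion
  active      boolean     NOT NULL DEFAULT true,
  valid_from  timestamptz NOT NULL,
  valid_until timestamptz,
  revoked_at  timestamptz,
  UNIQUE (identity_provider_id, provider_subject_sha256)
);
CREATE TABLE principal_human_binding (
  principal_id        bigint PRIMARY KEY,
  auth_db_role        name   NOT NULL UNIQUE,          -- matched against session_user, the login role
  human_identity_id   bigint NOT NULL REFERENCES human_identity_registry,
  principal_class_id  int    NOT NULL,                 -- assumed: class is a property of the principal
  binding_evidence_id bigint NOT NULL,
  valid_from  timestamptz NOT NULL,
  valid_until timestamptz,
  revoked_at  timestamptz
);
CREATE TABLE activation (
  activation_id      bigint  PRIMARY KEY,
  required_count     int     NOT NULL,
  required_class_ids int[]   NOT NULL,                 -- exact class set that must approve
  epoch              int     NOT NULL DEFAULT 0,       -- bumped on any binding change or rollback
  ready              boolean NOT NULL DEFAULT false
);
CREATE TABLE approval (                                -- append-only; rows are never updated
  activation_id      bigint NOT NULL REFERENCES activation,
  epoch              int    NOT NULL,
  principal_id       bigint NOT NULL REFERENCES principal_human_binding,
  principal_class_id int    NOT NULL,
  session_login      name   NOT NULL,                  -- exact session_user, not current_user
  human_identity_id  bigint NOT NULL REFERENCES human_identity_registry,
  UNIQUE (activation_id, epoch, human_identity_id),    -- one human, one approval, whatever the login
  UNIQUE (activation_id, epoch, principal_class_id)    -- each class satisfied once
);

-- Resolve a login role to a human identity; a missing, revoked or expired link fails closed.
CREATE FUNCTION resolve_human(p_role name) RETURNS bigint LANGUAGE plpgsql STABLE AS $$
DECLARE v_human bigint;
BEGIN
  SELECT b.human_identity_id INTO v_human
    FROM principal_human_binding b
    JOIN human_identity_registry h USING (human_identity_id)
   WHERE b.auth_db_role = p_role
     AND b.revoked_at IS NULL AND h.revoked_at IS NULL AND h.active
     AND now() >= b.valid_from AND (b.valid_until IS NULL OR now() < b.valid_until)
     AND now() >= h.valid_from AND (h.valid_until IS NULL OR now() < h.valid_until);
  IF v_human IS NULL THEN
    RAISE EXCEPTION 'no valid human binding for login %', p_role;
  END IF;
  RETURN v_human;
END $$;

-- BEFORE INSERT: the row is stamped from the session, never from caller-supplied values.
CREATE FUNCTION approval_bind() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF session_user <> current_user THEN                 -- SET ROLE or inherited role in effect
    RAISE EXCEPTION 'approval must come from a direct login, not SET ROLE';
  END IF;
  NEW.session_login     := session_user;
  NEW.human_identity_id := resolve_human(session_user);
  SELECT principal_id, principal_class_id INTO NEW.principal_id, NEW.principal_class_id
    FROM principal_human_binding WHERE auth_db_role = session_user;
  SELECT epoch INTO NEW.epoch FROM activation WHERE activation_id = NEW.activation_id FOR UPDATE;
  RETURN NEW;                          -- the UNIQUE keys now reject a second login of the same human
END $$;
CREATE TRIGGER approval_bind BEFORE INSERT ON approval
  FOR EACH ROW EXECUTE FUNCTION approval_bind();

-- Any change to a binding (drift, revoke, expiry) invalidates approvals made under it:
-- the epoch moves on, so old rows stay for audit but no longer count, and readiness is cleared.
CREATE FUNCTION binding_changed() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  UPDATE activation SET epoch = epoch + 1, ready = false
   WHERE activation_id IN (SELECT activation_id FROM approval
                            WHERE principal_id = OLD.principal_id);
  RETURN NEW;
END $$;
CREATE TRIGGER binding_changed AFTER UPDATE ON principal_human_binding
  FOR EACH ROW EXECUTE FUNCTION binding_changed();

-- Quorum for the current epoch only: distinct humans, not logins, and the exact class set.
CREATE FUNCTION quorum_met(p_activation bigint) RETURNS boolean LANGUAGE sql STABLE AS $$
  SELECT count(DISTINCT a.human_identity_id) = act.required_count
     AND coalesce(array_agg(DISTINCT a.principal_class_id ORDER BY a.principal_class_id)
                  FILTER (WHERE a.principal_class_id IS NOT NULL), '{}')
         = (SELECT array_agg(c ORDER BY c) FROM unnest(act.required_class_ids) AS c)
    FROM activation act
    LEFT JOIN approval a ON a.activation_id = act.activation_id AND a.epoch = act.epoch
   WHERE act.activation_id = p_activation
   GROUP BY act.activation_id;
$$;
```

With this in place, one human bound to two login roles who approves from the first role and then from the second hits UNIQUE(activation_id, epoch, human_identity_id) on the second insert, because the trigger resolves both logins to the same human_identity_id regardless of which role inserted. The FOR UPDATE on the activation row makes an approval insert serialize against a concurrent binding-change epoch bump, so an approval cannot be stamped with an epoch that is already stale by the time it commits. The emergency-role rollback described above is not shown; it would append its revoke/supersede record and bump the epoch through the same activation row rather than touching approval rows.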