KB-3DE7

CP-09 Level-B Identity / Reviewer Binding Review


09 - SUPERTRACK I — CP-09 Level-B Actor / Reviewer Manifest Binding Review

Source reviewed: doc 10-cp09-level-b-identity-reviewer-binding.md (revision 2).

Verdict: CP09_VERIFIED

Checklist evidence

  • Level-B actor identity binding clear — VERIFIED. "No Level-B actor/reviewer is accepted from a CI string." Byte-level DDL for human_identity_registry (provider item + provider_subject_sha256, validity, revoke; UNIQUE(identity_provider_item_id,provider_subject_sha256)) and principal_registry.
  • principal_registry.human_identity_id binding correct — VERIFIED. principal_registry(principal_id, principal_class_item_id→principal_class_manifest, auth_db_role name NOT NULL UNIQUE, human_identity_id→human_identity_registry, binding_evidence_id→evidence_registry, validity, revoke). Self-review item 10 confirms the prior mis-named DB-role binding was corrected to this actually-defined column.
  • Reviewer manifest reference clear — VERIFIED. The Level-B binding table maps each element to an ACTIVE manifest: GitHub workload identity → AUTHORITY_SCOPE + principal binding; migrator/owner login → principal_registry + PRINCIPAL_CLASS; environment reviewer → human_identity_registry bound to required principal class; permitted action/mode → AUTHORITY_ACTION + SIGNOFF_REQUIREMENT; quorum → QUORUM_REQUIREMENT; separation → PRINCIPAL_SEPARATION; scope → AUTHORITY_SCOPE + PRIVILEGE_SET; packet/proof → immutable evidence_registry rows.
  • Evidence binding clear — VERIFIED (the FKs human_identity_registry.identity_evidence_id→evidence_registry and principal_registry.binding_evidence_id→evidence_registry are added via ALTER rather than inline in CREATE TABLE, which correctly breaks the evidence↔principal↔identity FK cycle).
  • Same-human-two-login control applies — VERIFIED at the logic + hash level. "The Level-B operator occupies only its manifest-required quorum slot; the same human cannot occupy reviewer/Codex/T2 or another required slot. Unknown/shared/proxy/stale identity or extra reviewer blocks." infra-preflight resolves the OIDC subject, environment reviewer, operator login and DB session_user to active principal/human IDs and compares the required class/human set against the presented set in both EXCEPT directions (required EXCEPT presented, and presented EXCEPT required), so a missing participant and an extra participant both block. H04 binds reviewer_human_identity_id and binder_human_identity_id into the signoff hash.
  • Quorum binding clear — VERIFIED (QUORUM_REQUIREMENT + unique human identity per activation; PRINCIPAL_SEPARATION). Invalidation on rotation/drift/revoke/expiry/activation/epoch change.
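The same-human-one-slot control evaluated in the checklist above, as an added Python model (not the reviewed document's or the project's code): it resolves presented logins against a constructed human_identity_registry sample, compares the required and presented slot sets in both EXCEPT directions, and fails closed on unknown, revoked or stale identities or on one human occupying two slots. The registry rows, slot names and the fixed evaluation date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class HumanIdentity:
    """One human_identity_registry row, reduced to the fields preflight needs."""
    human_identity_id: str
    revoked: bool
    valid_until: date

# Constructed sample registry keyed by (identity provider, provider subject).
HUMAN_IDENTITY_REGISTRY = {
    ("github-oidc", "alice"): HumanIdentity("H-1", False, date(2030, 1, 1)),
    ("github-oidc", "bob"):   HumanIdentity("H-2", False, date(2030, 1, 1)),
    ("github-oidc", "carol"): HumanIdentity("H-3", True,  date(2030, 1, 1)),   # revoked
    ("github-oidc", "dave"):  HumanIdentity("H-4", False, date(2020, 1, 1)),   # expired
}

def resolve_human(provider, subject, today):
    """Map a login or OIDC subject to an active human identity id, or None when
    the identity is unknown, revoked or stale (each of which must block)."""
    ident = HUMAN_IDENTITY_REGISTRY.get((provider, subject))
    if ident is None or ident.revoked or ident.valid_until < today:
        return None
    return ident.human_identity_id

def preflight_same_human_check(required_slots, presented, today=date(2026, 6, 7)):
    """required_slots: slot names the quorum manifest demands for this activation.
    presented: {slot: (provider, subject)} as seen by preflight.
    Returns (ok, reasons); any reason fails the activation closed."""
    reasons = []
    # Both EXCEPT directions: required minus presented, presented minus required.
    for slot in sorted(set(required_slots) - set(presented)):
        reasons.append(f"missing required slot {slot}")
    for slot in sorted(set(presented) - set(required_slots)):
        reasons.append(f"extra slot {slot} not in quorum manifest")
    # Resolve each presented login to a human and reject reuse across slots.
    slots_by_human = {}
    for slot, (provider, subject) in presented.items():
        human = resolve_human(provider, subject, today)
        if human is None:
            reasons.append(f"{slot}: unknown/revoked/stale identity {subject}")
        else:
            slots_by_human.setdefault(human, []).append(slot)
    for human, slots in slots_by_human.items():
        if len(slots) > 1:
            reasons.append(f"{human} occupies more than one slot: {sorted(slots)}")
    return (not reasons, reasons)
```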

Residuals (carried to RP)

  • RP-06 (advisory): the same-human-one-slot-per-activation control is enforced by preflight logic + hash binding, but is not backed by a DB-level UNIQUE constraint on the signoff/binding instance table (e.g. UNIQUE(activation_id, human_identity_id)). Add that constraint so separation is PG-native fail-closed, not only preflight-evaluated. (Depends on RP-01 defining the signoff/binding instance table; doc 09 already lists an index (activation_id,human_identity_id) but an index is not a uniqueness guarantee.)
  • RP-01 (blocking): the actual per-activation signoff/binding INSTANCE table (where reviewer/binder rows live, consumed by H04) is referenced (indexes, H04) but never defined byte-level. Resolve with RP-01.

Conclusion

Level-B actor/reviewer identity is bound to sealed manifest authority with byte-level identity/principal DDL and a working same-human control. CP09_VERIFIED; the DB-level same-human UNIQUE (RP-06) and the signoff instance table (RP-01) are carried as residuals.

knowledge/dev/reports/architecture/t1-fix7-corrected-spec-short-review-proposals-2026-06-07/09-cp09-level-b-identity-review.md