T1 FIX7 Design Verification - 06 Signoff Principal Evidence (SUPERTRACK F)
06 — Signoff / Principal / Evidence Review (SUPERTRACK F)
| # | Requirement | Design answer | Verdict |
|---|---|---|---|
| F.1 | Principal identity is not arbitrary string | "manifest/FK principal/action/tier contracts" (10) | INTENT-OK; principal table + FK DDL not specified → NEEDS_CLARIFICATION |
| F.2 | Reviewer bound to controlled principal | FK principal contract (10); FIX6 lineage qt001_irs_reviewer_strict_fix6 CHECK (no OTHER/OWNER) | INTENT-OK; FIX7 not restated concretely |
| F.3 | Evidence is content-addressed | "content-addressed evidence read-back" (10, 02) | INTENT-OK; content-address scheme (hash algo, what is hashed) not specified |
| F.4 | Evidence source immutable / owner-controlled | append-only sealed; owner-only; runtime zero DML (02) | INTENT-OK (target); LIVE-FAIL — Directus owns + INSERT/DELETE proven |
| F.5 | Signoff binds exact scope/tier/verdict/hash | FIX6 lineage fn_qt001_signoff_*_v6 content-hash-bound; FIX7 "content-addressed evidence" | INTENT-OK; FIX7 binding schema not specified |
| F.6 | Self-signing blocked | "independent principals" (02); "no caller PASS" (10) | INTENT-OK; independence predicate + self-sign rejection rule not specified → NEEDS_CLARIFICATION |
| F.7 | Expired/superseded/revoked signoff fails | not addressed in FIX7 docs (FIX3/FIX6 had strict-future-expiry + supersede) | GAP — FIX7 docs are silent on expiry/supersede/revoke lifecycle → NEEDS_CLARIFICATION |
| F.8 | Adding signoff does not stale plan content hash | FIX6 fixed-point: v_qt001_plan_content_hash (pg_depend-proven to EXCLUDE signoff) vs v_qt001_control_state_hash | INTENT-OK; FIX7 must explicitly inherit the content-hash-excludes-signoff fixed-point (see doc 08) |
Live state
qt001_independent_review_signoff = 2 rows exist (from earlier stages), but qt001_signoff_plan_binding = 0 → no plan-bound signoff → readiness fail-closed today. Critically, Directus can INSERT a new signoff and DELETE existing ones (proven). So today the signoff table is spoofable by the app role; the only thing preventing a false-green is the global block, not the signoff machinery itself.
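The "proven" INSERT/DELETE finding above can be re-checked from the catalog. The query below is an added audit example, not the project's own verification script; it assumes the tables live in schema public and that the Directus application role is literally named directus (the page does not name the role).

```sql
-- Constructed audit query (not the project's own check): report the owner of the live
-- signoff tables and whether the app role holds any DML on them.
-- Assumption: the Directus app role is named "directus" (has_table_privilege errors if the
-- role does not exist, so adjust the name before running).
SELECT n.nspname || '.' || c.relname                     AS relation,
       pg_get_userbyid(c.relowner)                       AS owner,
       has_table_privilege('directus', c.oid, 'INSERT')  AS app_insert,
       has_table_privilege('directus', c.oid, 'UPDATE')  AS app_update,
       has_table_privilege('directus', c.oid, 'DELETE')  AS app_delete
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind = 'r'
  AND  n.nspname = 'public'
  AND  c.relname IN ('qt001_independent_review_signoff', 'qt001_signoff_plan_binding');
-- Any true in app_insert/app_update/app_delete, or owner = directus, is the LIVE-FAIL
-- described above; the F.4 target is owner = a non-app role and false in all three columns.
```

Note that has_table_privilege returns true for every privilege when the queried role owns the relation, so an owner column of directus is a failure on its own even before the three DML columns are read.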
Is the design spoofable?
Target design: not spoofable — FK-bound principal, content-addressed evidence under owner-only append-only storage, independent quorum, no self-sign, no caller PASS. This is the correct anti-spoof model and answers FIX4's "controlled identities/evidence are Directus-mutable rows" finding.
As written: unverifiable + one explicit gap. No concrete principal/evidence schema; and F.7 (expiry/supersede/revoke) is not mentioned at all in the FIX7 docs, although prior fixes (FIX3 strict-future-expiry, FIX6 supersede) treated it as load-bearing. A signoff that never expires/cannot be revoked is itself a spoof vector. Required correction: FIX7 must specify the signoff row schema (plan-content-hash + scope + tier + verdict + reviewer-FK + evidence-content-hash + expiry + supersede/revoke columns), the independence predicate, and the self-sign rejection.
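To make the required correction concrete, here is one way the F.1 to F.8 contracts in the table and the row schema demanded in the paragraph above could be expressed as PostgreSQL DDL. This is an added illustration, not FIX7's own schema or the FIX6 lineage objects: every object name (qt001_principal, qt001_evidence, qt001_signoff_v7, qt001_signoff_revocation, v_qt001_effective_signoff), the choice of SHA-256 as the content address, and the app role name directus are assumptions made for this example.

```sql
-- Added illustration of the F.1-F.8 contracts as PostgreSQL DDL. Not FIX7's own schema:
-- all object names, the SHA-256 content address and the role name "directus" are assumed.
-- Run as the owner role (never as the app role), so ownership itself is owner-controlled.

-- F.1 / F.2: principals are rows in an owner-controlled table, not free-form strings.
CREATE TABLE qt001_principal (
    principal_id text PRIMARY KEY,
    kind         text NOT NULL CHECK (kind IN ('REVIEWER', 'AUTHOR')),  -- no OTHER / OWNER
    UNIQUE (principal_id, kind)          -- lets the signoff FK pin the kind as well as the id
);

-- F.3 / F.4: evidence is addressed by the SHA-256 of its body; the CHECK makes a row
-- whose id does not match its content unstorable. sha256(bytea) is built in since PG 11.
CREATE TABLE qt001_evidence (
    evidence_hash bytea PRIMARY KEY,
    body          bytea NOT NULL,
    CHECK (evidence_hash = sha256(body))
);

-- F.5 / F.6 / F.7: one row binds plan hash, scope, tier, verdict, reviewer, evidence, expiry.
-- Supersession is append-only: the newer row names the row it replaces.
CREATE TABLE qt001_signoff_v7 (
    signoff_id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    plan_content_hash bytea NOT NULL,    -- value of v_qt001_plan_content_hash when signed (F.5, F.8)
    scope             text  NOT NULL,
    tier              text  NOT NULL,
    verdict           text  NOT NULL CHECK (verdict IN ('PASS', 'FAIL')),
    reviewer_id       text  NOT NULL,
    reviewer_kind     text  NOT NULL CHECK (reviewer_kind = 'REVIEWER'),
    author_id         text  NOT NULL REFERENCES qt001_principal (principal_id),  -- the plan's caller
    evidence_hash     bytea NOT NULL REFERENCES qt001_evidence (evidence_hash),
    signed_at         timestamptz NOT NULL DEFAULT now(),
    expires_at        timestamptz NOT NULL,
    supersedes        bigint REFERENCES qt001_signoff_v7 (signoff_id),
    FOREIGN KEY (reviewer_id, reviewer_kind) REFERENCES qt001_principal (principal_id, kind),
    CHECK (expires_at > signed_at),      -- strict-future expiry (F.7)
    CHECK (reviewer_id <> author_id)     -- independence predicate / self-sign rejection (F.6)
);

-- F.7: revocation is its own append-only row, so the signoff table never needs UPDATE.
CREATE TABLE qt001_signoff_revocation (
    signoff_id bigint PRIMARY KEY REFERENCES qt001_signoff_v7 (signoff_id),
    revoked_by text   NOT NULL REFERENCES qt001_principal (principal_id),
    revoked_at timestamptz NOT NULL DEFAULT now()
);

-- Readiness fails closed: a signoff counts only if it is PASS, unexpired, unrevoked and
-- not superseded. The caller additionally matches plan_content_hash against the current
-- plan hash; an expired, revoked or superseded row simply disappears from this view.
CREATE VIEW v_qt001_effective_signoff AS
SELECT s.signoff_id, s.plan_content_hash, s.scope, s.tier, s.reviewer_id, s.evidence_hash
FROM   qt001_signoff_v7 s
WHERE  s.verdict = 'PASS'
  AND  s.expires_at > now()
  AND  NOT EXISTS (SELECT 1 FROM qt001_signoff_revocation r WHERE r.signoff_id = s.signoff_id)
  AND  NOT EXISTS (SELECT 1 FROM qt001_signoff_v7 n WHERE n.supersedes = s.signoff_id);

-- F.4 target state: the app role holds zero DML on every table and can only read the view,
-- so a false-green cannot be inserted (or a real signoff deleted) through the app.
REVOKE ALL ON qt001_principal, qt001_evidence, qt001_signoff_v7, qt001_signoff_revocation
    FROM PUBLIC, directus;
GRANT  SELECT ON v_qt001_effective_signoff TO directus;
```

Two design choices are deliberate. The independence predicate is reduced here to reviewer_id <> author_id plus a kind pin of REVIEWER; a real FIX7 spec may need a stronger predicate (for example, reviewer not a member of the authoring team), which belongs in the same CHECK or a trigger. And the view reads the signoff tables only, never the plan tables, so it stays on the control-state side of the F.8 fixed-point: v_qt001_plan_content_hash must continue to have no pg_depend edge to any signoff object.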
Signoff/evidence verdict
No spoofable signoff in the design intent; live signoff table is app-spoofable until cutover; FIX7 spec is incomplete (principal/evidence schema undefined) and silent on the expiry/supersede/revoke lifecycle. → NEEDS_CLARIFICATION + LIVE-FAIL-until-cutover. Contributes to the block.