02 — Supertrack B: P-02 H04_SCOPE_V1 Scope-Hash Review
Verdict: P02_VERIFIED
What P-02 demanded
Pin signoff_binding.scope_hash canonical composition: a canonical SHA-256 over an explicit ordered key list — minimally {quorum_profile_id, required_principal_class_id, slot_ordinal, action_id} — explicitly state whether target_id/plan_content_hash are included; OR add the slot keys directly to H04. Make the slot provably hash-bound (closes the RP-06 same-human/slot bypass) and the signoff write path deterministic.
What Codex delivered (patch doc 02)
H04_SCOPE_V1, domain incomex.qt001.signoff-scope.v1, exactly EIGHT ordered keys, all from the same signoff_binding row, all required, canonical PG16 JSONB + SHA-256:
1 activation_id · 2 target_manifest_id · 3 plan_content_hash · 4 quorum_profile_id · 5 required_principal_class_id · 6 slot_ordinal · 7 action_id · 8 control_epoch.
Stronger than T1's 4-key minimum; explicitly answers the open question (target + plan ARE included) and adds activation_id + control_epoch for replay protection. Declared to define the EXISTING scope_hash sub-payload — NOT a new 8th top-level contract; H01..H07 remain the exact set.
Verification — every key resolves to a real NOT NULL signoff_binding column (DDL doc 02 rev 2)
| # | scope key | signoff_binding column | type / nullability |
|---|---|---|---|
| 1 | activation_id | activation_id | uuid NOT NULL (FK manifest_activation) |
| 2 | target_manifest_id | target_manifest_id | uuid NOT NULL (FK manifest_set) |
| 3 | plan_content_hash | plan_content_hash | qt001_cp.sha256 NOT NULL |
| 4 | quorum_profile_id | quorum_profile_id | uuid NOT NULL (FK code_catalog_item) |
| 5 | required_principal_class_id | required_principal_class_id | uuid NOT NULL (FK principal_class_manifest) |
| 6 | slot_ordinal | slot_ordinal | qt001_cp.positive_bigint NOT NULL |
| 7 | action_id | action_id | uuid NOT NULL (FK authority_action_manifest) |
| 8 | control_epoch | control_epoch | qt001_cp.nonnegative_bigint NOT NULL |
All 8 present, all NOT NULL → "is required" is structurally enforced; no implicit 9th key; no free-text. Canonical PG16 JSONB key ordering + the global CP-06 encoding (hex / COLLATE "C" / UTC / trim_scale / JSON-null) make the digest deterministic; all 8 are deterministically encodable (uuid lowercase text, sha256 hex, bigint integer).
Checklist:
- exactly 8 pinned keys / explicit order — PASS.
- source table.columns explicit — PASS (all signoff_binding; key names match column names 1:1 per DDL).
- NULL handling explicit — PASS (all NOT NULL + global CP-06 JSON-null rule).
- canonical JSONB / order rule clear — PASS.
- any slot/scope field change ⇒ scope_hash change — PASS (all 8 hashed).
- same-human slot-scoped binding consumes the same definition — PASS (consumers below).
- no 9th implicit / free-text key — PASS (closed set; "Every value comes from the same signoff_binding row").
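The composition and encoding rules above, as an added reference model written for this review (not Codex's code, not the project's DDL or PL/pgSQL): it enforces the closed 8-key set, the NOT NULL rule, the per-type encodings (uuid lowercase text, sha256 hex, bigint integer), renders the payload the way PG16 jsonb::text orders keys (by byte length, then bytewise), and SHA-256s it. The page names the domain incomex.qt001.signoff-scope.v1 but not how it enters the digest; binding it as a 0x00-separated UTF-8 prefix is an assumption made here, as are the sample row values. The helper functions check the review's own checklist items: slot change rehashes (RP-06), input order does not matter, and a ninth key or a NULL is refused rather than silently hashed.

```python
import hashlib
import json
import uuid

# H04_SCOPE_V1 domain tag, as stated on the page.
SCOPE_DOMAIN = "incomex.qt001.signoff-scope.v1"

# The closed set of eight scope keys, in the order the page lists them.
# Listing order is documentary; the digest uses PG16 jsonb key ordering (below).
SCOPE_KEYS = (
    "activation_id",
    "target_manifest_id",
    "plan_content_hash",
    "quorum_profile_id",
    "required_principal_class_id",
    "slot_ordinal",
    "action_id",
    "control_epoch",
)

UUID_KEYS = {"activation_id", "target_manifest_id", "quorum_profile_id",
             "required_principal_class_id", "action_id"}
SHA256_KEYS = {"plan_content_hash"}
BIGINT_KEYS = {"slot_ordinal", "control_epoch"}


def encode_value(key, value):
    """Apply the deterministic encodings the page names (CP-06 style):
    uuid -> lowercase text, sha256 -> lowercase hex, bigint -> JSON integer.
    Raises on NULL or malformed input so a bad row never yields a digest."""
    if value is None:
        raise ValueError(f"{key} is NULL; all H04 scope keys are NOT NULL")
    if key in UUID_KEYS:
        return str(uuid.UUID(str(value)))  # normalises to lowercase hyphenated form
    if key in SHA256_KEYS:
        h = str(value).lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"{key} is not a 64-hex-char sha256")
        return h
    if key in BIGINT_KEYS:
        n = int(value)
        if key == "slot_ordinal" and n < 1:      # qt001_cp.positive_bigint
            raise ValueError("slot_ordinal must be positive")
        if n < 0:                                # qt001_cp.nonnegative_bigint
            raise ValueError(f"{key} must be non-negative")
        return n
    raise KeyError(key)


def canonical_jsonb_text(obj):
    """Render a flat object the way PG16 jsonb::text prints it: keys sorted by
    (byte length, bytes), ', ' between members, ': ' between key and value."""
    ordered = sorted(obj.items(), key=lambda kv: (len(kv[0].encode()), kv[0].encode()))
    members = [f"{json.dumps(k)}: {json.dumps(v, ensure_ascii=False)}" for k, v in ordered]
    return "{" + ", ".join(members) + "}"


def scope_hash(row):
    """H04_SCOPE_V1 scope_hash over one signoff_binding row given as a dict.
    ASSUMPTION: the domain tag is bound as a UTF-8 prefix plus a 0x00 separator;
    the page names the domain but does not say how it enters the digest."""
    extra = set(row) - set(SCOPE_KEYS)
    missing = set(SCOPE_KEYS) - set(row)
    if extra or missing:
        raise ValueError(f"scope key set mismatch: extra={sorted(extra)} missing={sorted(missing)}")
    payload = {k: encode_value(k, row[k]) for k in SCOPE_KEYS}
    h = hashlib.sha256()
    h.update(SCOPE_DOMAIN.encode("utf-8"))
    h.update(b"\x00")
    h.update(canonical_jsonb_text(payload).encode("utf-8"))
    return h.hexdigest()


# Constructed sample row; the values are illustrative and not from the page.
SAMPLE_ROW = {
    "activation_id": "0F0E0D0C-0B0A-4908-8706-050403020100",  # mixed case on purpose
    "target_manifest_id": "11111111-2222-4333-8444-555555555555",
    "plan_content_hash": "ab" * 32,
    "quorum_profile_id": "66666666-7777-4888-8999-aaaaaaaaaaaa",
    "required_principal_class_id": "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff",
    "slot_ordinal": 1,
    "action_id": "12345678-9abc-4def-8012-3456789abcde",
    "control_epoch": 0,
}


def slot_change_rehashes(row=SAMPLE_ROW):
    """RP-06 check: the same row in another slot must carry a different scope_hash."""
    other = dict(row, slot_ordinal=row["slot_ordinal"] + 1)
    return scope_hash(row) != scope_hash(other)


def input_order_irrelevant(row=SAMPLE_ROW):
    """Determinism check: dict insertion order and uuid letter case do not matter."""
    shuffled = {k: row[k] for k in reversed(SCOPE_KEYS)}
    return scope_hash(shuffled) == scope_hash(row)


def rejected(patch, row=SAMPLE_ROW):
    """True if applying `patch` to the row makes scope_hash refuse it
    (closed key set, NOT NULL, domain-type range checks)."""
    try:
        scope_hash({**row, **patch})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(canonical_jsonb_text({k: encode_value(k, v) for k, v in SAMPLE_ROW.items()}))
    print(scope_hash(SAMPLE_ROW))
```

To cross-check such a model against a live database, the comparable query-side computation is a SHA-256 over the text of a jsonb_build_object(...) over the same eight columns; whether the deployed function adds the domain prefix the same way is exactly the detail this review does not pin down, so treat the prefix as a modelling assumption until compared with the real function body.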
Consumed consistently (no divergent recompute)
- signoff_binding UNIQUE(activation_id, quorum_profile_id, required_principal_class_id, slot_ordinal, action_id, scope_hash) — scope_hash is part of slot uniqueness.
- H04 payload hashes the stored scope_hash sub-payload.
- RP-06 same-human (design-correction doc 03): one-occupant-per-slot via the UNIQUE keys + ACTIVE principal_separation_manifest join — now provably hash-bound by scope_hash.
No party recomputes scope_hash differently; all treat it as the deterministic SHA-256 of the 8-key canonical JSONB.
Law check (§4F / §4G)
Codex is the design owner; the 8-key choice answers T1's explicitly-invited open question (whether target/plan are included) and strengthens replay-resistance over columns the binding ALREADY stores NOT NULL. It pins previously-underspecified composition — not a business-meaning change — consistent with the surgical-follow-up rule, not silent semantic drift.
Result: P02_VERIFIED.