KB-47F1
T1 FIX7 Adversarial Review - 05 Signoff Principal Evidence (SUPERTRACK E)
Revision 1
05 — Signoff / Principal / Evidence Lifecycle Review (SUPERTRACK E)
Source: 04-signoff-principal-evidence-lifecycle-spec.md.
| # | Requirement | Spec answer | Verdict |
|---|---|---|---|
| E.1 | principal schema | controlled principal manifest; seed classes OPERATOR_MIGRATION, CODEX_REVIEWER, T2_HUMAN_REVIEWER, VERIFIER, BINDER | PASS (classes concrete; column DDL → B) |
| E.2 | allowed principal types | exact 5 seed classes | PASS |
| E.3 | reviewer identity binding | exact LOGIN session_user; no SET ROLE/proxy/shared role | PASS (PG-native identity, not string) |
| E.4 | evidence schema | controlled retrieval + hash + size; independent read-back; append-only | PASS (structure; column DDL → B) |
| E.5 | content hash binding | evidence content-hashed; signoff binds plan hash + scope hash + evidence hash | PASS |
| E.6 | valid_until | valid max 24h | PASS |
| E.7 | revoke/supersede | append-only revoke/supersede | PASS |
| E.8 | exact scope/tier/verdict/hash binding | binds exact target, plan hash, scope hash, tier/action IDs, reviewer/binder principals + evidence, epoch/times/hash | PASS |
| E.9 | self-sign block | self-signed rows fail; distinct principal classes; binder ≠ reviewer | PASS |
| E.10 | Directus cannot spoof | Directus rows fail; owner-only writable; LOGIN identity required | PASS (design) — LIVE-gated until cutover |
| E.11 | lifecycle create→approve→activate→supersede/revoke | append-only with revoke/supersede; bound to epoch/times | PASS |
Adversarial probes
- Can Directus INSERT a forged signoff? Live: yes, today (proven in the prior turn: Directus owns the signoff table and has INSERT/DELETE on it). The design closes this only at owner cutover (FIX7b). Until then readiness must stay BLOCKED, and it is (signoff_plan_binding=0). The design's anti-spoof model is sound; enforcement is operator-gated.
- Can a reviewer self-sign? No: reviewer and binder are distinct LOGIN principal classes; a self-signed row fails.
- Does adding a signoff invalidate the plan-content hash? No: plan_content_hash excludes signoffs; a signoff feeds control_state_hash instead (cross-ref doc 07). Correct (inherits the FIX6 fixed point).
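The identity-binding, self-sign and append-only properties checked in E.3, E.6, E.9 and E.10 above, sketched as PostgreSQL DDL. This is an added illustration, not the spec's pending column DDL (item B); every table, column, function and role name here is assumed.

```sql
-- Added illustrative sketch; NOT the spec's pending column DDL.
-- All table, column, function and role names are assumed.
CREATE TABLE principal_manifest (
  role_name name PRIMARY KEY,               -- a real PostgreSQL LOGIN role
  class     text NOT NULL CHECK (class IN ('OPERATOR_MIGRATION',
            'CODEX_REVIEWER','T2_HUMAN_REVIEWER','VERIFIER','BINDER'))
);

-- One row per lifecycle event; revoke/supersede are new rows, never UPDATEs.
CREATE TABLE signoff (
  id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  action        text NOT NULL CHECK (action IN ('APPROVE','BIND','SUPERSEDE','REVOKE')),
  refers_to     bigint REFERENCES signoff(id),   -- row being bound/superseded/revoked
  plan_hash     bytea NOT NULL,
  scope_hash    bytea NOT NULL,
  evidence_hash bytea NOT NULL,
  principal     name  NOT NULL DEFAULT session_user REFERENCES principal_manifest(role_name),
  valid_from    timestamptz NOT NULL DEFAULT now(),
  valid_until   timestamptz NOT NULL,
  CHECK (valid_until <= valid_from + interval '24 hours')   -- E.6: max 24h
);

CREATE FUNCTION signoff_guard() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE my_class text; ref_principal name;
BEGIN
  -- E.3: identity is the LOGIN session, not a client-supplied string and not SET ROLE.
  IF NEW.principal <> session_user OR current_user <> session_user THEN
    RAISE EXCEPTION 'signoff principal must be the unproxied LOGIN identity';
  END IF;
  SELECT class INTO my_class FROM principal_manifest WHERE role_name = NEW.principal;
  IF NEW.action = 'BIND' AND my_class <> 'BINDER' THEN
    RAISE EXCEPTION 'only the BINDER class may bind';
  ELSIF NEW.action = 'APPROVE' AND my_class NOT IN ('CODEX_REVIEWER','T2_HUMAN_REVIEWER') THEN
    RAISE EXCEPTION 'only reviewer classes may approve';
  END IF;
  -- E.9: a binder may only bind a distinct reviewer's APPROVE row (self-sign block).
  IF NEW.action = 'BIND' THEN
    SELECT principal INTO ref_principal FROM signoff WHERE id = NEW.refers_to AND action = 'APPROVE';
    IF ref_principal IS NULL OR ref_principal = NEW.principal THEN
      RAISE EXCEPTION 'binder must bind a distinct reviewer''s APPROVE row';
    END IF;
  END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER signoff_guard BEFORE INSERT ON signoff
  FOR EACH ROW EXECUTE FUNCTION signoff_guard();

-- E.4/E.10: append-only for principals; the application (Directus) is granted nothing.
REVOKE ALL ON signoff FROM PUBLIC;
GRANT SELECT, INSERT ON signoff TO t2_human_reviewer, codex_reviewer, binder;  -- assumed role names
```

The table owner must be a role the application cannot reach, since an owner can bypass the trigger; that is the owner-cutover condition E.10 gates on.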
Verdict: SIGNOFF_SPEC_COMPLETE (lifecycle)
The principal/evidence/signoff lifecycle and anti-spoof model are complete and correct, and notably close the prior-round gap (expiry/supersede/revoke are now explicit; principals are LOGIN identities, not strings). Only the exact column DDL pends publication (B). No spoofable signoff exists in the design.