RP-06 Same-Human Uniqueness Scope — Refinement
07 - SUPERTRACK G — RP-06 Same-Human Uniqueness Scope (REFINED_ADVISORY)
Refinement: slot-scoped uniqueness + manifest-driven separation, NOT a blanket constraint
A blanket UNIQUE(activation_id, human_identity_id) over-blocks: it forbids the same human from appearing in two NON-conflicting roles even when no separation rule requires them to differ. The correct control has two parts, both keyed to the RP-01 signoff_binding / quorum_vote instance tables.
Slot dimensions
A required slot is identified by: activation_id; quorum_profile_id; required_principal_class_id; slot_ordinal (1..required_count). Optionally signoff_scope (target/tier/action) for signoff slots.
Recommended constraints/rules
- One occupant per defined slot: UNIQUE(activation_id, quorum_profile_id, required_principal_class_id, slot_ordinal) on signoff_binding (and analogously on quorum_vote). This prevents double-filling a single slot without forbidding cross-role participation.
- Manifest-driven separation (the real same-human control): for every principal_separation_manifest(action_id, left_class_id, right_class_id, must_differ=true), enforce that NO single human_identity_id occupies both a left_class slot and a right_class slot within the same activation/action scope. Enforce PG-natively via either (a) a constraint trigger that consults principal_separation_manifest (manifest-driven, no hardcoded class pair), or (b) a readiness/seal check joining signoff_binding to principal_separation_manifest that fails closed on any shared human across a must_differ pair.
- Where separation is universal for required reviewer roles, a partial UNIQUE / EXCLUSION scoped to the separation-relevant class set MAY be added, but it must be derived from the separation manifest, not a fixed class list.
When same human may legitimately repeat
Only in roles NOT linked by any must_differ separation rule (e.g. a non-required observer alongside a required role). The separation manifest is the single source of truth for which roles must differ; the control must not over-block beyond it.
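One way to combine the slot UNIQUE with option (a), the manifest-driven constraint trigger, as an added PostgreSQL example that is not part of this document or the RP-01 DDL. The table shapes are assumed minimal versions; the action_id column on signoff_binding, the function and trigger names, the advisory lock and the sample rows are hypothetical.

```sql
-- Assumed minimal schemas; columns beyond those named on the page are hypothetical.
CREATE TABLE principal_separation_manifest (
    action_id text NOT NULL, left_class_id text NOT NULL, right_class_id text NOT NULL,
    must_differ boolean NOT NULL DEFAULT true,
    PRIMARY KEY (action_id, left_class_id, right_class_id));
CREATE TABLE signoff_binding (
    activation_id bigint NOT NULL, quorum_profile_id bigint NOT NULL,
    required_principal_class_id text NOT NULL,
    slot_ordinal int NOT NULL CHECK (slot_ordinal >= 1),
    action_id text NOT NULL,           -- assumed: the action part of signoff_scope
    human_identity_id bigint NOT NULL,
    -- one occupant per defined slot
    UNIQUE (activation_id, quorum_profile_id, required_principal_class_id, slot_ordinal));

CREATE FUNCTION enforce_principal_separation() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- Added assumption: serialize writers per activation (effective under READ COMMITTED).
    PERFORM pg_advisory_xact_lock(NEW.activation_id);
    IF EXISTS (
        SELECT 1
        FROM signoff_binding o
        JOIN principal_separation_manifest m   -- class pairs come from data, never from code
          ON m.must_differ AND m.action_id = NEW.action_id
         AND ((m.left_class_id = NEW.required_principal_class_id
               AND m.right_class_id = o.required_principal_class_id)
           OR (m.right_class_id = NEW.required_principal_class_id
               AND m.left_class_id = o.required_principal_class_id))
        WHERE o.activation_id = NEW.activation_id
          AND o.action_id = NEW.action_id AND o.human_identity_id = NEW.human_identity_id
          AND (o.quorum_profile_id, o.required_principal_class_id, o.slot_ordinal)
              <> (NEW.quorum_profile_id, NEW.required_principal_class_id, NEW.slot_ordinal)
    ) THEN
        RAISE EXCEPTION 'human % occupies both sides of a must_differ pair in activation %',
            NEW.human_identity_id, NEW.activation_id USING ERRCODE = 'integrity_constraint_violation';
    END IF;
    RETURN NULL;  -- the return value of an AFTER row trigger is ignored
END $$;

CREATE CONSTRAINT TRIGGER signoff_binding_separation
    AFTER INSERT OR UPDATE ON signoff_binding
    FOR EACH ROW EXECUTE FUNCTION enforce_principal_separation();

-- Constructed rows, one per case in the verification list (run each as its own statement).
INSERT INTO principal_separation_manifest VALUES ('seal', 'author', 'reviewer', true);
INSERT INTO signoff_binding VALUES (1, 1, 'author',   1, 'seal', 100);  -- first occupant
INSERT INTO signoff_binding VALUES (1, 1, 'observer', 1, 'seal', 100);  -- same human, no must_differ rule
INSERT INTO signoff_binding VALUES (1, 1, 'reviewer', 1, 'seal', 100);  -- same human, must_differ pair
INSERT INTO signoff_binding VALUES (1, 1, 'author',   1, 'seal', 200);  -- second occupant for one slot
```

The trigger evaluates only the row being written, so a must_differ row added to the manifest after bindings exist is not re-checked against them; the readiness/seal check in option (b) covers that case.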
Cross-impact (required fields)
- Affected docs: 10 (CP-09), and the RP-01 signoff_binding/quorum_vote DDL.
- Affected contracts/tables/manifests: signoff_binding, quorum_vote (RP-01); principal_separation_manifest #08; quorum_requirement_manifest #19; principal_class_manifest #06; principal_registry; human_identity_registry.
- Affected hashes: H04 signoff_binding (binds reviewer/binder human identities) — uniqueness/separation outcome is reflected in the bound identities.
- Affected readiness gates: SIGNOFF_AUTHENTIC; the activation quorum evaluation (feeds H07).
- Affected bypass vectors: same-human-fills-two-required-slots is a separation bypass; manifest-driven enforcement closes it without over-blocking.
- Affected rollback path: none new.
- Affected Directus/read path: none.
- Affected PG-native enforcement: slot UNIQUE + manifest-driven separation (trigger/seal-check joining principal_separation_manifest) — no hardcoded class pairs.
- Affected no-hardcode proof: separation policy stays data (must_differ rows), not a hardcoded constraint.
- Verification after Codex edits: same human in two must_differ slots → blocked; same human in two non-separated roles → allowed; double-filling one slot → UNIQUE violation.
Dependency / status
Depends on RP-01 (defines signoff_binding/quorum_vote). Remains ADVISORY: it does not independently block, but should land in the same Codex pass as RP-01 since it constrains those tables.