04 — Complete Plan Fingerprint v2

Function

fn_qt001_plan_fingerprint_v2() returns a content-addressed composite over every relevant control input. Components: scope_hash (all 74 snapshot rows: collection|delta|unresolvable|collision|divergence|strategy), scope_count, rules_hash (every governed registry_v2 rule incl version/approval/active/superseded), engine_hash (pg_get_functiondef of eval_predicate_v2 + eval_rule_core + machine_tier_v2), signal_hash (collection_signals_v2 def), signoff_hash (reviews + bindings), trigger_fingerprint (md5 of fn_birth_registry_auto + tga count), gateway_integrity, watermark_hash (per-collection src_rows), blocker_hash (hardcode inventory), engine_version. composite = md5 of all components.

Content-addressed plan id

fn_qt001_build_plan_registry now sets source_metadata_hash = composite and plan_id = PLAN-<first12 of composite> (no timestamp). The registry holds the FULL 74-row scope (not just the 13 positive-delta rows). Committed plan: PLAN-9bac30375765, version 3, 74 rows.

Sensitivity proof

fn_qt001_fp_compose replicates the composite formula. v_qt001_plan_fingerprint_negative_tests perturbs each component (append 'X' / +1) and asserts the composite changes; baseline_formula_matches asserts fp_compose(real components)=composite. All 11 cases sensitive=true. v_qt001_plan_fingerprint_guard: fingerprint_scope_count=74 = snapshot_rows=74, all_components_sensitive=true, pass=true.

Live confirmation of drift sensitivity

The rehearsal and the committed apply produced DIFFERENT composites (c7b9228... vs 9bac3037...) because live source row counts drifted between runs — the watermark_hash and scope_hash changed accordingly. A stale plan can no longer masquerade as current: any change to scope, rules, engine, signal, signoff, trigger, gateway, watermark or blockers changes the plan id and hash.