05 - Plan Fingerprint Audit

Verdict: PLAN_FINGERPRINT_FAIL.

Rules hash omits approved_by, authority_lock, provenance, rule_checksum. Signoff hash omits binding plan_id, plan_version, evidence_path, bound_by, valid_until and review checksum/scope/evidence/expiry/identity. Trigger fingerprint is only fn_birth_registry_auto plus alert count. Gateway is only bool_and(all_ok). Watermark is current collection=src_rows, not immutable source fingerprint.

Read-only proof: live/current-formula rules hash=0fbcb7719cdce0ade1a9573e6b44998f; governance-complete hash=807fa91c9a1093adb2a125844b35e7c2; governance_fields_covered=false.

Negative tests append X to already-computed component hashes; they do not recompute source changes and cannot detect omitted fields.