03 Rule Governance Audit

Verdict RULE_GOVERNANCE_FAIL. Any nonblank approved_by/provenance passes; no trusted authority registry/FK/version lifecycle/write restriction. Invalid GRANT blocks, but invalid BLOCK governance returns NOT_PARTICIPATING_GOVERNANCE and is ignored by machine tier, allowing fail-open tier promotion. Directus retains full DML. Negative tests do not test invalid BLOCK through machine tier.