v1.15.0 (June 2, 2026)

**Enterprise auto-learning governance + signed audit export (`plan-2026-06-01-enterprise-governance-audit-export`)**.

Generalizes the Phase-3 per-rule two-operator review into an org-level governance policy enforced at the server promotion chokepoint + role-aware RLS, and adds a cryptographically signed compliance export.

Enterprise orgs (`plan='cloud_enterprise'`) can now set a promotion policy that `promoted_rule_upsert` enforces before any promotion applies: minimum promoter role (rank-compared, never lexicographic), N-of-M distinct-approver requirement, allowed destinations, and a tighten-only hardened-review flag. A promotion below threshold is held pending and excluded from every seat's pull cursor until enough distinct operators (each other than the promoter) approve it.

The new signed audit export streams the org's full governance history (policy, approvals, promotions, revocations) as a single Ed25519-signed FLAT envelope, verifiable offline against the bundled public key. Records are carried as a `records_json` STRING so the signature covers every record, leaving no nested-array forgery hole. The audit-export edge function is the SOLE signer (single-signer, CR-46) for both the programmatic `ms_live_` path (admin-scoped) and the dashboard path (which calls it server-side via a service-role bearer and holds no key).

This is a backwards-compatible additive feature and therefore a minor release per semver: off the Enterprise path, behavior is unchanged (`approval_state` defaults to `applied`).
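The promotion gate described above, sketched as an added example that is not Massu's own code: it shows rank-based role comparison and N distinct approvers with the promoter excluded. The role ladder, type and field names, and the `denied` outcome are assumptions made for illustration.

```typescript
// Added illustration only. The role ladder, field names and the "denied"
// outcome are assumptions; the page names only pending and applied states.
type Role = "viewer" | "member" | "admin" | "owner";
const ROLE_LADDER: Role[] = ["viewer", "member", "admin", "owner"];

interface PromotionPolicy {
  minPromoterRole: Role;
  requiredApprovals: number; // N distinct approvers required
  allowedDestinations: string[];
}
interface Promotion {
  promoterId: string;
  promoterRole: Role;
  destination: string;
}
type GateState = "applied" | "pending" | "denied";

// Rank is the position on the ladder. Comparing the role strings themselves
// would order them admin < member < owner < viewer, putting viewer on top.
function rankOf(role: Role): number {
  return ROLE_LADDER.indexOf(role);
}

function evaluatePromotion(policy: PromotionPolicy, p: Promotion, approverIds: string[]): GateState {
  if (rankOf(p.promoterRole) < rankOf(policy.minPromoterRole)) return "denied";
  if (policy.allowedDestinations.indexOf(p.destination) === -1) return "denied";
  // Count each approver once and never count the promoter.
  const distinct = approverIds.filter(
    (id, i, all) => id !== p.promoterId && all.indexOf(id) === i
  );
  return distinct.length >= policy.requiredApprovals ? "applied" : "pending";
}

// Constructed sample data.
const samplePolicy: PromotionPolicy = {
  minPromoterRole: "admin",
  requiredApprovals: 2,
  allowedDestinations: ["org"],
};
const samplePromotion: Promotion = { promoterId: "u1", promoterRole: "admin", destination: "org" };

console.log(evaluatePromotion(samplePolicy, samplePromotion, ["u1", "u2", "u2"])); // pending
console.log(evaluatePromotion(samplePolicy, samplePromotion, ["u2", "u3"])); // applied
```

A self-approval and a repeated approval each add nothing to the count, so the first call stays pending with only one qualifying approver.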

Added

  • packages/core/src/security/governance-export-verifier.ts — Ed25519 verifier for the signed /audit-export envelope; a one-line wrapper over the consolidated verifyEd25519SignedEnvelope core (third signed-envelope artifact, no copy-pasted crypto), NO transition mode. Bundled pubkey via scripts/bundle-audit-export-pubkey.mjs (+ generate-audit-export-keypair.mjs), wired into prepublishOnly.
  • packages/core/src/rule-candidate-hardened.ts: validateGovernanceGate(policy, approvals) (generalized N-of-M gate) + roleRank() ladder; validateHardenedApplyGate now delegates as the N=2 special case (CR-10: symbol + refs + exact messages preserved).
  • packages/core/src/auto-learning-entitlement.ts: ENTERPRISE_GOVERNANCE_MIN_TIER + entitledForEnterpriseGovernance (reuses the existing tierLevel + PLAN_TO_TIER_MAP; no parallel tier scheme).
  • /massu-rule approvals subcommand — surfaces the org policy + pending N-of-M approval state.
  • pattern-scanner Check 37 + governance-gate-invariant.test.ts — the client-gate ↔ server-RPC ↔ RLS drift-guard (vitest ↔ scanner parity).
  • Website (massu_prod + massu.ai): migration 049 (org_promotion_policy + promotion_approvals ledger + promoted_rules.approval_state + the promoted_rule_upsert governance branch + promotion_approval_record/promotion_policy_reconcile RPCs + role-aware RLS + widened activity_feed CHECK), the audit-export Enterprise-gated Ed25519-signing edge function (CR-58 verify_jwt=false), and the /dashboard/governance admin page (policy editor + approvals + signed-export download).

Changed

  • promoted_rule_upsert re-defined (CREATE OR REPLACE of the 045 body + governance branch); /sync recognizes the new pending_approval status; /promoted-rules excludes approval_state='pending' rows from the differential-pull cursor.
