@gitgov/core 1.6.3 → 1.7.0

package/dist/src/index.js

@@ -6,8 +6,10 @@ import * as yaml from 'js-yaml';
 import { generateKeyPair, createHash, sign, verify } from 'crypto';
 import { promisify } from 'util';
 import * as pathUtils from 'path';
+import { join, basename, dirname } from 'path';
 import { createRequire } from 'module';
 import { fileURLToPath } from 'url';
+import { readdir } from 'fs/promises';
 import { EventEmitter } from 'events';
 
 var __defProp = Object.defineProperty;
@@ -2706,7 +2708,7 @@ async function verifySignatures(record, getActorPublicKey) {
   for (const signature of record.header.signatures) {
     const publicKeyBase64 = await getActorPublicKey(signature.keyId);
     if (!publicKeyBase64) {
-      logger2.warn(`Public key not found for actor: ${signature.keyId}`);
+      logger2.debug(`Public key not found for actor: ${signature.keyId}`);
       return false;
     }
     const digest = `${record.header.payloadChecksum}:${signature.keyId}:${signature.role}:${signature.notes}:${signature.timestamp}`;
@@ -2788,51 +2790,6 @@ async function validateFullEmbeddedMetadataRecord(record, getActorPublicKey) {
     throw new SignatureVerificationError();
   }
 }
-function validateEmbeddedMetadataBusinessRules(data) {
-  const errors = [];
-  if (data.header.type === "custom") {
-    if (!data.header.schemaUrl) {
-      errors.push({
-        field: "header.schemaUrl",
-        message: 'schemaUrl is required when header.type is "custom"',
-        value: data.header.schemaUrl
-      });
-    }
-    if (!data.header.schemaChecksum) {
-      errors.push({
-        field: "header.schemaChecksum",
-        message: 'schemaChecksum is required when header.type is "custom"',
-        value: data.header.schemaChecksum
-      });
-    }
-  }
-  const sha256Pattern = /^[a-fA-F0-9]{64}$/;
-  if (!sha256Pattern.test(data.header.payloadChecksum)) {
-    errors.push({
-      field: "header.payloadChecksum",
-      message: "payloadChecksum must be a valid SHA-256 hash (64 hex characters)",
-      value: data.header.payloadChecksum
-    });
-  }
-  if (data.header.schemaChecksum && !sha256Pattern.test(data.header.schemaChecksum)) {
-    errors.push({
-      field: "header.schemaChecksum",
-      message: "schemaChecksum must be a valid SHA-256 hash (64 hex characters)",
-      value: data.header.schemaChecksum
-    });
-  }
-  if (!data.header.signatures || data.header.signatures.length === 0) {
-    errors.push({
-      field: "header.signatures",
-      message: "At least one signature is required",
-      value: data.header.signatures
-    });
-  }
-  return {
-    isValid: errors.length === 0,
-    errors
-  };
-}
 
 // src/validation/task_validator.ts
 function validateTaskRecordSchema(data) {
@@ -2899,7 +2856,7 @@ function generateFeedbackId(title, timestamp) {
 }
 
 // src/factories/task_factory.ts
-async function createTaskRecord(payload) {
+function createTaskRecord(payload) {
   const timestamp = Math.floor(Date.now() / 1e3);
   const task = {
     id: payload.id || generateTaskId(payload.title || "", timestamp),
@@ -2919,6 +2876,18 @@ async function createTaskRecord(payload) {
   }
   return task;
 }
+function loadTaskRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (TaskRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateTaskRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("TaskRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 
 // src/validation/cycle_validator.ts
 var cycleSchema = Schemas.CycleRecord;
@@ -2957,7 +2926,7 @@ async function validateFullCycleRecord(record, getActorPublicKey) {
 }
 
 // src/factories/cycle_factory.ts
-async function createCycleRecord(payload) {
+function createCycleRecord(payload) {
   const timestamp = Math.floor(Date.now() / 1e3);
   const cycle = {
     id: payload.id || generateCycleId(payload.title || "", timestamp),
@@ -2976,6 +2945,18 @@ async function createCycleRecord(payload) {
   }
   return cycle;
 }
+function loadCycleRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (CycleRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateCycleRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("CycleRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 
 // src/store/index.ts
 var store_exports = {};
@@ -3159,7 +3140,9 @@ var RecordStore = class {
   recordType;
   recordsDir;
   fs;
-  constructor(recordType, rootPath, fsDeps = promises) {
+  loader;
+  constructor(recordType, loader, rootPath, fsDeps = promises) {
+    this.loader = loader;
     const foundRoot = rootPath || ConfigManager.findProjectRoot();
     if (!foundRoot) {
       throw new Error("Could not find project root. RecordStore requires a valid project root.");
@@ -3185,9 +3168,14 @@ var RecordStore = class {
     const filePath = this.getRecordPath(recordId);
     try {
       const content = await this.fs.readFile(filePath, "utf-8");
-      const record = JSON.parse(content);
-      return record;
+      const raw = JSON.parse(content);
+      const validatedRecord = this.loader(raw);
+      return validatedRecord;
     } catch (e) {
+      if (e instanceof DetailedValidationError) {
+        console.warn(`\u26A0\uFE0F  Invalid ${this.recordType} record ${recordId}:`, e.message);
+        return null;
+      }
       const error = e;
       if (error.code === "ENOENT") {
         return null;
@@ -3272,7 +3260,7 @@ async function validateFullActorRecord(record, getActorPublicKey) {
 }
 
 // src/factories/actor_factory.ts
-async function createActorRecord(payload) {
+function createActorRecord(payload) {
   const actor = {
     id: payload.id || generateActorId(payload.type || "human", payload.displayName || ""),
     type: payload.type || "human",
@@ -3288,6 +3276,18 @@ async function createActorRecord(payload) {
   }
   return actor;
 }
+function loadActorRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (ActorRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateActorRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("ActorRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 
 // src/validation/agent_validator.ts
 function validateAgentRecordSchema(data) {
@@ -3343,7 +3343,7 @@ async function validateAgentActorRelationship(agentRecord, getEffectiveActor) {
 }
 
 // src/factories/agent_factory.ts
-async function createAgentRecord(payload) {
+function createAgentRecord(payload) {
   const agent = {
     id: payload.id || "",
     engine: payload.engine || { type: "local" },
@@ -3359,8 +3359,18 @@ async function createAgentRecord(payload) {
   }
   return agent;
 }
-
-// src/adapters/identity_adapter/index.ts
+function loadAgentRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (AgentRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateAgentRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("AgentRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 var IdentityAdapter = class {
   actorStore;
   agentStore;
@@ -3396,9 +3406,9 @@ var IdentityAdapter = class {
       status: payload.status || "active",
       ...payload
     };
-    const validatedPayload = await createActorRecord(completePayload);
+    const validatedPayload = createActorRecord(completePayload);
     const payloadChecksum = calculatePayloadChecksum(validatedPayload);
-    const signature = await signPayload(validatedPayload, privateKey, actorId, "author", "Actor registration");
+    const signature = signPayload(validatedPayload, privateKey, actorId, "author", "Actor registration");
     const record = {
       header: {
         version: "1.0",
@@ -3416,6 +3426,18 @@ var IdentityAdapter = class {
       return signerActor?.publicKey || null;
     });
     await this.actorStore.write(record);
+    try {
+      const projectRoot2 = ConfigManager.findProjectRoot();
+      if (projectRoot2) {
+        const actorsDir = pathUtils.join(projectRoot2, ".gitgov", "actors");
+        await promises.mkdir(actorsDir, { recursive: true });
+        const keyPath = pathUtils.join(actorsDir, `${actorId}.key`);
+        await promises.writeFile(keyPath, privateKey, "utf-8");
+        await promises.chmod(keyPath, 384);
+      }
+    } catch (error) {
+      console.warn(`\u26A0\uFE0F  Could not persist private key for ${actorId}: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
     if (this.eventBus) {
       const allActorIds = await this.actorStore.list();
       const isBootstrap = allActorIds.length === 1;
@@ -3433,7 +3455,6 @@ var IdentityAdapter = class {
       };
       this.eventBus.publish(event);
     }
-    console.warn(`Private key for ${actorId}: ${privateKey} (STORE SECURELY)`);
     return validatedPayload;
   }
   async getActor(actorId) {
@@ -3457,19 +3478,46 @@ var IdentityAdapter = class {
       throw new Error(`Actor not found: ${actorId}`);
     }
     const payloadChecksum = calculatePayloadChecksum(record.payload);
-    const mockSignature = {
-      keyId: actorId,
-      role,
-      notes: "Record signed",
-      signature: `mock-signature-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`,
-      timestamp: Math.floor(Date.now() / 1e3)
-    };
+    let privateKey = null;
+    try {
+      const projectRoot2 = ConfigManager.findProjectRoot();
+      if (projectRoot2) {
+        const keyPath = pathUtils.join(projectRoot2, ".gitgov", "actors", `${actorId}.key`);
+        const keyContent = await promises.readFile(keyPath, "utf-8");
+        privateKey = keyContent.trim();
+      }
+    } catch (error) {
+      console.warn(`\u26A0\uFE0F  Private key not found for ${actorId}, using mock signature`);
+    }
+    let signature;
+    if (privateKey) {
+      signature = signPayload(record.payload, privateKey, actorId, role, "Record signed");
+    } else {
+      signature = {
+        keyId: actorId,
+        role,
+        notes: "Record signed",
+        signature: `mock-signature-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`,
+        timestamp: Math.floor(Date.now() / 1e3)
+      };
+    }
+    const existingSignatures = record.header.signatures || [];
+    const hasPlaceholder = existingSignatures.some((sig) => sig.signature === "placeholder");
+    let finalSignatures;
+    if (hasPlaceholder) {
+      const replaced = existingSignatures.map(
+        (sig) => sig.signature === "placeholder" ? signature : sig
+      );
+      finalSignatures = replaced.length > 0 ? replaced : [signature];
+    } else {
+      finalSignatures = [...existingSignatures, signature];
+    }
     const signedRecord = {
       ...record,
       header: {
         ...record.header,
         payloadChecksum,
-        signatures: [...record.header.signatures || [], mockSignature]
+        signatures: finalSignatures
       }
     };
     return signedRecord;
@@ -3524,8 +3572,100 @@ var IdentityAdapter = class {
     const currentActorId = await this.resolveCurrentActorId(agentId);
     return this.getActor(currentActorId);
   }
-  async rotateActorKey(_actorId) {
-    throw new Error("rotateActorKey not implemented yet - complex operation");
+  async rotateActorKey(actorId) {
+    const oldActor = await this.getActor(actorId);
+    if (!oldActor) {
+      throw new Error(`ActorRecord with id ${actorId} not found`);
+    }
+    if (oldActor.status === "revoked") {
+      throw new Error(`Cannot rotate key for revoked actor: ${actorId}`);
+    }
+    const { publicKey: newPublicKey, privateKey: newPrivateKey } = await generateKeys();
+    const baseId = generateActorId(oldActor.type, oldActor.displayName);
+    let newActorId;
+    const versionMatch = baseId.match(/^(.+)-v(\d+)$/);
+    if (versionMatch && versionMatch[1] && versionMatch[2]) {
+      const baseWithoutVersion = versionMatch[1];
+      const currentVersion = parseInt(versionMatch[2], 10);
+      newActorId = `${baseWithoutVersion}-v${currentVersion + 1}`;
+    } else {
+      newActorId = `${baseId}-v2`;
+    }
+    const newActorPayload = {
+      id: newActorId,
+      type: oldActor.type,
+      displayName: oldActor.displayName,
+      publicKey: newPublicKey,
+      roles: oldActor.roles,
+      status: "active"
+    };
+    const validatedNewPayload = createActorRecord(newActorPayload);
+    const payloadChecksum = calculatePayloadChecksum(validatedNewPayload);
+    const signature = signPayload(validatedNewPayload, newPrivateKey, newActorId, "author", "Key rotation");
+    const newRecord = {
+      header: {
+        version: "1.0",
+        type: "actor",
+        payloadChecksum,
+        signatures: [signature]
+      },
+      payload: validatedNewPayload
+    };
+    await validateFullActorRecord(newRecord, async (keyId) => {
+      if (keyId === newActorId) {
+        return newPublicKey;
+      }
+      const signerActor = await this.getActor(keyId);
+      return signerActor?.publicKey || null;
+    });
+    await this.actorStore.write(newRecord);
+    const revokedOldActor = await this.revokeActor(
+      actorId,
+      "system",
+      "rotation",
+      newActorId
+      // Mark succession
+    );
+    try {
+      const configManager = new ConfigManager();
+      const session = await configManager.loadSession();
+      if (session) {
+        session.lastSession = {
+          actorId: newActorId,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        if (session.actorState && session.actorState[actorId]) {
+          const oldState = session.actorState[actorId];
+          session.actorState[newActorId] = {
+            ...oldState,
+            lastSync: (/* @__PURE__ */ new Date()).toISOString()
+          };
+        } else if (!session.actorState) {
+          session.actorState = {};
+        }
+        const projectRoot2 = ConfigManager.findProjectRoot() || process.cwd();
+        const sessionPath = pathUtils.join(projectRoot2, ".gitgov", ".session.json");
+        await promises.writeFile(sessionPath, JSON.stringify(session, null, 2), "utf-8");
+      }
+    } catch (error) {
+      console.warn(`\u26A0\uFE0F  Could not update session for ${newActorId}: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+    try {
+      const projectRoot2 = ConfigManager.findProjectRoot();
+      if (projectRoot2) {
+        const actorsDir = pathUtils.join(projectRoot2, ".gitgov", "actors");
+        await promises.mkdir(actorsDir, { recursive: true });
+        const keyPath = pathUtils.join(actorsDir, `${newActorId}.key`);
+        await promises.writeFile(keyPath, newPrivateKey, "utf-8");
+        await promises.chmod(keyPath, 384);
+      }
+    } catch (error) {
+      console.warn(`\u26A0\uFE0F  Could not persist private key for ${newActorId}: ${error instanceof Error ? error.message : "Unknown error"}`);
+    }
+    return {
+      oldActor: revokedOldActor,
+      newActor: validatedNewPayload
+    };
   }
   async revokeActor(actorId, revokedBy = "system", reason = "manual", supersededBy) {
     const existingRecord = await this.actorStore.read(actorId);
@@ -3589,9 +3729,26 @@ var IdentityAdapter = class {
       prompt_engine_requirements: payload.prompt_engine_requirements || {},
       ...payload
     };
-    const validatedPayload = await createAgentRecord(completePayload);
+    const validatedPayload = createAgentRecord(completePayload);
     const payloadChecksum = calculatePayloadChecksum(validatedPayload);
-    const signature = signPayload(validatedPayload, "placeholder-private-key", payload.id, "author", "Agent registration");
+    let privateKey;
+    try {
+      const projectRoot2 = ConfigManager.findProjectRoot();
+      if (!projectRoot2) {
+        throw new Error("Project root not found. Cannot locate private key.");
+      }
+      const keyPath = pathUtils.join(projectRoot2, ".gitgov", "actors", `${payload.id}.key`);
+      const keyContent = await promises.readFile(keyPath, "utf-8");
+      privateKey = keyContent.trim();
+      if (!privateKey) {
+        throw new Error(`Private key file is empty for ${payload.id}`);
+      }
+    } catch (error) {
+      throw new Error(
+        `Private key not found for actor ${payload.id}. AgentRecord requires a valid private key for cryptographic signing. If this is a legacy actor, you may need to regenerate the actor with 'gitgov actor new'. Original error: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+    const signature = signPayload(validatedPayload, privateKey, payload.id, "author", "Agent registration");
     const record = {
       header: {
         version: "1.0",
@@ -3689,7 +3846,7 @@ async function validateFullFeedbackRecord(record, getPublicKey) {
 }
 
 // src/factories/feedback_factory.ts
-async function createFeedbackRecord(payload) {
+function createFeedbackRecord(payload) {
   const timestamp = Math.floor(Date.now() / 1e3);
   const feedback = {
     id: payload.id || generateFeedbackId(payload.content || "feedback", timestamp),
@@ -3708,6 +3865,18 @@ async function createFeedbackRecord(payload) {
   }
   return feedback;
 }
+function loadFeedbackRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (FeedbackRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateFeedbackRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("FeedbackRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 
 // src/adapters/feedback_adapter/index.ts
 var FeedbackAdapter = class {
@@ -3758,7 +3927,7 @@ var FeedbackAdapter = class {
       // Allows payload.status to override default
     };
     try {
-      const validatedPayload = await createFeedbackRecord(enrichedPayload);
+      const validatedPayload = createFeedbackRecord(enrichedPayload);
       const unsignedRecord = {
         header: {
           version: "1.0",
@@ -3966,7 +4135,7 @@ async function validateFullExecutionRecord(record, getPublicKey) {
 }
 
 // src/factories/execution_factory.ts
-async function createExecutionRecord(payload) {
+function createExecutionRecord(payload) {
   const timestamp = Math.floor(Date.now() / 1e3);
   const execution = {
     id: payload.id || generateExecutionId(payload.title || "execution", timestamp),
@@ -3984,6 +4153,18 @@ async function createExecutionRecord(payload) {
   }
   return execution;
 }
+function loadExecutionRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (ExecutionRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateExecutionRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("ExecutionRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 
 // src/adapters/execution_adapter/index.ts
 var ExecutionAdapter = class {
@@ -4013,7 +4194,7 @@ var ExecutionAdapter = class {
       }
     }
     try {
-      const validatedPayload = await createExecutionRecord(payload);
+      const validatedPayload = createExecutionRecord(payload);
       const unsignedRecord = {
         header: {
           version: "1.0",
@@ -4155,7 +4336,7 @@ async function validateFullChangelogRecord(record, getPublicKey) {
 }
 
 // src/factories/changelog_factory.ts
-async function createChangelogRecord(payload) {
+function createChangelogRecord(payload) {
   const timestamp = Math.floor(Date.now() / 1e3);
   const changelog = {
     // Required fields
@@ -4179,6 +4360,18 @@ async function createChangelogRecord(payload) {
   }
   return changelog;
 }
+function loadChangelogRecord(data) {
+  const embeddedValidation = validateEmbeddedMetadataDetailed(data);
+  if (!embeddedValidation.isValid) {
+    throw new DetailedValidationError("GitGovRecord (ChangelogRecord)", embeddedValidation.errors);
+  }
+  const record = data;
+  const payloadValidation = validateChangelogRecordDetailed(record.payload);
+  if (!payloadValidation.isValid) {
+    throw new DetailedValidationError("ChangelogRecord payload", payloadValidation.errors);
+  }
+  return record;
+}
 
 // src/adapters/changelog_adapter/index.ts
 var ChangelogAdapter = class {
@@ -4233,7 +4426,7 @@ var ChangelogAdapter = class {
       if (!payload.id) {
         payload.id = generateChangelogId(payload.title, timestamp);
       }
-      const validatedPayload = await createChangelogRecord(payload);
+      const validatedPayload = createChangelogRecord(payload);
       const unsignedRecord = {
         header: {
           version: "1.0",
@@ -4927,7 +5120,7 @@ var BacklogAdapter = class {
    * Creates a new task with workflow validation
    */
   async createTask(payload, actorId) {
-    const validatedPayload = await createTaskRecord(payload);
+    const validatedPayload = createTaskRecord(payload);
     const unsignedRecord = {
       header: {
         version: "1.0",
@@ -5344,7 +5537,7 @@ ${task.status === "review" ? "[REJECTED]" : "[CANCELLED]"} ${reason} (${(/* @__P
     if (["archived"].includes(taskRecord.payload.status)) {
       throw new Error(`ProtocolViolationError: Cannot update task in final state: ${taskRecord.payload.status}`);
     }
-    const updatedPayload = await createTaskRecord({ ...taskRecord.payload, ...payload });
+    const updatedPayload = createTaskRecord({ ...taskRecord.payload, ...payload });
     const updatedRecord = { ...taskRecord, payload: updatedPayload };
     await this.taskStore.write(updatedRecord);
     return updatedPayload;
@@ -5641,7 +5834,7 @@ ${task.status === "review" ? "[REJECTED]" : "[CANCELLED]"} ${reason} (${(/* @__P
    * Creates a new cycle with workflow validation
    */
   async createCycle(payload, actorId) {
-    const validatedPayload = await createCycleRecord(payload);
+    const validatedPayload = createCycleRecord(payload);
     const unsignedRecord = {
       header: {
         version: "1.0",
@@ -5707,7 +5900,7 @@ ${task.status === "review" ? "[REJECTED]" : "[CANCELLED]"} ${reason} (${(/* @__P
     if (["archived"].includes(cycleRecord.payload.status)) {
       throw new Error(`ProtocolViolationError: Cannot update cycle in final state: ${cycleRecord.payload.status}`);
     }
-    const updatedPayload = await createCycleRecord({ ...cycleRecord.payload, ...payload });
+    const updatedPayload = createCycleRecord({ ...cycleRecord.payload, ...payload });
     const updatedRecord = { ...cycleRecord, payload: updatedPayload };
     if (cycleRecord.payload.status !== updatedPayload.status) {
       this.eventBus.publish({
@@ -5930,6 +6123,44 @@ var indexer_adapter_exports = {};
 __export(indexer_adapter_exports, {
   FileIndexerAdapter: () => FileIndexerAdapter
 });
+
+// src/utils/signature_utils.ts
+function extractAuthor(record) {
+  const signatures = record.header.signatures;
+  if (!signatures || signatures.length === 0) {
+    return void 0;
+  }
+  const firstSignature = signatures[0];
+  return {
+    actorId: firstSignature.keyId,
+    timestamp: firstSignature.timestamp
+  };
+}
+function extractLastModifier(record) {
+  const signatures = record.header.signatures;
+  if (!signatures || signatures.length === 0) {
+    return void 0;
+  }
+  const lastSignature = signatures[signatures.length - 1];
+  if (!lastSignature) {
+    return void 0;
+  }
+  return {
+    actorId: lastSignature.keyId,
+    timestamp: lastSignature.timestamp
+  };
+}
+
+// src/crypto/index.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  calculatePayloadChecksum: () => calculatePayloadChecksum,
+  generateKeys: () => generateKeys,
+  signPayload: () => signPayload,
+  verifySignatures: () => verifySignatures
+});
+
+// src/adapters/indexer_adapter/index.ts
 var FileIndexerAdapter = class {
   metricsAdapter;
   taskStore;
@@ -5985,17 +6216,23 @@ var FileIndexerAdapter = class {
         actors
       };
       const activityHistory = await this.calculateActivityHistory(allRecords);
-      const enrichedTasks = [];
-      for (const task of tasks) {
-        const enrichedTask = await this.enrichTaskRecord(task, allRecords);
-        enrichedTasks.push(enrichedTask);
-      }
+      const derivedStates = await this.calculateDerivedStates(allRecords);
+      const derivedStateSets = {
+        stalledTasks: new Set(derivedStates.stalledTasks),
+        atRiskTasks: new Set(derivedStates.atRiskTasks),
+        needsClarificationTasks: new Set(derivedStates.needsClarificationTasks),
+        blockedByDependencyTasks: new Set(derivedStates.blockedByDependencyTasks)
+      };
+      const enrichedTasks = await Promise.all(
+        tasks.map((task) => this.enrichTaskRecord(task, allRecords, derivedStateSets))
+      );
+      const integrityReport = await this.validateIntegrity();
       const indexData = {
         metadata: {
           generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
           lastCommitHash: await this.getGitCommitHash(),
-          integrityStatus: "valid",
-          // TODO: Implement integrity check
+          integrityStatus: integrityReport.status,
+          // Populated from validateIntegrity() (EARS-4)
           recordCounts: {
             tasks: tasks.length,
             cycles: cycles.length,
@@ -6009,16 +6246,20 @@ var FileIndexerAdapter = class {
           // Will be set below
         },
         metrics: { ...systemStatus, ...productivityMetrics, ...collaborationMetrics },
+        derivedStates,
+        // System-wide derived states for analytics
         activityHistory,
-        // NUEVO
-        tasks: tasks.map((t) => t.payload),
-        // Extract payloads for IndexData
+        // Activity stream for dashboard
+        tasks,
+        // Keep full records with headers (source of truth)
         enrichedTasks,
-        // NUEVO - Tasks with activity metadata
-        cycles: cycles.map((c) => c.payload),
-        // Extract payloads for IndexData
-        actors: actors.map((a) => a.payload)
-        // Extract payloads for IndexData
+        // Tasks with intelligence layer
+        cycles,
+        // Keep full records with headers
+        actors,
+        // Keep full records with headers
+        feedback: allRecords.feedback
+        // Optional - Phase 1B+ raw feedback records
       };
       const writeStart = performance.now();
       await this.writeCacheFile(indexData);
@@ -6031,6 +6272,8 @@ var FileIndexerAdapter = class {
         recordsProcessed: tasks.length + cycles.length + actors.length,
         metricsCalculated: 3,
         // systemStatus + productivity + collaboration
+        derivedStatesApplied: Object.values(derivedStates).reduce((sum, arr) => sum + arr.length, 0),
+        // Total tasks with derived states
         generationTime: totalTime,
         cacheSize,
         cacheStrategy: this.cacheStrategy,
@@ -6042,6 +6285,7 @@ var FileIndexerAdapter = class {
         success: false,
         recordsProcessed: 0,
         metricsCalculated: 0,
+        derivedStatesApplied: 0,
         generationTime: performance.now() - startTime,
         cacheSize: 0,
         cacheStrategy: this.cacheStrategy,
@@ -6052,6 +6296,7 @@ var FileIndexerAdapter = class {
   }
   /**
    * [EARS-2] Gets data from local cache for fast CLI queries
+   * [EARS-13] Returns null and logs warning if cache is corrupted
    */
   async getIndexData() {
     try {
@@ -6067,18 +6312,29 @@ var FileIndexerAdapter = class {
       const indexData = JSON.parse(cacheContent);
       return indexData;
     } catch (error) {
-      console.warn(`Cache read error: ${error instanceof Error ? error.message : String(error)}`);
+      console.warn(`Warning: Cache is corrupted or invalid. Please regenerate with 'gitgov index'.`);
+      console.warn(`Details: ${error instanceof Error ? error.message : String(error)}`);
       return null;
     }
   }
   /**
-   * [EARS-4] Validates integrity of Records without regenerating cache
+   * [EARS-4, EARS-70 to EARS-76] Validates integrity of Records without regenerating cache
+   * 
+   * PHASE 1A (IMPLEMENTED): Basic schema validation (required fields)
+   * PHASE 1B (IMPLEMENTED): Cryptographic validation (checksums + signatures)
+   * TODO FUTURE:
+   * - Integrate ValidatorModule for comprehensive schema validation
+   * - Compare cache consistency with Records
+   * - Detect broken references between records
+   * - Validate timestamp consistency
    */
   async validateIntegrity() {
     const startTime = performance.now();
     const errors = [];
     const warnings = [];
     let recordsScanned = 0;
+    let checksumFailures = 0;
+    let signatureFailures = 0;
     try {
       const [tasks, cycles] = await Promise.all([
         this.readAllTasks(),
@@ -6103,6 +6359,57 @@ var FileIndexerAdapter = class {
           });
         }
       }
+      for (const task of tasks) {
+        const calculatedChecksum = calculatePayloadChecksum(task.payload);
+        if (calculatedChecksum !== task.header.payloadChecksum) {
+          checksumFailures++;
+          errors.push({
+            type: "checksum_failure",
+            recordId: task.payload.id,
+            message: `Checksum mismatch: expected ${task.header.payloadChecksum}, got ${calculatedChecksum}`
+          });
+        }
+      }
+      for (const cycle of cycles) {
+        const calculatedChecksum = calculatePayloadChecksum(cycle.payload);
+        if (calculatedChecksum !== cycle.header.payloadChecksum) {
+          checksumFailures++;
+          errors.push({
+            type: "checksum_failure",
+            recordId: cycle.payload.id,
+            message: `Checksum mismatch: expected ${cycle.header.payloadChecksum}, got ${calculatedChecksum}`
+          });
+        }
+      }
+      const getActorPublicKey = async (keyId) => {
+        if (!this.actorStore) {
+          return null;
+        }
+        const actor = await this.actorStore.read(keyId);
+        return actor?.payload.publicKey || null;
+      };
+      for (const task of tasks) {
+        const isValid = await verifySignatures(task, getActorPublicKey);
+        if (!isValid) {
+          signatureFailures++;
+          errors.push({
+            type: "signature_invalid",
+            recordId: task.payload.id,
+            message: "One or more signatures failed verification"
+          });
+        }
+      }
+      for (const cycle of cycles) {
+        const isValid = await verifySignatures(cycle, getActorPublicKey);
+        if (!isValid) {
+          signatureFailures++;
+          errors.push({
+            type: "signature_invalid",
+            recordId: cycle.payload.id,
+            message: "One or more signatures failed verification"
+          });
+        }
+      }
       const status = errors.length > 0 ? "errors" : warnings.length > 0 ? "warnings" : "valid";
       return {
         status,
@@ -6110,10 +6417,8 @@ var FileIndexerAdapter = class {
         errorsFound: errors,
         warningsFound: warnings,
         validationTime: performance.now() - startTime,
-        checksumFailures: 0,
-        // TODO: Implement checksum validation
-        signatureFailures: 0
-        // TODO: Implement signature validation
+        checksumFailures,
+        signatureFailures
       };
     } catch (error) {
       return {
@@ -6126,8 +6431,8 @@ var FileIndexerAdapter = class {
         }],
         warningsFound: warnings,
         validationTime: performance.now() - startTime,
-        checksumFailures: 0,
-        signatureFailures: 0
+        checksumFailures,
+        signatureFailures
       };
     }
   }
@@ -6252,6 +6557,7 @@ var FileIndexerAdapter = class {
   }
   /**
    * Reads all changelogs from changelogStore (graceful degradation) with full metadata.
+   * Validates schema and filters out invalid records with warnings.
    */
   async readAllChangelogs() {
     if (!this.changelogStore) {
@@ -6269,12 +6575,61 @@ var FileIndexerAdapter = class {
   }
   /**
    * Writes cache data to file (Phase 1: JSON)
+   * 
+   * [EARS-14] Creates automatic backup of existing cache before writing.
+   * If write fails, backup can be restored to preserve previous cache state.
    */
   async writeCacheFile(indexData) {
     const cacheDir = pathUtils.dirname(this.cachePath);
     await promises.mkdir(cacheDir, { recursive: true });
-    const jsonContent = JSON.stringify(indexData, null, 2);
-    await promises.writeFile(this.cachePath, jsonContent, "utf-8");
+    await this.createCacheBackup();
+    try {
+      const jsonContent = JSON.stringify(indexData, null, 2);
+      await promises.writeFile(this.cachePath, jsonContent, "utf-8");
+      await this.deleteCacheBackup();
+    } catch (error) {
+      await this.restoreCacheFromBackup();
+      throw error;
+    }
+  }
+  /**
+   * [EARS-14] Creates a backup of the current cache file.
+   * If cache doesn't exist, this is a no-op (nothing to backup).
+   */
+  async createCacheBackup() {
+    const backupPath = `${this.cachePath}.backup`;
+    try {
+      const cacheExists = await this.cacheFileExists();
+      if (cacheExists) {
+        await promises.copyFile(this.cachePath, backupPath);
+      }
+    } catch (error) {
+      console.warn(`Warning: Could not create cache backup: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  /**
+   * [EARS-14] Restores cache from backup file.
+   * Used when cache write operation fails to preserve previous state.
+   */
+  async restoreCacheFromBackup() {
+    const backupPath = `${this.cachePath}.backup`;
+    try {
+      await promises.access(backupPath);
+      await promises.copyFile(backupPath, this.cachePath);
+      await promises.unlink(backupPath);
+    } catch (error) {
+      console.warn(`Warning: Could not restore cache from backup: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  /**
+   * [EARS-14] Deletes backup file after successful cache write.
+   */
+  async deleteCacheBackup() {
+    const backupPath = `${this.cachePath}.backup`;
+    try {
+      await promises.unlink(backupPath);
+    } catch {
+    }
   }
   /**
    * Checks if cache file exists
@@ -6308,6 +6663,79 @@ var FileIndexerAdapter = class {
       return "unknown";
     }
   }
+  /**
+   * [EARS-7 to EARS-10] Calculates system-wide derived states for analytics and filtering.
+   * 
+   * Applies DerivedDataProtocol algorithms to categorize tasks:
+   * - isStalled: Tasks en 'active' sin executions >7 días O en 'review' sin approval >3 días
+   * - isAtRisk: Tasks con prioridad 'critical' + 'paused' O 2+ blocking feedbacks
+   * - needsClarification: Tasks con feedback tipo 'question' abierto
+   * - isBlockedByDependency: Tasks con referencias a tasks no completadas
+   * 
+   * @see derived_data_protocol.md for detailed algorithms
+   * @see EARS-7, EARS-8, EARS-9, EARS-10 for requirements
+   */
+  async calculateDerivedStates(allRecords) {
+    const derivedStates = {
+      stalledTasks: [],
+      atRiskTasks: [],
+      needsClarificationTasks: [],
+      blockedByDependencyTasks: []
+    };
+    const now = Date.now();
+    const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1e3;
+    try {
+      for (const task of allRecords.tasks) {
+        const taskId = task.payload.id;
+        const taskPayload = task.payload;
+        if (taskPayload.status === "active" || taskPayload.status === "review") {
+          const taskTimestamp = this.getTimestampFromId(taskId) * 1e3;
+          const daysSinceCreation = (now - taskTimestamp) / (24 * 60 * 60 * 1e3);
+          const hasRecentExecution = allRecords.executions.some((exec) => {
+            if (exec.payload.taskId === taskId) {
+              const execTimestamp = this.getTimestampFromId(exec.payload.id) * 1e3;
+              return now - execTimestamp < SEVEN_DAYS_MS;
+            }
+            return false;
+          });
+          const isStalled = taskPayload.status === "active" && daysSinceCreation > 7 && !hasRecentExecution || taskPayload.status === "review" && daysSinceCreation > 3;
+          if (isStalled) {
+            derivedStates.stalledTasks.push(taskId);
+          }
+        }
+        const isCriticalPaused = taskPayload.priority === "critical" && taskPayload.status === "paused";
+        const blockingFeedbackCount = allRecords.feedback.filter((feedback) => {
+          return feedback.payload.type === "blocking" && feedback.payload.status === "open" && feedback.payload.entityId === taskId;
+        }).length;
+        if (isCriticalPaused || blockingFeedbackCount >= 2) {
+          derivedStates.atRiskTasks.push(taskId);
+        }
+        const hasOpenQuestion = allRecords.feedback.some((feedback) => {
+          return feedback.payload.type === "question" && feedback.payload.status === "open" && feedback.payload.entityId === taskId;
+        });
+        if (hasOpenQuestion) {
+          derivedStates.needsClarificationTasks.push(taskId);
+        }
+        if (taskPayload.references && taskPayload.references.length > 0) {
+          const hasBlockingDependency = taskPayload.references.some((ref) => {
+            if (ref.startsWith("task:")) {
+              const dependencyId = ref.replace("task:", "");
+              const dependencyTask = allRecords.tasks.find((t) => t.payload.id === dependencyId);
+              return dependencyTask && dependencyTask.payload.status !== "done" && dependencyTask.payload.status !== "archived";
+            }
+            return false;
+          });
+          if (hasBlockingDependency) {
+            derivedStates.blockedByDependencyTasks.push(taskId);
+          }
+        }
+      }
+      return derivedStates;
+    } catch (error) {
+      console.warn(`calculateDerivedStates error: ${error instanceof Error ? error.message : String(error)}`);
+      return derivedStates;
+    }
+  }
   /**
    * [EARS-19] Calculates activity history from Record timestamps for dashboard activity streams
    */
@@ -6417,10 +6845,11 @@ var FileIndexerAdapter = class {
   /**
    * [EARS-21] Calculate lastUpdated timestamp and activity type for a task
    * Considers task file modification time and related records timestamps
+   * @param taskPayload - Task payload (not full record with headers)
    */
-  async calculateLastUpdated(task, relatedRecords) {
+  async calculateLastUpdated(taskPayload, relatedRecords) {
     try {
-      let lastUpdated = this.getTimestampFromId(task.id) * 1e3;
+      let lastUpdated = this.getTimestampFromId(taskPayload.id) * 1e3;
       let lastActivityType = "task_created";
       let recentActivity = "Task created";
       try {
@@ -6428,10 +6857,10 @@ var FileIndexerAdapter = class {
         while (!fs.existsSync(pathUtils.join(projectRoot2, ".gitgov")) && projectRoot2 !== "/") {
           projectRoot2 = pathUtils.dirname(projectRoot2);
         }
-        const taskFilePath = pathUtils.join(projectRoot2, ".gitgov", "tasks", `${task.id}.json`);
+        const taskFilePath = pathUtils.join(projectRoot2, ".gitgov", "tasks", `${taskPayload.id}.json`);
         const stats = await promises.stat(taskFilePath);
         const fileModTime = stats.mtime.getTime();
-        const creationTime = this.getTimestampFromId(task.id) * 1e3;
+        const creationTime = this.getTimestampFromId(taskPayload.id) * 1e3;
         const timeDifference = fileModTime - creationTime;
         if (timeDifference > 6e4 && fileModTime > lastUpdated) {
           lastUpdated = fileModTime;
@@ -6441,7 +6870,7 @@ var FileIndexerAdapter = class {
       } catch (error) {
       }
       const relatedFeedback = relatedRecords.feedback.filter(
-        (f) => f.payload.entityId === task.id || f.payload.content.includes(task.id)
+        (f) => f.payload.entityId === taskPayload.id || f.payload.content && f.payload.content.includes(taskPayload.id)
       );
       for (const feedback of relatedFeedback) {
         const feedbackTime = this.getTimestampFromId(feedback.payload.id) * 1e3;
@@ -6451,7 +6880,7 @@ var FileIndexerAdapter = class {
           recentActivity = `${feedback.payload.type} feedback: ${feedback.payload.content.slice(0, 30)}...`;
         }
       }
-      const relatedExecutions = relatedRecords.executions.filter((e) => e.payload.taskId === task.id);
+      const relatedExecutions = relatedRecords.executions.filter((e) => e.payload.taskId === taskPayload.id);
       for (const execution of relatedExecutions) {
         const executionTime = this.getTimestampFromId(execution.payload.id) * 1e3;
         if (executionTime > lastUpdated) {
@@ -6461,7 +6890,7 @@ var FileIndexerAdapter = class {
         }
       }
       const relatedChangelogs = relatedRecords.changelogs.filter(
-        (c) => c.payload.relatedTasks.includes(task.id) || c.payload.description?.includes(task.id)
+        (c) => c.payload.relatedTasks && c.payload.relatedTasks.includes(taskPayload.id) || c.payload.description?.includes(taskPayload.id)
       );
       for (const changelog of relatedChangelogs) {
         const changelogTime = this.getTimestampFromId(changelog.payload.id) * 1e3;
@@ -6473,7 +6902,7 @@ var FileIndexerAdapter = class {
       }
       return { lastUpdated, lastActivityType, recentActivity };
     } catch (error) {
-      const fallbackTime = this.getTimestampFromId(task.id) * 1e3;
+      const fallbackTime = this.getTimestampFromId(taskPayload.id) * 1e3;
       return {
         lastUpdated: fallbackTime,
         lastActivityType: "task_created",
@@ -6486,14 +6915,119 @@ var FileIndexerAdapter = class {
    * @param task - Full GitGovTaskRecord with header.signatures for author/lastModifier extraction
    * @param relatedRecords - All related records with full metadata
    */
-  async enrichTaskRecord(task, relatedRecords) {
+  /**
+   * Enriches a task with complete intelligence layer (EARS 25-48)
+   * 
+   * 11-step algorithm:
+   * 1. Activity metadata (lastUpdated, lastActivityType, recentActivity)
+   * 2. Signatures (author, lastModifier with timestamps)
+   * 3. Assignments (assignedTo from feedback)
+   * 4. Dependencies (dependsOn, blockedBy with typed references)
+   * 5. Cycles (all cycles as array with id+title)
+   * 6. Metrics (executionCount, blockingFeedbackCount, openQuestionCount)
+   * 7. Time to resolution (for done tasks)
+   * 8. Release info (isReleased, lastReleaseVersion from changelogs)
+   * 9. Derived states (EARS-43: REUTILIZA pre-calculated derivedStates con O(1) lookup)
+   * 10. Health score (0-100 using multi-factor algorithm)
+   * 11. Time in current stage (days)
+   * 
+   * @param task - Full GitGovTaskRecord with header.signatures
+   * @param relatedRecords - All records for cross-referencing
+   * @param derivedStateSets - Pre-calculated system-wide derived states as Sets for O(1) lookup (EARS-43)
+   * @returns Promise<EnrichedTaskRecord> - Task with complete intelligence layer
+   */
+  async enrichTaskRecord(task, relatedRecords, derivedStateSets) {
     const { lastUpdated, lastActivityType, recentActivity } = await this.calculateLastUpdated(task.payload, relatedRecords);
-    return {
+    const author = extractAuthor(task);
+    const lastModifier = extractLastModifier(task);
+    const assignments = relatedRecords.feedback.filter((f) => f.payload.entityId === task.payload.id && f.payload.type === "assignment").map((f) => ({
+      actorId: f.payload.assignee || "unknown",
+      assignedAt: this.getTimestampFromId(f.payload.id) * 1e3
+      // ms
+    }));
+    const completedStatuses = ["done", "archived", "discarded"];
+    const dependsOn = (task.payload.references || []).filter((ref) => {
+      const hasValidPrefix = ref.startsWith("task:") || ref.startsWith("pr:") || ref.startsWith("issue:") || ref.startsWith("file:") || ref.startsWith("url:");
+      if (!hasValidPrefix) return false;
+      if (ref.startsWith("task:")) {
+        const refTaskId = ref.replace("task:", "");
+        const refTask = relatedRecords.tasks.find((t) => t.payload.id === refTaskId);
+        return !refTask || !refTask.payload.status || !completedStatuses.includes(refTask.payload.status);
+      }
+      return true;
+    });
+    const blockedBy = relatedRecords.tasks.filter((t) => !completedStatuses.includes(t.payload.status)).filter((t) => (t.payload.references || []).includes(`task:${task.payload.id}`)).map((t) => `task:${t.payload.id}`);
+    const cycles = (task.payload.cycleIds || []).map((cycleId) => {
+      const cycle = relatedRecords.cycles.find((c) => c.payload.id === cycleId);
+      return cycle ? { id: cycleId, title: cycle.payload.title } : null;
+    }).filter((c) => c !== null);
+    const executionCount = relatedRecords.executions.filter((e) => e.payload.taskId === task.payload.id).length;
+    const blockingFeedbackCount = relatedRecords.feedback.filter(
+      (f) => f.payload.entityId === task.payload.id && f.payload.type === "blocking" && f.payload.status === "open"
+    ).length;
+    const openQuestionCount = relatedRecords.feedback.filter(
+      (f) => f.payload.entityId === task.payload.id && f.payload.type === "question" && f.payload.status === "open"
+    ).length;
+    const timeToResolution = task.payload.status === "done" ? (lastUpdated - this.getTimestampFromId(task.payload.id) * 1e3) / (1e3 * 60 * 60) : void 0;
+    const releaseChangelogs = relatedRecords.changelogs.filter(
+      (cl) => cl.payload.relatedTasks.includes(task.payload.id)
+    );
+    const isReleased = releaseChangelogs.length > 0;
+    const lastReleaseVersion = isReleased ? releaseChangelogs[releaseChangelogs.length - 1]?.payload.version || void 0 : void 0;
+    const taskId = task.payload.id;
+    const isStalled = derivedStateSets.stalledTasks.has(taskId);
+    const isAtRisk = derivedStateSets.atRiskTasks.has(taskId);
+    const needsClarification = derivedStateSets.needsClarificationTasks.has(taskId);
+    const isBlockedByDependency = derivedStateSets.blockedByDependencyTasks.has(taskId);
+    const daysSinceLastUpdate = (Date.now() - lastUpdated) / (1e3 * 60 * 60 * 24);
+    let healthScore = 100;
+    if (task.payload.status === "done") healthScore -= 0;
+    else if (task.payload.status === "active") healthScore -= 5;
+    else if (task.payload.status === "ready") healthScore -= 10;
+    else if (task.payload.status === "review") healthScore -= 15;
+    else if (task.payload.status === "paused") healthScore -= 25;
+    else healthScore -= 30;
+    healthScore -= Math.min(blockingFeedbackCount * 10, 30);
+    if (executionCount === 0 && task.payload.status === "active") healthScore -= 20;
+    else if (executionCount < 2) healthScore -= 10;
+    if (daysSinceLastUpdate > 30) healthScore -= 20;
+    else if (daysSinceLastUpdate > 14) healthScore -= 15;
+    else if (daysSinceLastUpdate > 7) healthScore -= 10;
+    healthScore = Math.max(0, Math.min(100, healthScore));
+    const timeInCurrentStage = daysSinceLastUpdate;
+    const enrichedRecord = {
       ...task.payload,
+      derivedState: {
+        isStalled,
+        isAtRisk,
+        needsClarification,
+        isBlockedByDependency,
+        healthScore,
+        timeInCurrentStage
+      },
+      relationships: {
+        ...author && { author },
+        ...lastModifier && { lastModifier },
+        assignedTo: assignments,
+        dependsOn,
+        blockedBy,
+        cycles
+      },
+      metrics: {
+        executionCount,
+        blockingFeedbackCount,
+        openQuestionCount,
+        ...timeToResolution !== void 0 && { timeToResolution }
+      },
+      release: {
+        isReleased,
+        ...lastReleaseVersion !== void 0 && { lastReleaseVersion }
+      },
       lastUpdated,
       lastActivityType,
-      recentActivity
+      ...recentActivity && { recentActivity }
     };
+    return enrichedRecord;
   }
   /**
    * Format timestamp as human-readable time ago
@@ -6530,6 +7064,15 @@ var project_adapter_exports = {};
 __export(project_adapter_exports, {
   ProjectAdapter: () => ProjectAdapter
 });
+
+// src/utils/esm_helper.ts
+function getImportMetaUrl() {
+  try {
+    return import.meta.url;
+  } catch {
+    return null;
+  }
+}
 var ProjectAdapter = class {
   identityAdapter;
   backlogAdapter;
@@ -6638,8 +7181,8 @@ var ProjectAdapter = class {
   /**
    * [EARS-2] Validates environment for GitGovernance initialization
    */
-  async validateEnvironment(path5) {
-    const targetPath = path5 || process.env["GITGOV_ORIGINAL_DIR"] || process.cwd();
+  async validateEnvironment(path6) {
+    const targetPath = path6 || process.env["GITGOV_ORIGINAL_DIR"] || process.cwd();
     const warnings = [];
     const suggestions = [];
     try {
@@ -6822,14 +7365,6 @@ var ProjectAdapter = class {
     }
   }
   async copyAgentPrompt(gitgovPath) {
-    function getImportMetaUrl() {
-      try {
-        const getUrl = new Function("return import.meta.url");
-        return getUrl();
-      } catch {
-        return null;
-      }
-    }
     const targetPrompt = pathUtils.join(gitgovPath, "gitgov");
     const potentialSources = [];
     potentialSources.push(
@@ -6841,9 +7376,8 @@ var ProjectAdapter = class {
         const require2 = createRequire(metaUrl);
         const pkgJsonPath = require2.resolve("@gitgov/core/package.json");
         const pkgRoot = pathUtils.dirname(pkgJsonPath);
-        potentialSources.push(
-          pathUtils.join(pkgRoot, "prompts/gitgov_agent_prompt.md")
-        );
+        const promptPath = pathUtils.join(pkgRoot, "prompts/gitgov_agent_prompt.md");
+        potentialSources.push(promptPath);
       }
     } catch {
     }
@@ -6852,9 +7386,8 @@ var ProjectAdapter = class {
       if (metaUrl) {
         const __filename = fileURLToPath(metaUrl);
         const __dirname = pathUtils.dirname(__filename);
-        potentialSources.push(
-          pathUtils.resolve(__dirname, "../../prompts/gitgov_agent_prompt.md")
-        );
+        const promptPath = pathUtils.resolve(__dirname, "../../prompts/gitgov_agent_prompt.md");
+        potentialSources.push(promptPath);
       }
     } catch {
     }
@@ -7583,15 +8116,6 @@ var WorkflowMethodologyAdapter = class _WorkflowMethodologyAdapter {
   }
 };
 
-// src/crypto/index.ts
-var crypto_exports = {};
-__export(crypto_exports, {
-  calculatePayloadChecksum: () => calculatePayloadChecksum,
-  generateKeys: () => generateKeys,
-  signPayload: () => signPayload,
-  verifySignatures: () => verifySignatures
-});
-
 // src/factories/index.ts
 var factories_exports = {};
 __export(factories_exports, {
@@ -7605,7 +8129,14 @@ __export(factories_exports, {
   createFeedbackRecord: () => createFeedbackRecord,
   createTaskRecord: () => createTaskRecord,
   createTestSignature: () => createTestSignature,
-  createWorkflowMethodologyConfig: () => createWorkflowMethodologyConfig
+  createWorkflowMethodologyConfig: () => createWorkflowMethodologyConfig,
+  loadActorRecord: () => loadActorRecord,
+  loadAgentRecord: () => loadAgentRecord,
+  loadChangelogRecord: () => loadChangelogRecord,
+  loadCycleRecord: () => loadCycleRecord,
+  loadExecutionRecord: () => loadExecutionRecord,
+  loadFeedbackRecord: () => loadFeedbackRecord,
+  loadTaskRecord: () => loadTaskRecord
 });
 
 // src/validation/workflow_methodology_validator.ts
@@ -7683,7 +8214,7 @@ function validateWorkflowMethodologyConfigBusinessRules(config) {
 }
 
 // src/factories/workflow_methodology_factory.ts
-async function createWorkflowMethodologyConfig(payload) {
+function createWorkflowMethodologyConfig(payload) {
   const config = {
     version: payload.version || "1.0.0",
     name: payload.name || "Custom Methodology",
@@ -7851,8 +8382,8 @@ function createTestSignature(keyId = "human:test-user", role = "author", notes =
     keyId,
     role,
     notes,
-    signature: "dGVzdHNpZ25hdHVyZWJhc2U2NGVuY29kZWRkdW1teWZvcnRlc3RpbmdwdXJwb3Nlc29ubHlub3RyZWFsY3J5cHRvZ3JhcGh5PT0=",
-    // Dummy 88-char base64 for testing (matches Ed25519 signature length)
+    signature: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
+    // Dummy 88-char base64 for testing (86 chars + ==, matches Ed25519 signature format)
     timestamp
   };
 }
@@ -7866,7 +8397,7 @@ function inferTypeFromPayload(payload) {
   if ("displayName" in payload && "publicKey" in payload) return "actor";
   return "custom";
 }
-async function createEmbeddedMetadataRecord(payload, options = {}) {
+function createEmbeddedMetadataRecord(payload, options = {}) {
   const inferredType = inferTypeFromPayload(payload);
   const type = options.header?.type || inferredType;
   const payloadChecksum = calculatePayloadChecksum(payload);
@@ -7906,6 +8437,1449 @@ async function createEmbeddedMetadataRecord(payload, options = {}) {
   return embeddedRecord;
 }
 
+// src/lint/index.ts
+var lint_exports = {};
+__export(lint_exports, {
+  LintModule: () => LintModule
+});
+function isTaskRecord2(payload) {
+  return "title" in payload && "status" in payload && "priority" in payload && "description" in payload;
+}
+function isCycleRecord2(payload) {
+  return "title" in payload && "status" in payload && !("priority" in payload);
+}
+function isExecutionRecord2(payload) {
+  return "taskId" in payload && "type" in payload && "result" in payload;
+}
+var logger3 = createLogger("[LintModule]");
+var LintModule = class {
+  recordStore;
+  indexerAdapter;
+  fileSystem;
+  lastBackupPath = null;
+  /**
+   * Constructor for LintModule with graceful degradation.
+   * 
+   * @param dependencies - Module dependencies (some optional)
+   * @throws {Error} If recordStore is not present
+   * 
+   * @example
+   * ```typescript
+   * const lintModule = new LintModule({
+   *   recordStore: taskStore, // REQUIRED
+   *   indexerAdapter: indexerAdapter, // optional
+   *   fileSystem: customFileSystem // optional (default: Node.js fs)
+   * });
+   * ```
+   */
+  constructor(dependencies) {
+    if (!dependencies.recordStore) {
+      throw new Error("recordStore is required for file access");
+    }
+    this.recordStore = dependencies.recordStore;
+    this.indexerAdapter = dependencies.indexerAdapter ?? null;
+    if (!this.indexerAdapter) {
+      logger3.warn(
+        "indexerAdapter not provided, reference validation will be limited"
+      );
+    }
+    this.fileSystem = dependencies.fileSystem ?? {
+      readFile: async (path6, encoding) => {
+        return promises.readFile(path6, encoding);
+      },
+      writeFile: async (path6, content) => {
+        await promises.writeFile(path6, content, "utf-8");
+      },
+      exists: async (path6) => {
+        try {
+          await promises.access(path6);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+      unlink: async (path6) => {
+        await promises.unlink(path6);
+      }
+    };
+  }
+  /**
+   * Valida todos los records en el directorio especificado.
+   * 
+   * Usa delegation pattern: llama a recordStore.read() que internamente usa loaders
+   * para validar schema + embedded metadata. Luego agrega validaciones adicionales
+   * (convenciones, referencias).
+   * 
+   * @param options - Opciones de configuración
+   * @returns {Promise<LintReport>} Reporte consolidado con todos los resultados
+   * 
+   * @example
+   * ```typescript
+   * const report = await lintModule.lint({
+   *   path: '.gitgov/',
+   *   validateReferences: true,
+   *   validateActors: true,
+   *   concurrent: true
+   * });
+   * 
+   * console.log(`Errors: ${report.summary.errors}`);
+   * console.log(`Warnings: ${report.summary.warnings}`);
+   * ```
+   */
+  async lint(options) {
+    const startTime = Date.now();
+    const opts = {
+      path: options?.path ?? ".gitgov/",
+      validateReferences: options?.validateReferences ?? false,
+      validateActors: options?.validateActors ?? false,
+      validateChecksums: options?.validateChecksums ?? true,
+      validateSignatures: options?.validateSignatures ?? true,
+      validateConventions: options?.validateConventions ?? true,
+      failFast: options?.failFast ?? false,
+      concurrent: options?.concurrent ?? true,
+      concurrencyLimit: options?.concurrencyLimit ?? 10
+    };
+    const results = [];
+    const originalWarn = console.warn;
+    console.warn = () => {
+    };
+    try {
+      const recordsWithTypes = await this.discoverAllRecordsWithTypes(opts.path);
+      const recordIds = recordsWithTypes.map((r) => r.id);
+      logger3.info(`Starting lint validation for ${recordIds.length} records`);
+      const recordTypeMap = /* @__PURE__ */ new Map();
+      for (const { id, type } of recordsWithTypes) {
+        recordTypeMap.set(id, type);
+      }
+      if (opts.concurrent) {
+        const batches = this.chunkArray(recordIds, opts.concurrencyLimit);
+        for (const batch of batches) {
+          const batchResults = await Promise.all(
+            batch.map((recordId) => this.lintSingleRecord(recordId, opts, recordTypeMap.get(recordId)))
+          );
+          for (const batchResult of batchResults) {
+            results.push(...batchResult);
+            if (opts.failFast && batchResult.some((r) => r.level === "error")) {
+              logger3.warn("Fail-fast mode: stopping after first error");
+              break;
+            }
+          }
+          if (opts.failFast && results.some((r) => r.level === "error")) {
+            break;
+          }
+        }
+      } else {
+        for (const recordId of recordIds) {
+          const recordResults = await this.lintSingleRecord(recordId, opts, recordTypeMap.get(recordId));
+          results.push(...recordResults);
+          if (opts.failFast && recordResults.some((r) => r.level === "error")) {
+            logger3.warn("Fail-fast mode: stopping after first error");
+            break;
+          }
+        }
+      }
+      const executionTime = Date.now() - startTime;
+      const errors = results.filter((r) => r.level === "error").length;
+      const warnings = results.filter((r) => r.level === "warning").length;
+      const fixable = results.filter((r) => r.fixable).length;
+      logger3.info(
+        `Lint completed in ${executionTime}ms: ${recordIds.length} files, ${errors} errors, ${warnings} warnings`
+      );
+      return {
+        summary: {
+          filesChecked: recordIds.length,
+          errors,
+          warnings,
+          fixable,
+          executionTime
+        },
+        results,
+        metadata: {
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          options: opts,
+          version: "1.0.0"
+        }
+      };
+    } catch (error) {
+      logger3.error("Lint operation failed:", error);
+      throw error;
+    } finally {
+      console.warn = originalWarn;
+    }
+  }
+  /**
+   * Validates a specific file and returns its results.
+   * Ultra-fast validation for single records (target: <50ms).
+   * 
+   * @param filePath - Path to the file to validate
+   * @param options - Configuration options
+   * @returns {Promise<LintReport>} Lint report for this single file
+   * 
+   * @example
+   * ```typescript
+   * const report = await lintModule.lintFile('.gitgov/tasks/1234567890-task-example.json', {
+   *   validateReferences: true
+   * });
+   * ```
+   */
+  async lintFile(filePath, options) {
+    const startTime = Date.now();
+    const recordId = this.extractRecordId(filePath);
+    const pathParts = filePath.split("/");
+    const typeDirIndex = pathParts.findIndex(
+      (part) => ["tasks", "cycles", "executions", "changelogs", "feedback", "actors", "agents"].includes(part)
+    );
+    let entityType = this.getEntityType(recordId);
+    if (typeDirIndex >= 0 && pathParts[typeDirIndex]) {
+      const typeDir = pathParts[typeDirIndex];
+      const typeMap = {
+        "tasks": "task",
+        "cycles": "cycle",
+        "executions": "execution",
+        "changelogs": "changelog",
+        "feedback": "feedback",
+        "actors": "actor",
+        "agents": "agent"
+      };
+      entityType = typeMap[typeDir] || entityType;
+    }
+    const opts = {
+      path: filePath,
+      validateReferences: options?.validateReferences ?? false,
+      validateActors: options?.validateActors ?? false,
+      validateChecksums: options?.validateChecksums ?? true,
+      validateSignatures: options?.validateSignatures ?? true,
+      validateConventions: options?.validateConventions ?? true,
+      failFast: options?.failFast ?? false,
+      concurrent: false,
+      // Single file, no concurrency needed
+      concurrencyLimit: 1
+    };
+    const originalWarn = console.warn;
+    console.warn = () => {
+    };
+    try {
+      const results = await this.lintSingleRecord(recordId, opts, entityType);
+      const executionTime = Date.now() - startTime;
+      const errors = results.filter((r) => r.level === "error").length;
+      const warnings = results.filter((r) => r.level === "warning").length;
+      const fixable = results.filter((r) => r.fixable).length;
+      return {
+        summary: {
+          filesChecked: 1,
+          errors,
+          warnings,
+          fixable,
+          executionTime
+        },
+        results,
+        metadata: {
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          options: opts,
+          version: "1.0.0"
+        }
+      };
+    } finally {
+      console.warn = originalWarn;
+    }
+  }
+  /**
+   * Valida un record individual y retorna sus resultados.
+   * 
+   * @private
+   * @param recordId - ID del record a validar
+   * @param options - Opciones de configuración
+   * @returns {Promise<LintResult[]>} Array de resultados para este record
+   */
+  async lintSingleRecord(recordId, options, entityTypeOverride) {
+    const results = [];
+    const entityType = entityTypeOverride || this.getEntityType(recordId);
+    let filePath;
+    if (options.path && options.path.endsWith(".json")) {
+      const projectRoot2 = ConfigManager.findProjectRoot();
+      if (options.path.startsWith("/")) {
+        filePath = options.path;
+      } else if (projectRoot2) {
+        filePath = join(projectRoot2, options.path);
+      } else {
+        filePath = join(process.cwd(), options.path);
+      }
+    } else {
+      filePath = this.getFilePath(recordId, entityType);
+    }
+    try {
+      let record = null;
+      try {
+        const content = await this.fileSystem.readFile(filePath, "utf-8");
+        const raw = JSON.parse(content);
+        switch (entityType) {
+          case "task":
+            record = loadTaskRecord(raw);
+            break;
+          case "actor":
+            record = loadActorRecord(raw);
+            break;
+          case "agent":
+            record = loadAgentRecord(raw);
+            break;
+          case "cycle":
+            record = loadCycleRecord(raw);
+            break;
+          case "execution":
+            record = loadExecutionRecord(raw);
+            break;
+          case "changelog":
+            record = loadChangelogRecord(raw);
+            break;
+          case "feedback":
+            record = loadFeedbackRecord(raw);
+            break;
+          default:
+            record = await this.recordStore.read(recordId);
+        }
+      } catch (validationError) {
+        if (validationError instanceof DetailedValidationError) {
+          const hasAdditionalProperties = validationError.errors.some(
+            (e) => e.message.includes("must NOT have additional properties") || e.message.includes("must not have additional properties")
+          );
+          const filteredErrors = hasAdditionalProperties ? validationError.errors.filter(
+            (e) => !e.message.includes("oneOf") && !e.message.includes("must match") && !e.message.includes("boolean schema is false")
+          ) : validationError.errors;
+          for (const err of filteredErrors) {
+            const tempError = new DetailedValidationError("Record", [err]);
+            tempError.message = `${err.field}: ${err.message}`;
+            const validatorType = this.detectValidatorType(tempError);
+            const isFixable = this.isFixable(tempError);
+            results.push({
+              level: "error",
+              filePath,
+              validator: validatorType,
+              message: `${err.field}: ${err.message}`,
+              entity: {
+                type: entityType,
+                id: recordId
+              },
+              fixable: isFixable,
+              ...err && {
+                context: {
+                  ...err.field && { field: err.field },
+                  ...err.value !== void 0 && { actual: err.value },
+                  ...err.message && { expected: err.message }
+                }
+              }
+            });
+          }
+          return results;
+        }
+        const fsError = validationError;
+        let errorMessage;
+        if (fsError.code === "ENOENT") {
+          errorMessage = `Record file not found: ${recordId}`;
+        } else if (validationError instanceof SyntaxError) {
+          errorMessage = `Invalid JSON in record file: ${recordId}`;
+        } else {
+          errorMessage = `Failed to read record file: ${validationError instanceof Error ? validationError.message : String(validationError)}`;
+        }
+        results.push({
+          level: "error",
+          filePath,
+          validator: "SCHEMA_VALIDATION",
+          message: errorMessage,
+          entity: {
+            type: entityType,
+            id: recordId
+          },
+          fixable: false
+        });
+        return results;
+      }
+      if (!record) {
+        results.push({
+          level: "error",
+          filePath,
+          validator: "SCHEMA_VALIDATION",
+          message: `Record validation failed: ${recordId}`,
+          entity: {
+            type: entityType,
+            id: recordId
+          },
+          fixable: false
+        });
+        return results;
+      }
+      if (options.validateConventions) {
+        const conventionResults = await this.validateConventions(record, recordId, filePath, entityType);
+        results.push(...conventionResults);
+      }
+      if (options.validateReferences && this.indexerAdapter) {
+        const refResults = await this.validateReferences(record, recordId, filePath, entityType);
+        results.push(...refResults);
+      }
+      if (options.validateActors && this.indexerAdapter) {
+        const actorResults = await this.validateActors(record, recordId, filePath, entityType);
+        results.push(...actorResults);
+      }
+    } catch (error) {
+      if (error instanceof DetailedValidationError) {
+        const hasAdditionalProperties = error.errors.some(
+          (e) => e.message.includes("must NOT have additional properties") || e.message.includes("must not have additional properties")
+        );
+        const filteredErrors = hasAdditionalProperties ? error.errors.filter(
+          (e) => !e.message.includes("oneOf") && !e.message.includes("must match") && !e.message.includes("boolean schema is false")
+        ) : error.errors;
+        for (const err of filteredErrors) {
+          const tempError = new DetailedValidationError("Record", [err]);
+          tempError.message = `${err.field}: ${err.message}`;
+          const validatorType = this.detectValidatorType(tempError);
+          const isFixable = this.isFixable(tempError);
+          results.push({
+            level: "error",
+            filePath,
+            validator: validatorType,
+            message: `${err.field}: ${err.message}`,
+            entity: {
+              type: entityType,
+              id: recordId
+            },
+            fixable: isFixable,
+            ...err && {
+              context: {
+                ...err.field && { field: err.field },
+                ...err.value !== void 0 && { actual: err.value },
+                ...err.message && { expected: err.message }
+              }
+            }
+          });
+        }
+      } else {
+        results.push({
+          level: "error",
+          filePath,
+          validator: "SCHEMA_VALIDATION",
+          message: error instanceof Error ? error.message : String(error),
+          entity: {
+            type: entityType,
+            id: recordId
+          },
+          fixable: false
+        });
+      }
+    }
+    return results;
+  }
+  /**
+   * Valida un archivo específico.
+   * 
+   * Útil para validación en vivo (ej: dashboard, IDE integration).
+   * 
+   * @param filePath - Path del archivo a validar
+   * @param options - Opciones de configuración
+   * @returns {Promise<LintResult[]>} Resultados de validación para este archivo
+   * 
+   * @example
+   * ```typescript
+   * const results = await lintModule.lintFile(
+   *   '.gitgov/tasks/task-123.json',
+   *   { validateReferences: true }
+   * );
+   * ```
+   */
+  /**
+   * Applies automatic repairs to problems marked as fixable.
+   * 
+   * @param lintReport - Lint report with detected problems
+   * @param fixOptions - Options for the fix operation
+   * @returns {Promise<FixReport>} Report of applied repairs
+   * 
+   * @example
+   * ```typescript
+   * const lintReport = await lintModule.lint();
+   * const fixReport = await lintModule.fix(lintReport, {
+   *   createBackups: true,
+   *   keyId: 'system:migrator'
+   * });
+   * 
+   * console.log(`Fixed: ${fixReport.summary.fixed}`);
+   * ```
+   */
+  async fix(lintReport, fixOptions) {
+    const opts = {
+      ...fixOptions?.fixTypes && { fixTypes: fixOptions.fixTypes },
+      createBackups: fixOptions?.createBackups ?? true,
+      keyId: fixOptions?.keyId ?? "system:migrator",
+      dryRun: fixOptions?.dryRun ?? false,
+      ...fixOptions?.privateKey && { privateKey: fixOptions.privateKey }
+    };
+    const fixes = [];
+    let fixableResults = lintReport.results.filter((r) => r.fixable);
+    if (opts.fixTypes && opts.fixTypes.length > 0) {
+      fixableResults = fixableResults.filter(
+        (r) => opts.fixTypes.includes(r.validator)
+      );
+    }
+    logger3.info(`Starting fix operation for ${fixableResults.length} fixable problems`);
+    const resultsByFile = /* @__PURE__ */ new Map();
+    for (const result of fixableResults) {
+      if (!resultsByFile.has(result.filePath)) {
+        resultsByFile.set(result.filePath, /* @__PURE__ */ new Map());
+      }
+      const fileResults = resultsByFile.get(result.filePath);
+      if (!fileResults.has(result.validator)) {
+        fileResults.set(result.validator, []);
+      }
+      fileResults.get(result.validator).push(result);
+    }
+    for (const [, validatorMap] of resultsByFile) {
+      for (const [, results] of validatorMap) {
+        const primaryResult = results[0];
+        let backupPath;
+        try {
+          if (opts.dryRun) {
+            fixes.push({
+              filePath: primaryResult.filePath,
+              validator: primaryResult.validator,
+              action: `Would fix ${primaryResult.validator} (${results.length} error${results.length === 1 ? "" : "s"})`,
+              success: true
+            });
+            continue;
+          }
+          if (opts.createBackups && !backupPath) {
+            backupPath = await this.createBackup(primaryResult.filePath);
+          }
+          await this.applyFix(primaryResult, opts, results);
+          fixes.push({
+            filePath: primaryResult.filePath,
+            validator: primaryResult.validator,
+            action: `Fixed ${primaryResult.validator} (${results.length} error${results.length === 1 ? "" : "s"})`,
+            success: true,
+            ...backupPath && { backupPath }
+          });
+          logger3.debug(`Successfully fixed ${primaryResult.filePath} (${primaryResult.validator}, ${results.length} errors)`);
+        } catch (error) {
+          if (opts.createBackups && backupPath) {
+            try {
+              await this.restoreBackup(primaryResult.filePath);
+              logger3.warn(`Restored backup for ${primaryResult.filePath} after fix failure`);
+            } catch (restoreError) {
+              logger3.error(`Failed to restore backup for ${primaryResult.filePath}:`, restoreError);
+            }
+          }
+          fixes.push({
+            filePath: primaryResult.filePath,
+            validator: primaryResult.validator,
+            action: `Failed to fix ${primaryResult.validator}`,
+            success: false,
+            error: error instanceof Error ? error.message : String(error),
+            ...backupPath && { backupPath }
+            // Include backup path even if fix failed
+          });
+          logger3.error(`Failed to fix ${primaryResult.filePath}:`, error);
+        }
+      }
+    }
+    const summary = {
+      fixed: fixes.filter((f) => f.success).length,
+      failed: fixes.filter((f) => !f.success).length,
+      backupsCreated: opts.createBackups ? fixes.filter((f) => f.backupPath).length : 0
+    };
+    logger3.info(
+      `Fix operation completed: ${summary.fixed} fixed, ${summary.failed} failed, ${summary.backupsCreated} backups created`
+    );
+    return {
+      summary,
+      fixes
+    };
+  }
+  // ==================== Helper Methods ====================
+  /**
+   * Splits an array into chunks of the specified size.
+   * @private
+   */
+  chunkArray(array, chunkSize) {
+    const chunks = [];
+    for (let i = 0; i < array.length; i += chunkSize) {
+      chunks.push(array.slice(i, i + chunkSize));
+    }
+    return chunks;
+  }
+  /**
+   * Discovers all records with their types by scanning the filesystem.
+   * This ensures we know the correct type for each record based on its directory.
+   * @private
+   */
+  async discoverAllRecordsWithTypes(path6) {
+    const projectRoot2 = ConfigManager.findProjectRoot() || path6 || ".gitgov/";
+    const recordTypes = [
+      "actor",
+      "agent",
+      "cycle",
+      "task",
+      "execution",
+      "changelog",
+      "feedback"
+    ];
+    const allRecords = [];
+    for (const recordType of recordTypes) {
+      const dirNameMap = {
+        "task": "tasks",
+        "cycle": "cycles",
+        "execution": "executions",
+        "changelog": "changelogs",
+        "feedback": "feedback",
+        // feedback directory is singular, not plural
+        "actor": "actors",
+        "agent": "agents"
+      };
+      const dirName = dirNameMap[recordType];
+      const dirPath = join(projectRoot2, ".gitgov", dirName);
+      try {
+        const files = await readdir(dirPath);
+        const jsonFiles = files.filter((f) => f.endsWith(".json"));
+        const records = jsonFiles.map((f) => ({
+          id: f.replace(".json", ""),
+          type: recordType
+        }));
+        allRecords.push(...records);
+      } catch (error) {
+        continue;
+      }
+    }
+    return allRecords;
+  }
+  /**
+   * Gets the file path for a given recordId.
+   * Matches the format used by RecordStore.getRecordPath()
+   * @private
+   */
+  getFilePath(recordId, entityTypeOverride) {
+    const type = entityTypeOverride || this.getEntityType(recordId);
+    const projectRoot2 = ConfigManager.findProjectRoot();
+    const dirNameMap = {
+      "task": "tasks",
+      "cycle": "cycles",
+      "execution": "executions",
+      "changelog": "changelogs",
+      "feedback": "feedback",
+      // feedback directory is singular, not plural
+      "actor": "actors",
+      "agent": "agents"
+    };
+    const dirName = dirNameMap[type];
+    if (!projectRoot2) {
+      const safeId2 = recordId.replace(/:/g, "_");
+      return join(".gitgov", dirName, `${safeId2}.json`);
+    }
+    const safeId = recordId.replace(/:/g, "_");
+    return join(projectRoot2, ".gitgov", dirName, `${safeId}.json`);
+  }
+  /**
+   * Extracts the recordId from a filePath.
+   * @private
+   */
+  extractRecordId(filePath) {
+    return basename(filePath, ".json");
+  }
+  /**
+   * Detects the entity type from a recordId.
+   * @private
+   */
+  getEntityType(recordId) {
+    if (recordId.match(/^\d+-exec-/)) return "execution";
+    if (recordId.match(/^\d+-changelog-/)) return "changelog";
+    if (recordId.match(/^\d+-feedback-/)) return "feedback";
+    if (recordId.match(/^\d+-cycle-/)) return "cycle";
+    if (recordId.match(/^\d+-task-/)) return "task";
+    if (recordId.startsWith("execution:") || recordId.includes("-execution-")) return "execution";
+    if (recordId.startsWith("changelog:") || recordId.includes("-changelog-")) return "changelog";
+    if (recordId.startsWith("feedback:") || recordId.includes("-feedback-")) return "feedback";
+    if (recordId.startsWith("task:") || recordId.includes("-task-")) return "task";
+    if (recordId.startsWith("cycle:") || recordId.includes("-cycle-")) return "cycle";
+    if (recordId.startsWith("actor:") || recordId.startsWith("human:") || recordId.startsWith("agent:")) return "actor";
+    if (recordId.startsWith("human_") || recordId.match(/^human-/)) return "actor";
+    if (recordId.startsWith("agent_") || recordId.match(/^agent-/)) return "agent";
+    if (recordId.startsWith("agent:")) return "agent";
+    return "task";
+  }
+  /**
+   * Detects the validator type based on the error.
+   * @private
+   */
+  detectValidatorType(error) {
+    const errorMessage = error.message.toLowerCase();
+    const fieldPath = error.errors?.[0]?.field?.toLowerCase() || "";
+    const allErrorMessages = error.errors?.map((e) => e.message?.toLowerCase() || "").join(" ") || "";
+    const combinedText = `${errorMessage} ${fieldPath} ${allErrorMessages}`;
+    if (combinedText.includes("checksum") || fieldPath.includes("payloadchecksum")) {
+      return "CHECKSUM_VERIFICATION";
+    }
+    if (combinedText.includes("signature") || fieldPath.includes("/signatures/") || fieldPath.includes("signatures")) {
+      return "SIGNATURE_STRUCTURE";
+    }
+    if (combinedText.includes("header") || combinedText.includes("payload") || fieldPath.includes("/header/")) {
+      return "EMBEDDED_METADATA_STRUCTURE";
+    }
+    const versionMismatchIndicators = [
+      "required in v",
+      "field required in v",
+      "deprecated",
+      "obsolete",
+      "schema version",
+      "migration",
+      "v1 to v2",
+      "v2 to v3"
+    ];
+    const hasVersionMismatchIndicator = versionMismatchIndicators.some(
+      (indicator) => combinedText.includes(indicator)
+    );
+    const hasVersionSpecificMessage = /v\d+|version\s+\d+/i.test(combinedText);
+    if (hasVersionMismatchIndicator || hasVersionSpecificMessage) {
+      return "SCHEMA_VERSION_MISMATCH";
+    }
+    return "SCHEMA_VALIDATION";
+  }
+  /**
+   * Determines if an error is fixable.
+   * @private
+   */
+  isFixable(error) {
+    const errorMessage = error.message.toLowerCase();
+    if (errorMessage.includes("header") || errorMessage.includes("metadata")) {
+      return true;
+    }
+    if (errorMessage.includes("must not have additional properties") || errorMessage.includes("must NOT have additional properties")) {
+      return true;
+    }
+    if (errorMessage.includes("checksum")) {
+      return true;
+    }
+    if (errorMessage.includes("signature") && errorMessage.includes("format")) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Validates conventions (file naming, timestamps, etc).
+   * Implements EARS-13 through EARS-16.
+   * @private
+   */
+  async validateConventions(record, recordId, filePath, entityType) {
+    const results = [];
+    const dirNameMap = {
+      "task": "tasks",
+      "cycle": "cycles",
+      "execution": "executions",
+      "changelog": "changelogs",
+      "feedback": "feedback",
+      // feedback directory is singular, not plural
+      "actor": "actors",
+      "agent": "agents"
+    };
+    const expectedDir = `.gitgov/${dirNameMap[entityType]}`;
+    if (!filePath.includes(expectedDir)) {
+      results.push({
+        level: "error",
+        filePath,
+        validator: "FILE_NAMING_CONVENTION",
+        message: `File should be in ${expectedDir}/ directory but found in ${filePath}`,
+        entity: {
+          type: entityType,
+          id: recordId
+        },
+        fixable: false,
+        context: {
+          field: "directory",
+          actual: dirname(filePath),
+          expected: expectedDir
+        }
+      });
+    }
+    const expectedFilename = `${recordId}.json`;
+    const actualFilename = basename(filePath);
+    if (actualFilename !== expectedFilename) {
+      results.push({
+        level: "error",
+        filePath,
+        validator: "FILE_NAMING_CONVENTION",
+        message: `Filename '${actualFilename}' does not match entity ID '${recordId}'`,
+        entity: {
+          type: entityType,
+          id: recordId
+        },
+        fixable: false,
+        context: {
+          field: "filename",
+          actual: actualFilename,
+          expected: expectedFilename
+        }
+      });
+    }
+    const payload = record.payload;
+    if (payload.createdAt && payload.updatedAt) {
+      const created = new Date(payload.createdAt).getTime();
+      const updated = new Date(payload.updatedAt).getTime();
+      if (created > updated) {
+        results.push({
+          level: "error",
+          filePath,
+          validator: "TEMPORAL_CONSISTENCY",
+          message: `createdAt (${String(payload.createdAt)}) is after updatedAt (${String(payload.updatedAt)})`,
+          entity: {
+            type: entityType,
+            id: recordId
+          },
+          fixable: false,
+          context: {
+            field: "timestamps",
+            actual: { createdAt: payload.createdAt, updatedAt: payload.updatedAt },
+            expected: "createdAt <= updatedAt"
+          }
+        });
+      }
+      if (payload.completedAt) {
+        const completed = new Date(payload.completedAt).getTime();
+        if (completed < created) {
+          results.push({
+            level: "error",
+            filePath,
+            validator: "TEMPORAL_CONSISTENCY",
+            message: `completedAt (${String(payload.completedAt)}) is before createdAt (${String(payload.createdAt)})`,
+            entity: {
+              type: entityType,
+              id: recordId
+            },
+            fixable: false
+          });
+        }
+      }
+      if (payload.discardedAt) {
+        const discarded = new Date(payload.discardedAt).getTime();
+        if (discarded < created) {
+          results.push({
+            level: "error",
+            filePath,
+            validator: "TEMPORAL_CONSISTENCY",
+            message: `discardedAt (${String(payload.discardedAt)}) is before createdAt (${String(payload.createdAt)})`,
+            entity: {
+              type: entityType,
+              id: recordId
+            },
+            fixable: false
+          });
+        }
+      }
+    }
+    return results;
+  }
+  /**
+   * Validates references (typed references, bidirectional consistency).
+   * Implements EARS-17 through EARS-22.
+   * Requires indexerAdapter to be present.
+   * @private
+   */
+  async validateReferences(record, recordId, filePath, entityType) {
+    const results = [];
+    const payload = record.payload;
+    if (entityType === "execution" && isExecutionRecord2(payload) && payload.taskId) {
+      try {
+        const taskRecord = await this.recordStore.read(payload.taskId);
+        if (!taskRecord) {
+          results.push({
+            level: "warning",
+            filePath,
+            validator: "REFERENTIAL_INTEGRITY",
+            message: `Referenced taskId '${payload.taskId}' not found`,
+            entity: {
+              type: entityType,
+              id: recordId
+            },
+            fixable: false,
+            context: {
+              field: "taskId",
+              actual: payload.taskId,
+              expected: "existing task record"
+            }
+          });
+        } else {
+          const taskPayload = taskRecord.payload;
+          if (taskPayload.status === "discarded") {
+            results.push({
+              level: "warning",
+              filePath,
+              validator: "SOFT_DELETE_DETECTION",
+              message: `Referenced task '${payload.taskId}' has status 'discarded'`,
+              entity: {
+                type: entityType,
+                id: recordId
+              },
+              fixable: false
+            });
+          }
+        }
+      } catch (error) {
+        results.push({
+          level: "warning",
+          filePath,
+          validator: "REFERENTIAL_INTEGRITY",
+          message: `Failed to validate taskId reference: ${error instanceof Error ? error.message : String(error)}`,
+          entity: {
+            type: entityType,
+            id: recordId
+          },
+          fixable: false
+        });
+      }
+    }
+    if (isTaskRecord2(payload) || isExecutionRecord2(payload)) {
+      const payloadWithRefs = payload;
+      if (payloadWithRefs.references && Array.isArray(payloadWithRefs.references)) {
+        for (const ref of payloadWithRefs.references) {
+          const refStr = String(ref);
+          if (!refStr.includes(":")) {
+            results.push({
+              level: "warning",
+              filePath,
+              validator: "TYPED_REFERENCE",
+              message: `Reference '${refStr}' missing type prefix (expected: task:, cycle:, file:, etc.)`,
+              entity: {
+                type: entityType,
+                id: recordId
+              },
+              fixable: false,
+              context: {
+                field: "references",
+                actual: refStr,
+                expected: "prefix:value format"
+              }
+            });
+            continue;
+          }
+          const parts = refStr.split(":", 2);
+          if (parts.length < 2) continue;
+          const [prefix, value] = parts;
+          if (!prefix || !value) continue;
+          const knownPrefixes = ["task", "cycle", "execution", "changelog", "feedback", "actor", "agent", "file", "url", "commit", "pr", "adapter"];
+          if (!knownPrefixes.includes(prefix)) {
+            results.push({
+              level: "warning",
+              filePath,
+              validator: "TYPED_REFERENCE",
+              message: `Unknown reference prefix '${prefix}' (known: ${knownPrefixes.join(", ")})`,
+              entity: {
+                type: entityType,
+                id: recordId
+              },
+              fixable: false,
+              context: {
+                field: "references",
+                actual: prefix,
+                expected: knownPrefixes.join(", ")
+              }
+            });
+          }
+          if (["task", "cycle", "execution", "changelog", "feedback"].includes(prefix)) {
+            try {
+              const referencedRecord = await this.recordStore.read(value);
+              if (!referencedRecord) {
+                results.push({
+                  level: "warning",
+                  filePath,
+                  validator: "REFERENTIAL_INTEGRITY",
+                  message: `Referenced ${prefix} '${value}' not found`,
+                  entity: {
+                    type: entityType,
+                    id: recordId
+                  },
+                  fixable: false,
+                  context: {
+                    field: "references",
+                    actual: refStr,
+                    expected: `existing ${prefix} record`
+                  }
+                });
+              } else {
+                const refPayload = referencedRecord.payload;
+                if ("status" in refPayload && refPayload.status === "discarded") {
+                  results.push({
+                    level: "warning",
+                    filePath,
+                    validator: "SOFT_DELETE_DETECTION",
+                    message: `Referenced ${prefix} '${value}' has status 'discarded'`,
+                    entity: {
+                      type: entityType,
+                      id: recordId
+                    },
+                    fixable: false
+                  });
+                }
+              }
+            } catch (error) {
+            }
+          }
+        }
+      }
+    }
+    if (entityType === "task" && isTaskRecord2(payload) && payload.cycleIds && Array.isArray(payload.cycleIds)) {
+      for (const cycleId of payload.cycleIds) {
+        try {
+          const cycleRecord = await this.recordStore.read(cycleId);
+          if (cycleRecord) {
+            const cyclePayload = cycleRecord.payload;
+            if (cyclePayload.taskIds && Array.isArray(cyclePayload.taskIds)) {
+              if (!cyclePayload.taskIds.includes(recordId)) {
+                results.push({
+                  level: "warning",
+                  filePath,
+                  validator: "BIDIRECTIONAL_CONSISTENCY",
+                  message: `Task references cycle '${cycleId}' in cycleIds but cycle doesn't include this task in taskIds[]`,
+                  entity: {
+                    type: entityType,
+                    id: recordId
+                  },
+                  fixable: true,
+                  context: {
+                    field: "cycleIds",
+                    actual: cycleId,
+                    expected: `cycle should include task ${recordId} in taskIds[]`
+                  }
+                });
+              }
+            }
+          }
+        } catch (error) {
+        }
+      }
+    }
+    if (entityType === "cycle" && isCycleRecord2(payload) && payload.taskIds && Array.isArray(payload.taskIds)) {
+      for (const taskId of payload.taskIds) {
+        try {
+          const taskRecord = await this.recordStore.read(taskId);
+          if (taskRecord) {
+            const taskPayload = taskRecord.payload;
+            if (!taskPayload.cycleIds || !taskPayload.cycleIds.includes(recordId)) {
+              results.push({
+                level: "warning",
+                filePath,
+                validator: "BIDIRECTIONAL_CONSISTENCY",
+                message: `Cycle includes task '${taskId}' in taskIds[] but task doesn't include this cycle in cycleIds[]`,
+                entity: {
+                  type: entityType,
+                  id: recordId
+                },
+                fixable: true,
+                context: {
+                  field: "taskIds",
+                  actual: taskPayload.cycleIds || [],
+                  expected: `task should include cycle ${recordId} in cycleIds[]`
+                }
+              });
+            }
+          }
+        } catch (error) {
+        }
+      }
+    }
+    return results;
+  }
+  /**
+   * Validates actorIds (resolution in .gitgov/actors/).
+   * Implements EARS-19.
+   * @private
+   */
+  async validateActors(record, recordId, filePath, entityType) {
+    const results = [];
+    if (record.header && record.header.signatures && Array.isArray(record.header.signatures)) {
+      for (const signature of record.header.signatures) {
+        if (signature.keyId) {
+          try {
+            const actorRecord = await this.recordStore.read(signature.keyId);
+            if (!actorRecord) {
+              results.push({
+                level: "warning",
+                filePath,
+                validator: "ACTOR_RESOLUTION",
+                message: `Actor '${signature.keyId}' referenced in signature not found in .gitgov/actors/`,
+                entity: {
+                  type: entityType,
+                  id: recordId
+                },
+                fixable: false,
+                context: {
+                  field: "signatures.keyId",
+                  actual: signature.keyId,
+                  expected: "existing actor record"
+                }
+              });
+            }
+          } catch (error) {
+            results.push({
+              level: "warning",
+              filePath,
+              validator: "ACTOR_RESOLUTION",
+              message: `Failed to validate actor '${signature.keyId}': ${error instanceof Error ? error.message : String(error)}`,
+              entity: {
+                type: entityType,
+                id: recordId
+              },
+              fixable: false
+            });
+          }
+        }
+      }
+    }
+    const payload = record.payload;
+    if ("actorId" in payload && payload.actorId) {
+      const actorId = payload.actorId;
+      if (actorId) {
+        try {
+          const actorRecord = await this.recordStore.read(actorId);
+          if (!actorRecord) {
+            results.push({
+              level: "warning",
+              filePath,
+              validator: "ACTOR_RESOLUTION",
+              message: `Actor '${actorId}' referenced in payload not found`,
+              entity: {
+                type: entityType,
+                id: recordId
+              },
+              fixable: false,
+              context: {
+                field: "actorId",
+                actual: actorId,
+                expected: "existing actor record"
+              }
+            });
+          }
+        } catch (error) {
+        }
+      }
+    }
+    return results;
+  }
+  /**
+   * Applies a specific repair based on the problem type.
+   * @private
+   */
+  async applyFix(result, options, allErrors) {
+    switch (result.validator) {
+      case "EMBEDDED_METADATA_STRUCTURE":
+        await this.fixLegacyRecord(result, options, allErrors);
+        break;
+      case "BIDIRECTIONAL_CONSISTENCY":
+        await this.fixBidirectionalReference(result);
+        break;
+      case "CHECKSUM_VERIFICATION":
+        await this.recalculateChecksum(result);
+        break;
+      case "SIGNATURE_STRUCTURE":
+        await this.fixSignatureStructure(result, options, allErrors || [result]);
+        break;
+      default:
+        throw new Error(`Fix not implemented for validator: ${result.validator}`);
+    }
+  }
+  /**
+   * Repairs a legacy record by wrapping it in embedded metadata.
+   * Implements EARS-24: Normalize legacy records with signature.
+   * @private
+   */
+  async fixLegacyRecord(result, options, allErrors) {
+    if (!options.privateKey) {
+      throw new Error("privateKey is required in FixOptions to sign legacy records");
+    }
+    const fileContent = await this.fileSystem.readFile(result.filePath, "utf-8");
+    const rawData = JSON.parse(fileContent);
+    if (typeof rawData !== "object" || rawData === null || !("header" in rawData) || !("payload" in rawData)) {
+      throw new Error(`Record does not have EmbeddedMetadataRecord structure (missing header or payload): ${result.filePath}`);
+    }
+    const rawObj = rawData;
+    if (!rawObj["header"] || !rawObj["payload"]) {
+      throw new Error(`Record does not have EmbeddedMetadataRecord structure (missing header or payload): ${result.filePath}`);
+    }
+    const embeddedRecord = rawData;
+    const hasAdditionalProperties = allErrors?.some(
+      (e) => e.message.includes("must NOT have additional properties") && e.message.includes("/payload")
+    );
+    if (hasAdditionalProperties) {
+      const entityType = this.getEntityType(result.entity.id);
+      let cleanPayload;
+      try {
+        switch (entityType) {
+          case "task":
+            const taskPayload = embeddedRecord.payload;
+            cleanPayload = {
+              id: taskPayload.id,
+              title: taskPayload.title,
+              status: taskPayload.status,
+              priority: taskPayload.priority,
+              description: taskPayload.description,
+              ...taskPayload.cycleIds && { cycleIds: taskPayload.cycleIds },
+              ...taskPayload.tags && { tags: taskPayload.tags },
+              ...taskPayload.references && { references: taskPayload.references },
+              ...taskPayload.notes && { notes: taskPayload.notes }
+            };
+            break;
+          case "cycle":
+            const cyclePayload = embeddedRecord.payload;
+            cleanPayload = {
+              id: cyclePayload.id,
+              title: cyclePayload.title,
+              status: cyclePayload.status,
+              ...cyclePayload.taskIds && { taskIds: cyclePayload.taskIds },
+              ...cyclePayload.childCycleIds && { childCycleIds: cyclePayload.childCycleIds },
+              ...cyclePayload.tags && { tags: cyclePayload.tags },
+              ...cyclePayload.notes && { notes: cyclePayload.notes }
+            };
+            break;
+          default:
+            await this.recalculateChecksum(result);
+            return;
+        }
+        const payloadChecksum = calculatePayloadChecksum(cleanPayload);
+        const signature = signPayload(
+          cleanPayload,
+          options.privateKey,
+          options.keyId || result.entity.id,
+          "author",
+          "Signature regenerated after removing additional properties"
+        );
+        const fixedRecord = {
+          header: {
+            ...embeddedRecord.header,
+            payloadChecksum,
+            signatures: [signature]
+          },
+          payload: cleanPayload
+        };
+        await this.fileSystem.writeFile(
+          result.filePath,
+          JSON.stringify(fixedRecord, null, 2)
+        );
+        logger3.info(`Removed additional properties from payload: ${result.filePath}`);
+        return;
+      } catch (error) {
+        logger3.warn(`Could not clean additional properties, recalculating checksum only: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    await this.recalculateChecksum(result);
+  }
+  /**
+   * Repairs bidirectional inconsistencies between Task and Cycle.
+   * Implements EARS-25: Sync bidirectional references.
+   * @private
+   */
+  async fixBidirectionalReference(result) {
+    const entityType = result.entity.type;
+    const recordId = result.entity.id;
+    if (entityType === "task") {
+      const taskRecord = await this.recordStore.read(recordId);
+      if (!taskRecord) return;
+      const taskPayload = taskRecord.payload;
+      if (!taskPayload.cycleIds || taskPayload.cycleIds.length === 0) return;
+      for (const cycleId of taskPayload.cycleIds) {
+        const cycleRecord = await this.recordStore.read(cycleId);
+        if (!cycleRecord) continue;
+        const mutableCyclePayload = cycleRecord.payload;
+        if (!mutableCyclePayload.taskIds) {
+          mutableCyclePayload.taskIds = [];
+        }
+        if (!mutableCyclePayload.taskIds.includes(recordId)) {
+          mutableCyclePayload.taskIds.push(recordId);
+          const cycleFilePath = this.getFilePath(cycleId);
+          await this.fileSystem.writeFile(
+            cycleFilePath,
+            JSON.stringify(cycleRecord, null, 2)
+          );
+          logger3.info(`Fixed bidirectional reference: Added task ${recordId} to cycle ${cycleId}`);
+        }
+      }
+    } else if (entityType === "cycle") {
+      const cycleRecord = await this.recordStore.read(recordId);
+      if (!cycleRecord) return;
+      const cyclePayload = cycleRecord.payload;
+      if (!cyclePayload.taskIds || cyclePayload.taskIds.length === 0) return;
+      const taskIdFromContext = result.context?.actual;
+      const tasksToFix = taskIdFromContext ? [taskIdFromContext] : cyclePayload.taskIds;
+      for (const taskId of tasksToFix) {
+        const taskRecord = await this.recordStore.read(taskId);
+        if (!taskRecord) continue;
+        const taskPayload = taskRecord.payload;
+        if (!taskPayload.cycleIds) {
+          taskPayload.cycleIds = [];
+        }
+        if (!taskPayload.cycleIds.includes(recordId)) {
+          taskPayload.cycleIds.push(recordId);
+          const taskFilePath = this.getFilePath(taskId);
+          await this.fileSystem.writeFile(
+            taskFilePath,
+            JSON.stringify(taskRecord, null, 2)
+          );
+          logger3.info(`Fixed bidirectional reference: Added cycle ${recordId} to task ${taskId} in cycleIds[]`);
+        }
+      }
+    }
+  }
+  /**
+   * Recalculates the checksum of a record.
+   * Implements checksum repair for corrupted checksums.
+   * @private
+   */
+  async recalculateChecksum(result) {
+    const fileContent = await this.fileSystem.readFile(result.filePath, "utf-8");
+    const record = JSON.parse(fileContent);
+    if (!record.header || !record.payload) {
+      throw new Error("Cannot recalculate checksum: invalid record structure");
+    }
+    const correctChecksum = calculatePayloadChecksum(record.payload);
+    record.header.payloadChecksum = correctChecksum;
+    await this.fileSystem.writeFile(
+      result.filePath,
+      JSON.stringify(record, null, 2)
+    );
+    logger3.info(`Recalculated checksum for: ${result.filePath}`);
+  }
+  /**
+   * Creates a backup of a file.
+   * @private
+   */
+  async createBackup(filePath) {
+    const timestamp = Date.now();
+    const backupPath = `${filePath}.backup-${timestamp}`;
+    const content = await this.fileSystem.readFile(filePath, "utf-8");
+    await this.fileSystem.writeFile(backupPath, content);
+    this.lastBackupPath = backupPath;
+    return backupPath;
+  }
+  /**
+   * Fixes signature structure errors by analyzing specific errors and applying targeted fixes.
+   * Reads the record directly (bypassing validation), extracts payload, and fixes signature issues:
+   * - Adds missing 'notes' field with a valid value
+   * - Removes additional properties not allowed
+   * - Regenerates invalid signatures
+   * Works even when signatures have invalid format (e.g., "placeholder" instead of base64).
+   * @private
+   */
+  async fixSignatureStructure(result, options, allErrors) {
+    if (!options.privateKey) {
+      throw new Error("Private key required to fix signature structure errors");
+    }
+    const content = await this.fileSystem.readFile(result.filePath, "utf-8");
+    let raw;
+    try {
+      raw = JSON.parse(content);
+    } catch (parseError) {
+      throw new Error(`Invalid JSON in file: ${result.filePath}`);
+    }
+    if (typeof raw !== "object" || raw === null || !("header" in raw) || !("payload" in raw)) {
+      throw new Error(`Record does not have EmbeddedMetadataRecord structure (missing header or payload): ${result.filePath}`);
+    }
+    const rawObj = raw;
+    if (!rawObj["header"] || !rawObj["payload"]) {
+      throw new Error(`Record does not have EmbeddedMetadataRecord structure (missing header or payload): ${result.filePath}`);
+    }
+    const embeddedRecord = raw;
+    const payload = embeddedRecord.payload;
+    const existingHeader = embeddedRecord.header;
+    const payloadChecksum = calculatePayloadChecksum(payload);
+    const needsNotes = allErrors.some((e) => e.message.includes("must have required property 'notes'"));
+    const hasAdditionalProperties = allErrors.some((e) => e.message.includes("must NOT have additional properties"));
+    const hasInvalidSignature = allErrors.some((e) => e.message.includes("signature: must match pattern"));
+    let keyId = options.keyId || result.entity.id;
+    let role = "author";
+    let notes = "Signature regenerated by lint --fix";
+    if (existingHeader?.signatures?.[0]) {
+      const existingSig = existingHeader.signatures[0];
+      if (existingSig.keyId) {
+        keyId = existingSig.keyId;
+      }
+      if (existingSig.role) {
+        role = existingSig.role;
+      }
+      if (existingSig.notes && typeof existingSig.notes === "string" && existingSig.notes.length > 0) {
+        notes = existingSig.notes;
+      }
+    }
+    if (needsNotes && !notes) {
+      notes = "Signature regenerated by lint --fix";
+    }
+    const needsRegeneration = hasInvalidSignature || hasAdditionalProperties || needsNotes && (hasInvalidSignature || hasAdditionalProperties);
+    let fixedSignature;
+    if (needsRegeneration) {
+      fixedSignature = signPayload(
+        payload,
+        options.privateKey,
+        keyId,
+        role,
+        notes
+      );
+    } else {
+      const existingSig = existingHeader?.signatures?.[0];
+      fixedSignature = {
+        keyId: existingSig?.keyId || keyId,
+        role: existingSig?.role || role,
+        notes: needsNotes ? notes || "Signature regenerated by lint --fix" : existingSig?.notes || notes,
+        signature: existingSig?.signature || "",
+        timestamp: existingSig?.timestamp || Math.floor(Date.now() / 1e3)
+      };
+    }
+    const entityType = this.getEntityType(result.entity.id);
+    const fixedRecord = {
+      header: {
+        version: existingHeader?.version || "1.0",
+        type: existingHeader?.type || entityType,
+        payloadChecksum,
+        signatures: [fixedSignature]
+        // Replace all signatures with one valid signature
+      },
+      payload
+    };
+    await this.fileSystem.writeFile(
+      result.filePath,
+      JSON.stringify(fixedRecord, null, 2)
+    );
+    const action = needsRegeneration ? "regenerated" : "fixed structure";
+    logger3.info(`Fixed signature structure: ${result.filePath} (${action} signature for ${keyId})`);
+  }
+  /**
+   * Restores a file from its most recent backup.
+   * Implements EARS-32: Restore backup if fix fails.
+   * @private
+   */
+  async restoreBackup(filePath) {
+    if (this.lastBackupPath) {
+      try {
+        const exists = await this.fileSystem.exists(this.lastBackupPath);
+        if (exists) {
+          const backupContent = await this.fileSystem.readFile(this.lastBackupPath, "utf-8");
+          await this.fileSystem.writeFile(filePath, backupContent);
+          logger3.info(`Restored ${filePath} from backup ${this.lastBackupPath}`);
+          this.lastBackupPath = null;
+          return;
+        }
+      } catch (error) {
+      }
+    }
+    const now = Date.now();
+    const timeWindows = [0, 1e3, 5e3, 1e4, 6e4];
+    for (const delta of timeWindows) {
+      const timestamp = now - delta;
+      const backupPath = `${filePath}.backup-${timestamp}`;
+      try {
+        const exists = await this.fileSystem.exists(backupPath);
+        if (exists) {
+          const backupContent = await this.fileSystem.readFile(backupPath, "utf-8");
+          await this.fileSystem.writeFile(filePath, backupContent);
+          logger3.info(`Restored ${filePath} from backup ${backupPath}`);
+          return;
+        }
+      } catch (error) {
+        continue;
+      }
+    }
+    throw new Error(`No backup found for ${filePath}`);
+  }
+};
+
 // src/validation/index.ts
 var validation_exports = {};
 __export(validation_exports, {
@@ -7927,7 +9901,6 @@ __export(validation_exports, {
   validateChangelogRecordSchema: () => validateChangelogRecordSchema,
   validateCycleRecordDetailed: () => validateCycleRecordDetailed,
   validateCycleRecordSchema: () => validateCycleRecordSchema,
-  validateEmbeddedMetadataBusinessRules: () => validateEmbeddedMetadataBusinessRules,
   validateEmbeddedMetadataDetailed: () => validateEmbeddedMetadataDetailed,
   validateEmbeddedMetadataSchema: () => validateEmbeddedMetadataSchema,
   validateExecutionRecordDetailed: () => validateExecutionRecordDetailed,
@@ -8385,10 +10358,10 @@ var RelationshipAnalyzer = class {
     }
     const visited = /* @__PURE__ */ new Set();
     const recursionStack = /* @__PURE__ */ new Set();
-    const path5 = [];
+    const path6 = [];
     for (const node of graph.keys()) {
       if (!visited.has(node)) {
-        const cyclePath = this.findCycleDFS(node, graph, visited, recursionStack, path5);
+        const cyclePath = this.findCycleDFS(node, graph, visited, recursionStack, path6);
         if (cyclePath.length > 0) {
           const cycleDescription = this.formatCycleError(cyclePath);
           throw new CircularDependencyError(cycleDescription);
@@ -8399,24 +10372,24 @@ var RelationshipAnalyzer = class {
   /**
    * DFS helper for circular dependency detection with path tracking
    */
-  findCycleDFS(node, graph, visited, recursionStack, path5) {
+  findCycleDFS(node, graph, visited, recursionStack, path6) {
     visited.add(node);
     recursionStack.add(node);
-    path5.push(node);
+    path6.push(node);
     const neighbors = graph.get(node) || [];
     for (const neighbor of neighbors) {
       if (!visited.has(neighbor)) {
-        const cyclePath = this.findCycleDFS(neighbor, graph, visited, recursionStack, path5);
+        const cyclePath = this.findCycleDFS(neighbor, graph, visited, recursionStack, path6);
         if (cyclePath.length > 0) {
           return cyclePath;
         }
       } else if (recursionStack.has(neighbor)) {
-        const cycleStartIndex = path5.indexOf(neighbor);
-        return path5.slice(cycleStartIndex).concat([neighbor]);
+        const cycleStartIndex = path6.indexOf(neighbor);
+        return path6.slice(cycleStartIndex).concat([neighbor]);
       }
     }
     recursionStack.delete(node);
-    path5.pop();
+    path6.pop();
     return [];
   }
   /**
@@ -9124,6 +11097,6 @@ var DiagramGenerator = class {
   }
 };
 
-export { adapters_exports as Adapters, backlog_adapter_exports as BacklogAdapter, changelog_adapter_exports as ChangelogAdapter, config_manager_exports as Config, crypto_exports as Crypto, diagram_generator_exports as DiagramGenerator, event_bus_exports as EventBus, execution_adapter_exports as ExecutionAdapter, factories_exports as Factories, feedback_adapter_exports as FeedbackAdapter, identity_adapter_exports as IdentityAdapter, indexer_adapter_exports as IndexerAdapter, logger_exports as Logger, metrics_adapter_exports as MetricsAdapter, project_adapter_exports as ProjectAdapter, types_exports as Records, schemas_exports as Schemas, store_exports as Store, validation_exports as Validation, workflow_methodology_adapter_exports as WorkflowMethodologyAdapter };
+export { adapters_exports as Adapters, backlog_adapter_exports as BacklogAdapter, changelog_adapter_exports as ChangelogAdapter, config_manager_exports as Config, crypto_exports as Crypto, diagram_generator_exports as DiagramGenerator, event_bus_exports as EventBus, execution_adapter_exports as ExecutionAdapter, factories_exports as Factories, feedback_adapter_exports as FeedbackAdapter, identity_adapter_exports as IdentityAdapter, indexer_adapter_exports as IndexerAdapter, lint_exports as Lint, logger_exports as Logger, metrics_adapter_exports as MetricsAdapter, project_adapter_exports as ProjectAdapter, types_exports as Records, schemas_exports as Schemas, store_exports as Store, validation_exports as Validation, workflow_methodology_adapter_exports as WorkflowMethodologyAdapter };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map