CLAUDE.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="pandoc" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
  <title>CLAUDE</title>
  <style>

html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
svg {
height: auto;
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
border: none;
border-top: 1px solid #1a1a1a;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}

ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}

html { -webkit-text-size-adjust: 100%; }
pre > code.sourceCode { white-space: pre; position: relative; }
pre > code.sourceCode > span { display: inline-block; line-height: 1.25; }
pre > code.sourceCode > span:empty { height: 1.2em; }
.sourceCode { overflow: visible; }
code.sourceCode > span { color: inherit; text-decoration: inherit; }
div.sourceCode { margin: 1em 0; }
pre.sourceCode { margin: 0; }
@media screen {
div.sourceCode { overflow: auto; }
}
@media print {
pre > code.sourceCode { white-space: pre-wrap; }
pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
}
pre.numberSource code
{ counter-reset: source-line 0; }
pre.numberSource code > span
{ position: relative; left: -4em; counter-increment: source-line; }
pre.numberSource code > span > a:first-child::before
{ content: counter(source-line);
position: relative; left: -1em; text-align: right; vertical-align: baseline;
border: none; display: inline-block;
-webkit-touch-callout: none; -webkit-user-select: none;
-khtml-user-select: none; -moz-user-select: none;
-ms-user-select: none; user-select: none;
padding: 0 4px; width: 4em;
color: #aaaaaa;
}
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
div.sourceCode
{ }
@media screen {
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
}
code span.al { color: #ff0000; font-weight: bold; } 
code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } 
code span.at { color: #7d9029; } 
code span.bn { color: #40a070; } 
code span.bu { color: #008000; } 
code span.cf { color: #007020; font-weight: bold; } 
code span.ch { color: #4070a0; } 
code span.cn { color: #880000; } 
code span.co { color: #60a0b0; font-style: italic; } 
code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } 
code span.do { color: #ba2121; font-style: italic; } 
code span.dt { color: #902000; } 
code span.dv { color: #40a070; } 
code span.er { color: #ff0000; font-weight: bold; } 
code span.ex { } 
code span.fl { color: #40a070; } 
code span.fu { color: #06287e; } 
code span.im { color: #008000; font-weight: bold; } 
code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } 
code span.kw { color: #007020; font-weight: bold; } 
code span.op { color: #666666; } 
code span.ot { color: #007020; } 
code span.pp { color: #bc7a00; } 
code span.sc { color: #4070a0; } 
code span.ss { color: #bb6688; } 
code span.st { color: #4070a0; } 
code span.va { color: #19177c; } 
code span.vs { color: #4070a0; } 
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } 
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">CLAUDE</h1>
</header>
<h2 id="inherited-from-helix-constitution">INHERITED FROM Helix
Constitution</h2>
<p>This module is a submodule of an ATMOSphere-family project that
includes the Helix Constitution submodule at the parent&#39;s
<code>constitution/</code> path. All rules in
<code>constitution/CLAUDE.md</code> and the
<code>constitution/Constitution.md</code> it references (universal
anti-bluff covenant §11.4, no-guessing mandate §11.4.6,
credentials-handling mandate §11.4.10, host-session safety §12, data
safety §9, mutation- paired gates §1.1) apply unconditionally to every
change landed here. The module-specific rules below extend them — they
never weaken any universal clause.</p>
<p>When this file disagrees with the constitution submodule, the
constitution wins. Locate the constitution submodule from any arbitrary
nested depth using its <code>find_constitution.sh</code> helper.</p>
<p>Canonical reference: <a href="https://github.com/HelixDevelopment/HelixConstitution">https://github.com/HelixDevelopment/HelixConstitution</a></p>
<hr />
<h1 id="claudemd---helixcode-ai-agent-manual">CLAUDE.md - HelixCode AI
Agent Manual</h1>
<h2 id="inherited-from-helixconstitutionclaudemd">INHERITED FROM
HelixConstitution/CLAUDE.md</h2>
<p>All rules in <code>HelixConstitution/CLAUDE.md</code> (and the
<code>HelixConstitution/Constitution.md</code> it references) apply
unconditionally. The project-specific rules below extend them. Rules
below MUST NOT weaken any inherited clause.</p>
<h2 id="helixcode---ai-agent-operating-manual">HelixCode - AI Agent
Operating Manual</h2>
<p><strong>Version</strong>: 1.0.0 <strong>Date</strong>: 2026-04-30
<strong>Scope</strong>: This document guides AI agents working on the
HelixCode codebase <strong>Authority</strong>: Cascaded from HelixAgent
root <code>CLAUDE.md</code> with HelixCode-specific addenda</p>
<hr />
<h2 id="1-agent-identity--purpose">1. Agent Identity &amp; Purpose</h2>
<p>You are an AI agent working on <strong>HelixCode</strong>, an
enterprise-grade distributed AI development platform. Your work directly
impacts the quality and usability of a production system.</p>
<p><strong>Your mandate</strong>: Write real, working, tested code. No
simulations. No placeholders. No &quot;for now&quot; implementations. Every
feature you implement MUST actually work when a user invokes it.</p>
<h3 id="11-peer-governance-documents-keep-in-sync">1.1 Peer Governance
Documents (keep in sync)</h3>
<p>This <code>CLAUDE.md</code> sits alongside several other
agent/governance manuals at the repo root. They overlap and must remain
consistent:</p>
<ul>
<li><code>CONSTITUTION.md</code> — source of truth for all mandates
(CONST-033, CONST-035, CONST-036–040, Article XI §11.9). When this file
conflicts with the Constitution, the Constitution wins.</li>
<li><code>AGENTS.md</code> — generic agent manual (40 KB; mirror
anti-bluff rules here).</li>
<li><code>CRUSH.md</code>, <code>QWEN.md</code> — sibling agent manuals
for other CLI tools. Cascade rule changes to all of them.</li>
<li><code>helix_code/CLAUDE.md</code>, <code>helix_qa/CLAUDE.md</code>,
<code>challenges/CLAUDE.md</code> — submodule-scoped manuals; this root
file inherits from them and they inherit from this one.</li>
</ul>
<hr />
<h2 id="2-universal-mandatory-rules-non-negotiable">2. Universal
Mandatory Rules (Non-Negotiable)</h2>
<p>These rules cascade from the HelixCode Constitution. They are
permanent and apply to every task.</p>
<h3 id="rule-1-no-cicd-pipelines">Rule 1: No CI/CD Pipelines</h3>
<p>No <code>.github/workflows/</code>, <code>.gitlab-ci.yml</code>,
<code>Jenkinsfile</code>, <code>.travis.yml</code>,
<code>.circleci/</code>, or any automated pipeline. All builds and tests
run manually or via Makefile/script targets.</p>
<h3 id="rule-2-no-mocks-in-production">Rule 2: No Mocks in
Production</h3>
<p>Mocks, stubs, fakes, placeholder classes, TODO implementations are
STRICTLY FORBIDDEN in production code. Only unit tests may use
mocks.</p>
<h3 id="rule-3-no-https-for-git">Rule 3: No HTTPS for Git</h3>
<p>SSH URLs only (<code>git@github.com:…</code>) for all Git
operations.</p>
<h3 id="rule-4-no-manual-container-commands">Rule 4: No Manual Container
Commands</h3>
<p>Use the orchestrator binary (<code>make build</code> →
<code>./bin/&lt;app&gt;</code>). Direct
<code>docker</code>/<code>docker-compose</code> commands are prohibited
as workflows.</p>
<h3 id="rule-5-real-data-for-non-unit-tests">Rule 5: Real Data for
Non-Unit Tests</h3>
<p>All integration, E2E, and challenge tests MUST use real
infrastructure (real databases, real HTTP calls, real containers).</p>
<h3 id="rule-6-100-challenge-coverage">Rule 6: 100% Challenge
Coverage</h3>
<p>Every component MUST have Challenge scripts validating real-life use
cases.</p>
<h3 id="rule-7-reproduction-before-fix">Rule 7:
Reproduction-Before-Fix</h3>
<p>Every bug MUST be reproduced by a Challenge script BEFORE any fix is
attempted.</p>
<h3 id="rule-8-definition-of-done">Rule 8: Definition of Done</h3>
<p>A change is NOT done because code compiles. &quot;Done&quot; requires pasted
terminal output from a real run against real artifacts.</p>
<h3 id="rule-9-no-self-certification">Rule 9: No Self-Certification</h3>
<p>Words like <em>verified, tested, working, complete, fixed,
passing</em> are forbidden unless accompanied by pasted command output
from that session.</p>
<h3 id="rule-10-zero-bluff-mandate-const-035">Rule 10: Zero-Bluff
Mandate (CONST-035)</h3>
<p>A passing test is a claim that the feature <strong>works for the end
user</strong>. Every test must guarantee Quality + Completion + Full
Usability. Any test that doesn&#39;t certify all three is a bluff and must
be tightened.</p>
<hr />
<h2 id="constitutional-anchors-cascaded-from-constitutionmd">Constitutional
anchors (cascaded from <code>CONSTITUTION.md</code>)</h2>
<h3 id="article-xi-119--anti-bluff-forensic-anchor">Article XI §11.9 —
Anti-Bluff Forensic Anchor</h3>
<blockquote>
<p>Verbatim user mandate: <em>&quot;We had been in position that all tests do
execute with success and all Challenges as well, but in reality the most
of the features does not work and can&#39;t be used! This MUST NOT be the
case and execution of tests and Challenges MUST guarantee the quality,
the completion and full usability by end users of the product!&quot;</em></p>
<p>Operative rule: <strong>The bar for shipping is not &quot;tests pass&quot; but
&quot;users can use the feature.&quot;</strong> Every PASS in this codebase MUST
carry positive runtime evidence captured during execution. Metadata-only
/ configuration-only / absence-of-error / grep-based PASS without
runtime evidence are critical defects regardless of how green the
summary line looks. No false-success results are tolerable.</p>
</blockquote>
<h3 id="article-xii-121-const-042--no-secret-leak">Article XII §12.1
(CONST-042) — No-Secret-Leak</h3>
<p>No API key, token, password, certificate, or other credential may be
committed to any repository owned by HelixDevelopment or vasic-digital.
All secrets live in <code>.env</code> files (mode 0600) listed in
<code>.gitignore</code>. Any leak is a release blocker until rotated and
post-mortemed.</p>
<h3 id="article-xii-122-const-043--no-force-push">Article XII §12.2
(CONST-043) — No-Force-Push</h3>
<p>No force push, force-with-lease push, history rewrite, branch
deletion of <code>main</code>/<code>master</code>, or
upstream-overwriting operation may be performed without explicit,
in-conversation user approval per operation. Authorization for one push
does not extend further. Bypassing hooks / signing / protected-branch
rules also requires explicit approval.</p>
<hr />
<h2 id="3-helixcode-specific-architecture">3. HelixCode-Specific
Architecture</h2>
<h3 id="31-technology-stack">3.1 Technology Stack</h3>
<ul>
<li><strong>Language</strong>: Go — root meta-repo on
<code>go 1.25.2</code>, inner Go application (<code>helix_code/</code>)
on <code>go 1.26</code>. Keep both modules current; do not
downgrade.</li>
<li><strong>Module IDs</strong>: root <code>dev.helix.code</code>
(thin), inner <code>dev.helix.code</code> (full app + transitive
deps).</li>
<li><strong>HTTP / API</strong>: Gin v1.11.0, gorilla/websocket v1.5.3,
gRPC v1.80.0.</li>
<li><strong>Persistence</strong>: PostgreSQL 15+ via pgx/v5 + lib/pq;
Redis 7+ via go-redis/v9.</li>
<li><strong>AuthN/Z</strong>: golang-jwt/v4 v4.5.2, bcrypt/argon2
(<code>golang.org/x/crypto</code>), oauth2.</li>
<li><strong>Config / CLI</strong>: Viper v1.21.0, Cobra v1.8.0, pflag
v1.0.10, fsnotify v1.9.0.</li>
<li><strong>LLM / Cloud</strong>: AWS Bedrock runtime (aws-sdk-go-v2),
Azure azcore/azidentity, getzep/zep-go/v3, smacker/go-tree-sitter.</li>
<li><strong>UI</strong>: Fyne v2.7.0 (desktop GUI), tview / tcell/v2
(terminal UI), chromedp (headless browser).</li>
<li><strong>Testing</strong>: stretchr/testify v1.11.1.</li>
</ul>
<h3 id="32-repository-layout--meta-repo--submodules">3.2 Repository
Layout — Meta-Repo + Submodules</h3>
<p><strong>This repo is a governance/meta-repo, not the Go
application.</strong> The actual Go binary lives in the
<code>helix_code/</code> subdirectory (a submodule). When an agent says
&quot;edit <code>internal/auth</code>,&quot; they almost always mean
<code>helix_code/internal/auth</code>, not the root
<code>internal/</code>.</p>
<pre><code>helix_code/                                # ← repo root (governance + submodules)
├── CLAUDE.md / AGENTS.md / CONSTITUTION.md / CRUSH.md / QWEN.md   # agent manuals
├── Makefile                              # governance gates only (see §3.4)
├── go.mod                                # thin root module (dev.helix.code, go 1.25.2)
├── helix                                 # Docker facade script (run platform standalone)
├── setup.sh                              # one-shot: submodule init + deps + build
├── .gitmodules                           # source of truth for submodule wiring
├── docker-compose.helix.yml              # standalone deployment
├── internal/{fix,security,testing,theme} # root-level helpers ONLY (NOT the app)
├── cmd/security-test/                    # root-level security-test tool ONLY
├── scripts/                              # init-submodules, propagate-governance,
│                                         #   verify-governance-cascade, no-silent-skips,
│                                         #   demo-all, run-all-tests, …
├── docs/                                 # ARCHITECTURE.md, COMPLETE_*.md guides,
│                                         #   bluff-proofing/, llms_verifier/, helix_qa/
│
├── helix_code/      ← TRACKED SUBDIRECTORY (NOT a submodule — meta-repo&#39;s primary inner directory; circular reference if promoted; see §3.2.1)
├── helix_qa/        ← SUBMODULE: QA / challenge-orchestration platform
├── challenges/     ← SUBMODULE: cross-cutting Challenge bank (Panoptic, banks/)
├── containers/     ← SUBMODULE: Docker/container artefacts
├── Dependencies/   ← SUBMODULES: LLama_CPP, Ollama, HuggingFace_Hub, …
├── security/       ← SUBMODULE: security tooling
├── Assets/         ← SUBMODULE: logos, themes, brand
├── github_pages_website/ ← SUBMODULE: marketing site
└── Example_Projects/     ← reference projects (Aider, Cline, Plandex, OpenHands, …)</code></pre>
<h4 id="321-inner-go-application--helix_code-submodule">3.2.1 Inner Go
application — <code>helix_code/</code> submodule</h4>
<pre><code>helix_code/helix_code/                      # module dev.helix.code, go 1.26
├── Makefile                              # real build/test targets (see §3.4)
├── cmd/
│   ├── server/                           # HTTP server entry → bin/helixcode
│   ├── cli/                              # CLI client entry → bin/cli
│   ├── helix-config/                     # config tool
│   ├── config-test/                      # config validator
│   ├── security-test/, security-fix*/    # security tools
│   └── performance-optimization*/        # perf tools
├── internal/                             # ~45 packages — the real domain code
│   ├── auth/        agent/      cognee/      commands/   config/
│   ├── context/     database/   deployment/  discovery/  editor/
│   ├── event/       focus/      hardware/    helixqa/    hooks/
│   ├── llm/         logging/    logo/        mcp/        memory/
│   ├── monitoring/  notification/ performance/ persistence/ project/
│   ├── provider/    providers/  redis/       repomap/    rules/
│   ├── security/    server/     session/     task/       template/
│   ├── tools/       verifier/   version/     worker/     workflow/
│   ├── adapters/    fix/        testutil/    mocks/      # mocks/ is unit-test-only
├── applications/
│   ├── desktop/      (Fyne GUI)
│   ├── terminal-ui/  (tview TUI)
│   ├── ios/  android/  aurora-os/  harmony-os/
├── tests/
│   ├── e2e/challenges/   # E2E challenge runner (cmd/runner/main.go)
│   ├── integration/      # gated by `-tags=integration`
│   ├── unit/             # mocks ALLOWED here only
│   ├── security/         # security suite
│   └── performance/      # benchmarks
├── config/                # YAML configs (dev/, prod/, test/)
├── docker/  scripts/  shared/  qa-integration/
└── docker-compose.full-test.yml + .env.full-test    # zero-skip integration stack</code></pre>
<p><strong>Cardinal rule:</strong> if a path in instructions doesn&#39;t
start with <code>helix_code/</code>, <code>helix_qa/</code>, etc.,
assume it is relative to the inner Go module and prefix with
<code>helix_code/</code>.</p>
<h3 id="33-historical-bluffs--resolved-guard-against-regression">3.3
Historical Bluffs — Resolved, Guard Against Regression</h3>
<p>The three patterns below were live bluffs in earlier revisions of
<code>helix_code/cmd/cli/main.go</code>. They have been fixed (verify
with
<code>grep -rn &quot;simulate\|For now\|TODO implement\|placeholder&quot; helix_code/cmd/cli/main.go</code>
— must return empty). Treat these as canonical anti-pattern examples; if
a future change reintroduces any of them, the change is broken
regardless of whether tests pass.</p>
<h4 id="bluff-001-llm-generation-is-simulated">BLUFF-001: LLM Generation
is Simulated</h4>
<p><strong>Location</strong>: <code>helix_code/cmd/cli/main.go</code> →
function <code>handleGenerate</code> <strong>Status</strong>: RESOLVED —
now calls <code>provider.Generate</code> / <code>GenerateStream</code>
directly. Do not regress. <strong>Code Pattern</strong>:</p>
<div class="sourceCode" id="cb3"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a><span class="co">// ANTI-BLUFF: NEVER write code like this</span></span>
<span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a><span class="co">// &quot;For now, simulate generation&quot;</span></span>
<span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a><span class="co">// &quot;In production, this would use the actual LLM provider&quot;</span></span>
<span id="cb3-4"><a href="#cb3-4" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb3-5"><a href="#cb3-5" aria-hidden="true" tabindex="-1"></a><span class="co">// WRONG - SIMULATION:</span></span>
<span id="cb3-6"><a href="#cb3-6" aria-hidden="true" tabindex="-1"></a>response <span class="op">:=</span> fmt<span class="op">.</span>Sprintf<span class="op">(</span><span class="st">&quot;Generated response for: %s</span><span class="ch">\n\n</span><span class="st">This is a simulated response...&quot;</span><span class="op">)</span></span>
<span id="cb3-7"><a href="#cb3-7" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb3-8"><a href="#cb3-8" aria-hidden="true" tabindex="-1"></a><span class="co">// CORRECT - REAL IMPLEMENTATION:</span></span>
<span id="cb3-9"><a href="#cb3-9" aria-hidden="true" tabindex="-1"></a>resp<span class="op">,</span> err <span class="op">:=</span> c<span class="op">.</span>llmProvider<span class="op">.</span>Generate<span class="op">(</span>ctx<span class="op">,</span> req<span class="op">)</span></span>
<span id="cb3-10"><a href="#cb3-10" aria-hidden="true" tabindex="-1"></a><span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb3-11"><a href="#cb3-11" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;generation failed: %w&quot;</span><span class="op">,</span> err<span class="op">)</span></span>
<span id="cb3-12"><a href="#cb3-12" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span>
<span id="cb3-13"><a href="#cb3-13" aria-hidden="true" tabindex="-1"></a>fmt<span class="op">.</span>Println<span class="op">(</span>resp<span class="op">.</span>Text<span class="op">)</span></span></code></pre></div>
<p><strong>Agent Rule</strong>: When implementing LLM-related code, you
MUST make real HTTP calls to real providers. NEVER simulate
responses.</p>
<h3 id="34-build--test-commands">3.4 Build &amp; Test Commands</h3>
<p>Two Makefiles. The <strong>root</strong> Makefile only runs
governance gates; the <strong>inner</strong>
<code>helix_code/Makefile</code> does real builds and tests. Always know
which directory you are in.</p>
<p><strong>Root governance gates</strong> (run from repo root):</p>
<div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> no-silent-skips         <span class="co"># fail on bare t.Skip() without SKIP-OK marker</span></span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> demo-all                <span class="co"># run every submodule&#39;s demo (proves they actually run)</span></span>
<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> demo-one MOD=<span class="op">&lt;</span>name<span class="op">&gt;</span>     <span class="co"># run one submodule&#39;s demo</span></span>
<span id="cb4-4"><a href="#cb4-4" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> ci-validate-all         <span class="co"># all governance gates in warn-mode</span></span>
<span id="cb4-5"><a href="#cb4-5" aria-hidden="true" tabindex="-1"></a><span class="ex">./setup.sh</span>                   <span class="co"># first-time: submodules + system deps + build</span></span>
<span id="cb4-6"><a href="#cb4-6" aria-hidden="true" tabindex="-1"></a><span class="ex">./scripts/init-submodules.sh</span>                 <span class="co"># init all submodules</span></span>
<span id="cb4-7"><a href="#cb4-7" aria-hidden="true" tabindex="-1"></a><span class="ex">./scripts/propagate-governance.sh</span>            <span class="co"># cascade Constitution/CLAUDE/AGENTS</span></span>
<span id="cb4-8"><a href="#cb4-8" aria-hidden="true" tabindex="-1"></a><span class="ex">./scripts/verify-governance-cascade.sh</span>       <span class="co"># confirm anchors present in submodules</span></span>
<span id="cb4-9"><a href="#cb4-9" aria-hidden="true" tabindex="-1"></a><span class="ex">./helix</span> start <span class="kw">|</span> <span class="ex">stop</span> <span class="kw">|</span> <span class="ex">logs</span> <span class="kw">|</span> <span class="ex">shell</span>          <span class="co"># Docker facade for the platform</span></span></code></pre></div>
<p><strong>Inner application</strong> (run from
<code>helix_code/</code>):</p>
<div class="sourceCode" id="cb5"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> build                   <span class="co"># → bin/helixcode (server)</span></span>
<span id="cb5-2"><a href="#cb5-2" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> verify-compile          <span class="co"># quick compile-only sanity check</span></span>
<span id="cb5-3"><a href="#cb5-3" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test                    <span class="co"># all unit tests</span></span>
<span id="cb5-4"><a href="#cb5-4" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-coverage           <span class="co"># coverage with -race</span></span>
<span id="cb5-5"><a href="#cb5-5" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> fmt                     <span class="co"># gofmt</span></span>
<span id="cb5-6"><a href="#cb5-6" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> lint                    <span class="co"># golangci-lint run</span></span>
<span id="cb5-7"><a href="#cb5-7" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> dev                     <span class="co"># build + run with config/dev/config.yaml</span></span>
<span id="cb5-8"><a href="#cb5-8" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> prod                    <span class="co"># cross-compile linux/macos/windows</span></span></code></pre></div>
<p><strong>Full integration / E2E</strong> (real PostgreSQL + Redis +
Ollama via docker-compose):</p>
<div class="sourceCode" id="cb6"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-infra-up                           <span class="co"># start docker-compose.full-test.yml</span></span>
<span id="cb6-2"><a href="#cb6-2" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-infra-status                       <span class="co"># check stack health</span></span>
<span id="cb6-3"><a href="#cb6-3" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-full                               <span class="co"># ALL tests, ZERO skips</span></span>
<span id="cb6-4"><a href="#cb6-4" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-unit-full / test-integration-full / test-e2e-full / test-security-full</span>
<span id="cb6-5"><a href="#cb6-5" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-verifier-unit / test-verifier-integration / test-verifier-challenges</span>
<span id="cb6-6"><a href="#cb6-6" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-infra-down                         <span class="co"># tear down stack + volumes</span></span></code></pre></div>
<p><strong>Containerized builds</strong> (no host Go required):</p>
<div class="sourceCode" id="cb7"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> container-builder-image    <span class="co"># build the builder image once</span></span>
<span id="cb7-2"><a href="#cb7-2" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> container-build            <span class="co"># build inside container</span></span>
<span id="cb7-3"><a href="#cb7-3" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> container-test             <span class="co"># test inside container</span></span>
<span id="cb7-4"><a href="#cb7-4" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> container-shell            <span class="co"># interactive shell in builder</span></span>
<span id="cb7-5"><a href="#cb7-5" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> container-release          <span class="co"># full release in container</span></span></code></pre></div>
<p><strong>Single-test invocation</strong> (inner module):</p>
<div class="sourceCode" id="cb8"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> HelixCode</span>
<span id="cb8-2"><a href="#cb8-2" aria-hidden="true" tabindex="-1"></a><span class="ex">go</span> test <span class="at">-v</span> <span class="at">-run</span> TestJWTGenerate ./internal/auth                          <span class="co"># single unit test</span></span>
<span id="cb8-3"><a href="#cb8-3" aria-hidden="true" tabindex="-1"></a><span class="ex">go</span> test <span class="at">-v</span> <span class="at">-tags</span><span class="op">=</span>integration <span class="at">-run</span> TestAPI_CreateTask ./tests/integration/...</span>
<span id="cb8-4"><a href="#cb8-4" aria-hidden="true" tabindex="-1"></a><span class="ex">go</span> test <span class="at">-v</span> <span class="at">-count</span><span class="op">=</span>1 ./internal/verifier/...                              <span class="co"># disable test cache</span></span>
<span id="cb8-5"><a href="#cb8-5" aria-hidden="true" tabindex="-1"></a><span class="ex">go</span> test <span class="at">-v</span> <span class="at">-race</span> <span class="at">-coverprofile</span><span class="op">=</span>cover.out ./internal/llm                  <span class="co"># one pkg with race+cover</span></span></code></pre></div>
<p><strong>E2E challenges</strong> (real, end-to-end, runtime evidence
required):</p>
<div class="sourceCode" id="cb9"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb9-1"><a href="#cb9-1" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> helix_code/tests/e2e/challenges <span class="kw">&amp;&amp;</span> <span class="ex">go</span> run cmd/runner/main.go <span class="at">-all</span></span>
<span id="cb9-2"><a href="#cb9-2" aria-hidden="true" tabindex="-1"></a><span class="co"># Or root-level cross-cutting Challenges:</span></span>
<span id="cb9-3"><a href="#cb9-3" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> Challenges <span class="kw">&amp;&amp;</span> <span class="fu">make</span> <span class="op">&lt;</span>target<span class="op">&gt;</span></span></code></pre></div>
<p><strong>Anti-bluff smoke check</strong> (must always pass):</p>
<div class="sourceCode" id="cb10"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb10-1"><a href="#cb10-1" aria-hidden="true" tabindex="-1"></a><span class="fu">grep</span> <span class="at">-rn</span> <span class="st">&quot;simulated\|for now\|TODO implement\|placeholder&quot;</span> <span class="dt">\</span></span>
<span id="cb10-2"><a href="#cb10-2" aria-hidden="true" tabindex="-1"></a>  helix_code/internal helix_code/cmd <span class="kw">&amp;&amp;</span> <span class="bu">echo</span> <span class="st">&quot;BLUFF FOUND&quot;</span> <span class="kw">||</span> <span class="bu">echo</span> <span class="st">&quot;clean&quot;</span></span></code></pre></div>
<p><strong>Platform / mobile builds</strong> (inner module):</p>
<div class="sourceCode" id="cb11"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb11-1"><a href="#cb11-1" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> desktop / desktop-nogui / desktop-linux / desktop-macos / desktop-windows</span>
<span id="cb11-2"><a href="#cb11-2" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> mobile-init <span class="kw">&amp;&amp;</span> <span class="fu">make</span> mobile-ios <span class="kw">&amp;&amp;</span> <span class="fu">make</span> mobile-android</span>
<span id="cb11-3"><a href="#cb11-3" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> aurora-os <span class="kw">&amp;&amp;</span> <span class="fu">make</span> harmony-os</span></code></pre></div>
<h4 id="bluff-002-model-listing-is-hardcoded">BLUFF-002: Model Listing
is Hardcoded</h4>
<p><strong>Location</strong>: <code>helix_code/cmd/cli/main.go</code> →
function <code>handleListModels</code> <strong>Status</strong>: RESOLVED
— must continue to query <code>c.providerManager.GetProviders()</code>
per CONST-036/037 (LLMsVerifier is the single source of truth).
<strong>Correct Pattern</strong>:</p>
<div class="sourceCode" id="cb12"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb12-1"><a href="#cb12-1" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>c <span class="op">*</span>CLI<span class="op">)</span> handleListModels<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">)</span> <span class="dt">error</span> <span class="op">{</span></span>
<span id="cb12-2"><a href="#cb12-2" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Query ALL configured providers</span></span>
<span id="cb12-3"><a href="#cb12-3" aria-hidden="true" tabindex="-1"></a>    <span class="cf">for</span> name<span class="op">,</span> provider <span class="op">:=</span> <span class="kw">range</span> c<span class="op">.</span>providerManager<span class="op">.</span>GetProviders<span class="op">()</span> <span class="op">{</span></span>
<span id="cb12-4"><a href="#cb12-4" aria-hidden="true" tabindex="-1"></a>        models<span class="op">,</span> err <span class="op">:=</span> provider<span class="op">.</span>GetModels<span class="op">()</span></span>
<span id="cb12-5"><a href="#cb12-5" aria-hidden="true" tabindex="-1"></a>        <span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb12-6"><a href="#cb12-6" aria-hidden="true" tabindex="-1"></a>            log<span class="op">.</span>Printf<span class="op">(</span><span class="st">&quot;Warning: failed to list models from %s: %v&quot;</span><span class="op">,</span> name<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb12-7"><a href="#cb12-7" aria-hidden="true" tabindex="-1"></a>            <span class="cf">continue</span></span>
<span id="cb12-8"><a href="#cb12-8" aria-hidden="true" tabindex="-1"></a>        <span class="op">}</span></span>
<span id="cb12-9"><a href="#cb12-9" aria-hidden="true" tabindex="-1"></a>        <span class="co">// Display real models</span></span>
<span id="cb12-10"><a href="#cb12-10" aria-hidden="true" tabindex="-1"></a>        <span class="cf">for</span> _<span class="op">,</span> model <span class="op">:=</span> <span class="kw">range</span> models <span class="op">{</span></span>
<span id="cb12-11"><a href="#cb12-11" aria-hidden="true" tabindex="-1"></a>            fmt<span class="op">.</span>Printf<span class="op">(</span><span class="st">&quot;%s/%s: %s (context: %d)</span><span class="ch">\n</span><span class="st">&quot;</span><span class="op">,</span> name<span class="op">,</span> model<span class="op">.</span>ID<span class="op">,</span> model<span class="op">.</span>Name<span class="op">,</span> model<span class="op">.</span>ContextSize<span class="op">)</span></span>
<span id="cb12-12"><a href="#cb12-12" aria-hidden="true" tabindex="-1"></a>        <span class="op">}</span></span>
<span id="cb12-13"><a href="#cb12-13" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb12-14"><a href="#cb12-14" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> <span class="ot">nil</span></span>
<span id="cb12-15"><a href="#cb12-15" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h4 id="bluff-003-command-execution-is-simulated">BLUFF-003: Command
Execution is Simulated</h4>
<p><strong>Location</strong>: <code>helix_code/cmd/cli/main.go</code> →
function <code>handleCommand</code> <strong>Status</strong>: RESOLVED —
must continue to use <code>os/exec</code> via
<code>exec.CommandContext</code> and surface real exit codes. Never
replace with print-and-sleep. <strong>Correct Pattern</strong>:</p>
<div class="sourceCode" id="cb13"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>c <span class="op">*</span>CLI<span class="op">)</span> handleCommand<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">,</span> command <span class="dt">string</span><span class="op">)</span> <span class="dt">error</span> <span class="op">{</span></span>
<span id="cb13-2"><a href="#cb13-2" aria-hidden="true" tabindex="-1"></a>    <span class="co">// ANTI-BLUFF: Actually execute the command</span></span>
<span id="cb13-3"><a href="#cb13-3" aria-hidden="true" tabindex="-1"></a>    cmd <span class="op">:=</span> exec<span class="op">.</span>CommandContext<span class="op">(</span>ctx<span class="op">,</span> <span class="st">&quot;sh&quot;</span><span class="op">,</span> <span class="st">&quot;-c&quot;</span><span class="op">,</span> command<span class="op">)</span></span>
<span id="cb13-4"><a href="#cb13-4" aria-hidden="true" tabindex="-1"></a>    cmd<span class="op">.</span>Dir <span class="op">=</span> c<span class="op">.</span>workingDirectory</span>
<span id="cb13-5"><a href="#cb13-5" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb13-6"><a href="#cb13-6" aria-hidden="true" tabindex="-1"></a>    output<span class="op">,</span> err <span class="op">:=</span> cmd<span class="op">.</span>CombinedOutput<span class="op">()</span></span>
<span id="cb13-7"><a href="#cb13-7" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb13-8"><a href="#cb13-8" aria-hidden="true" tabindex="-1"></a>    fmt<span class="op">.</span>Printf<span class="op">(</span><span class="st">&quot;Exit code: %d</span><span class="ch">\n</span><span class="st">&quot;</span><span class="op">,</span> cmd<span class="op">.</span>ProcessState<span class="op">.</span>ExitCode<span class="op">())</span></span>
<span id="cb13-9"><a href="#cb13-9" aria-hidden="true" tabindex="-1"></a>    fmt<span class="op">.</span>Printf<span class="op">(</span><span class="st">&quot;Output:</span><span class="ch">\n</span><span class="st">%s</span><span class="ch">\n</span><span class="st">&quot;</span><span class="op">,</span> <span class="dt">string</span><span class="op">(</span>output<span class="op">))</span></span>
<span id="cb13-10"><a href="#cb13-10" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb13-11"><a href="#cb13-11" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> err</span>
<span id="cb13-12"><a href="#cb13-12" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<hr />
<h2 id="4-code-patterns-for-agents">4. Code Patterns for Agents</h2>
<h3 id="41-interface-driven-design">4.1 Interface-Driven Design</h3>
<div class="sourceCode" id="cb14"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb14-1"><a href="#cb14-1" aria-hidden="true" tabindex="-1"></a><span class="co">// Define the contract</span></span>
<span id="cb14-2"><a href="#cb14-2" aria-hidden="true" tabindex="-1"></a><span class="kw">type</span> Provider <span class="kw">interface</span> <span class="op">{</span></span>
<span id="cb14-3"><a href="#cb14-3" aria-hidden="true" tabindex="-1"></a>    Generate<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">,</span> req <span class="op">*</span>GenerateRequest<span class="op">)</span> <span class="op">(*</span>GenerateResponse<span class="op">,</span> <span class="dt">error</span><span class="op">)</span></span>
<span id="cb14-4"><a href="#cb14-4" aria-hidden="true" tabindex="-1"></a>    GetModels<span class="op">()</span> <span class="op">([]</span>Model<span class="op">,</span> <span class="dt">error</span><span class="op">)</span></span>
<span id="cb14-5"><a href="#cb14-5" aria-hidden="true" tabindex="-1"></a>    HealthCheck<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">)</span> <span class="dt">error</span></span>
<span id="cb14-6"><a href="#cb14-6" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span>
<span id="cb14-7"><a href="#cb14-7" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb14-8"><a href="#cb14-8" aria-hidden="true" tabindex="-1"></a><span class="co">// Implement with REAL behavior</span></span>
<span id="cb14-9"><a href="#cb14-9" aria-hidden="true" tabindex="-1"></a><span class="kw">type</span> OllamaProvider <span class="kw">struct</span> <span class="op">{</span> <span class="op">...</span> <span class="op">}</span></span>
<span id="cb14-10"><a href="#cb14-10" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>p <span class="op">*</span>OllamaProvider<span class="op">)</span> Generate<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">,</span> req <span class="op">*</span>GenerateRequest<span class="op">)</span> <span class="op">(*</span>GenerateResponse<span class="op">,</span> <span class="dt">error</span><span class="op">)</span> <span class="op">{</span></span>
<span id="cb14-11"><a href="#cb14-11" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Make REAL HTTP call</span></span>
<span id="cb14-12"><a href="#cb14-12" aria-hidden="true" tabindex="-1"></a>    <span class="co">// NO simulation</span></span>
<span id="cb14-13"><a href="#cb14-13" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h3 id="42-manager-pattern">4.2 Manager Pattern</h3>
<div class="sourceCode" id="cb15"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true" tabindex="-1"></a><span class="kw">type</span> TaskManager <span class="kw">struct</span> <span class="op">{</span></span>
<span id="cb15-2"><a href="#cb15-2" aria-hidden="true" tabindex="-1"></a>    db     TaskRepository</span>
<span id="cb15-3"><a href="#cb15-3" aria-hidden="true" tabindex="-1"></a>    mu     sync<span class="op">.</span>RWMutex</span>
<span id="cb15-4"><a href="#cb15-4" aria-hidden="true" tabindex="-1"></a>    tasks  <span class="kw">map</span><span class="op">[</span>uuid<span class="op">.</span>UUID<span class="op">]*</span>Task</span>
<span id="cb15-5"><a href="#cb15-5" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span>
<span id="cb15-6"><a href="#cb15-6" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb15-7"><a href="#cb15-7" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>m <span class="op">*</span>TaskManager<span class="op">)</span> Create<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">,</span> task <span class="op">*</span>Task<span class="op">)</span> <span class="dt">error</span> <span class="op">{</span></span>
<span id="cb15-8"><a href="#cb15-8" aria-hidden="true" tabindex="-1"></a>    m<span class="op">.</span>mu<span class="op">.</span>Lock<span class="op">()</span></span>
<span id="cb15-9"><a href="#cb15-9" aria-hidden="true" tabindex="-1"></a>    <span class="cf">defer</span> m<span class="op">.</span>mu<span class="op">.</span>Unlock<span class="op">()</span></span>
<span id="cb15-10"><a href="#cb15-10" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb15-11"><a href="#cb15-11" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Persist to REAL database</span></span>
<span id="cb15-12"><a href="#cb15-12" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">:=</span> m<span class="op">.</span>db<span class="op">.</span>Save<span class="op">(</span>ctx<span class="op">,</span> task<span class="op">);</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb15-13"><a href="#cb15-13" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;failed to save task: %w&quot;</span><span class="op">,</span> err<span class="op">)</span></span>
<span id="cb15-14"><a href="#cb15-14" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb15-15"><a href="#cb15-15" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb15-16"><a href="#cb15-16" aria-hidden="true" tabindex="-1"></a>    m<span class="op">.</span>tasks<span class="op">[</span>task<span class="op">.</span>ID<span class="op">]</span> <span class="op">=</span> task</span>
<span id="cb15-17"><a href="#cb15-17" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> <span class="ot">nil</span></span>
<span id="cb15-18"><a href="#cb15-18" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h3 id="43-error-handling">4.3 Error Handling</h3>
<div class="sourceCode" id="cb16"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true" tabindex="-1"></a><span class="co">// Package-level errors</span></span>
<span id="cb16-2"><a href="#cb16-2" aria-hidden="true" tabindex="-1"></a><span class="kw">var</span> <span class="op">(</span></span>
<span id="cb16-3"><a href="#cb16-3" aria-hidden="true" tabindex="-1"></a>    ErrInvalidCredentials <span class="op">=</span> errors<span class="op">.</span>New<span class="op">(</span><span class="st">&quot;invalid credentials&quot;</span><span class="op">)</span></span>
<span id="cb16-4"><a href="#cb16-4" aria-hidden="true" tabindex="-1"></a>    ErrTokenExpired       <span class="op">=</span> errors<span class="op">.</span>New<span class="op">(</span><span class="st">&quot;token expired&quot;</span><span class="op">)</span></span>
<span id="cb16-5"><a href="#cb16-5" aria-hidden="true" tabindex="-1"></a><span class="op">)</span></span>
<span id="cb16-6"><a href="#cb16-6" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb16-7"><a href="#cb16-7" aria-hidden="true" tabindex="-1"></a><span class="co">// Contextual wrapping</span></span>
<span id="cb16-8"><a href="#cb16-8" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>s <span class="op">*</span>Service<span class="op">)</span> DoSomething<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">)</span> <span class="dt">error</span> <span class="op">{</span></span>
<span id="cb16-9"><a href="#cb16-9" aria-hidden="true" tabindex="-1"></a>    result<span class="op">,</span> err <span class="op">:=</span> s<span class="op">.</span>db<span class="op">.</span>Query<span class="op">(</span>ctx<span class="op">)</span></span>
<span id="cb16-10"><a href="#cb16-10" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb16-11"><a href="#cb16-11" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;failed to query database for user %s: %w&quot;</span><span class="op">,</span> userID<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb16-12"><a href="#cb16-12" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb16-13"><a href="#cb16-13" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb16-14"><a href="#cb16-14" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">:=</span> s<span class="op">.</span>process<span class="op">(</span>result<span class="op">);</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb16-15"><a href="#cb16-15" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;failed to process query result: %w&quot;</span><span class="op">,</span> err<span class="op">)</span></span>
<span id="cb16-16"><a href="#cb16-16" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb16-17"><a href="#cb16-17" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb16-18"><a href="#cb16-18" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> <span class="ot">nil</span></span>
<span id="cb16-19"><a href="#cb16-19" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h3 id="44-testing-pattern-unit">4.4 Testing Pattern (Unit)</h3>
<div class="sourceCode" id="cb17"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb17-1"><a href="#cb17-1" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> TestService_DoSomething<span class="op">(</span>t <span class="op">*</span>testing<span class="op">.</span>T<span class="op">)</span> <span class="op">{</span></span>
<span id="cb17-2"><a href="#cb17-2" aria-hidden="true" tabindex="-1"></a>    tests <span class="op">:=</span> <span class="op">[]</span><span class="kw">struct</span> <span class="op">{</span></span>
<span id="cb17-3"><a href="#cb17-3" aria-hidden="true" tabindex="-1"></a>        name    <span class="dt">string</span></span>
<span id="cb17-4"><a href="#cb17-4" aria-hidden="true" tabindex="-1"></a>        setup   <span class="kw">func</span><span class="op">(*</span>mockRepository<span class="op">)</span></span>
<span id="cb17-5"><a href="#cb17-5" aria-hidden="true" tabindex="-1"></a>        wantErr <span class="dt">bool</span></span>
<span id="cb17-6"><a href="#cb17-6" aria-hidden="true" tabindex="-1"></a>    <span class="op">}{</span></span>
<span id="cb17-7"><a href="#cb17-7" aria-hidden="true" tabindex="-1"></a>        <span class="op">{</span></span>
<span id="cb17-8"><a href="#cb17-8" aria-hidden="true" tabindex="-1"></a>            name<span class="op">:</span> <span class="st">&quot;success&quot;</span><span class="op">,</span></span>
<span id="cb17-9"><a href="#cb17-9" aria-hidden="true" tabindex="-1"></a>            setup<span class="op">:</span> <span class="kw">func</span><span class="op">(</span>m <span class="op">*</span>mockRepository<span class="op">)</span> <span class="op">{</span></span>
<span id="cb17-10"><a href="#cb17-10" aria-hidden="true" tabindex="-1"></a>                m<span class="op">.</span>On<span class="op">(</span><span class="st">&quot;Query&quot;</span><span class="op">,</span> mock<span class="op">.</span>Anything<span class="op">).</span>Return<span class="op">(&amp;</span>Result<span class="op">{</span>Data<span class="op">:</span> <span class="st">&quot;test&quot;</span><span class="op">},</span> <span class="ot">nil</span><span class="op">)</span></span>
<span id="cb17-11"><a href="#cb17-11" aria-hidden="true" tabindex="-1"></a>            <span class="op">},</span></span>
<span id="cb17-12"><a href="#cb17-12" aria-hidden="true" tabindex="-1"></a>            wantErr<span class="op">:</span> <span class="ot">false</span><span class="op">,</span></span>
<span id="cb17-13"><a href="#cb17-13" aria-hidden="true" tabindex="-1"></a>        <span class="op">},</span></span>
<span id="cb17-14"><a href="#cb17-14" aria-hidden="true" tabindex="-1"></a>        <span class="op">{</span></span>
<span id="cb17-15"><a href="#cb17-15" aria-hidden="true" tabindex="-1"></a>            name<span class="op">:</span> <span class="st">&quot;database_error&quot;</span><span class="op">,</span></span>
<span id="cb17-16"><a href="#cb17-16" aria-hidden="true" tabindex="-1"></a>            setup<span class="op">:</span> <span class="kw">func</span><span class="op">(</span>m <span class="op">*</span>mockRepository<span class="op">)</span> <span class="op">{</span></span>
<span id="cb17-17"><a href="#cb17-17" aria-hidden="true" tabindex="-1"></a>                m<span class="op">.</span>On<span class="op">(</span><span class="st">&quot;Query&quot;</span><span class="op">,</span> mock<span class="op">.</span>Anything<span class="op">).</span>Return<span class="op">(</span><span class="ot">nil</span><span class="op">,</span> errors<span class="op">.</span>New<span class="op">(</span><span class="st">&quot;connection refused&quot;</span><span class="op">))</span></span>
<span id="cb17-18"><a href="#cb17-18" aria-hidden="true" tabindex="-1"></a>            <span class="op">},</span></span>
<span id="cb17-19"><a href="#cb17-19" aria-hidden="true" tabindex="-1"></a>            wantErr<span class="op">:</span> <span class="ot">true</span><span class="op">,</span></span>
<span id="cb17-20"><a href="#cb17-20" aria-hidden="true" tabindex="-1"></a>        <span class="op">},</span></span>
<span id="cb17-21"><a href="#cb17-21" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb17-22"><a href="#cb17-22" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb17-23"><a href="#cb17-23" aria-hidden="true" tabindex="-1"></a>    <span class="cf">for</span> _<span class="op">,</span> tt <span class="op">:=</span> <span class="kw">range</span> tests <span class="op">{</span></span>
<span id="cb17-24"><a href="#cb17-24" aria-hidden="true" tabindex="-1"></a>        t<span class="op">.</span>Run<span class="op">(</span>tt<span class="op">.</span>name<span class="op">,</span> <span class="kw">func</span><span class="op">(</span>t <span class="op">*</span>testing<span class="op">.</span>T<span class="op">)</span> <span class="op">{</span></span>
<span id="cb17-25"><a href="#cb17-25" aria-hidden="true" tabindex="-1"></a>            repo <span class="op">:=</span> <span class="bu">new</span><span class="op">(</span>mockRepository<span class="op">)</span></span>
<span id="cb17-26"><a href="#cb17-26" aria-hidden="true" tabindex="-1"></a>            tt<span class="op">.</span>setup<span class="op">(</span>repo<span class="op">)</span></span>
<span id="cb17-27"><a href="#cb17-27" aria-hidden="true" tabindex="-1"></a>            </span>
<span id="cb17-28"><a href="#cb17-28" aria-hidden="true" tabindex="-1"></a>            svc <span class="op">:=</span> NewService<span class="op">(</span>repo<span class="op">)</span></span>
<span id="cb17-29"><a href="#cb17-29" aria-hidden="true" tabindex="-1"></a>            err <span class="op">:=</span> svc<span class="op">.</span>DoSomething<span class="op">(</span>context<span class="op">.</span>Background<span class="op">())</span></span>
<span id="cb17-30"><a href="#cb17-30" aria-hidden="true" tabindex="-1"></a>            </span>
<span id="cb17-31"><a href="#cb17-31" aria-hidden="true" tabindex="-1"></a>            <span class="cf">if</span> tt<span class="op">.</span>wantErr <span class="op">{</span></span>
<span id="cb17-32"><a href="#cb17-32" aria-hidden="true" tabindex="-1"></a>                require<span class="op">.</span>Error<span class="op">(</span>t<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb17-33"><a href="#cb17-33" aria-hidden="true" tabindex="-1"></a>            <span class="op">}</span> <span class="cf">else</span> <span class="op">{</span></span>
<span id="cb17-34"><a href="#cb17-34" aria-hidden="true" tabindex="-1"></a>                require<span class="op">.</span>NoError<span class="op">(</span>t<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb17-35"><a href="#cb17-35" aria-hidden="true" tabindex="-1"></a>            <span class="op">}</span></span>
<span id="cb17-36"><a href="#cb17-36" aria-hidden="true" tabindex="-1"></a>            </span>
<span id="cb17-37"><a href="#cb17-37" aria-hidden="true" tabindex="-1"></a>            repo<span class="op">.</span>AssertExpectations<span class="op">(</span>t<span class="op">)</span></span>
<span id="cb17-38"><a href="#cb17-38" aria-hidden="true" tabindex="-1"></a>        <span class="op">})</span></span>
<span id="cb17-39"><a href="#cb17-39" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb17-40"><a href="#cb17-40" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h3 id="45-testing-pattern-integration---no-mocks">4.5 Testing Pattern
(Integration - NO MOCKS)</h3>
<div class="sourceCode" id="cb18"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb18-1"><a href="#cb18-1" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> TestAPI_CreateTask_Integration<span class="op">(</span>t <span class="op">*</span>testing<span class="op">.</span>T<span class="op">)</span> <span class="op">{</span></span>
<span id="cb18-2"><a href="#cb18-2" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> testing<span class="op">.</span>Short<span class="op">()</span> <span class="op">{</span></span>
<span id="cb18-3"><a href="#cb18-3" aria-hidden="true" tabindex="-1"></a>        t<span class="op">.</span>Skip<span class="op">(</span><span class="st">&quot;Integration test skipped in short mode&quot;</span><span class="op">)</span></span>
<span id="cb18-4"><a href="#cb18-4" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb18-5"><a href="#cb18-5" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb18-6"><a href="#cb18-6" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Start REAL PostgreSQL container</span></span>
<span id="cb18-7"><a href="#cb18-7" aria-hidden="true" tabindex="-1"></a>    dbContainer <span class="op">:=</span> startPostgresContainer<span class="op">(</span>t<span class="op">)</span></span>
<span id="cb18-8"><a href="#cb18-8" aria-hidden="true" tabindex="-1"></a>    <span class="cf">defer</span> dbContainer<span class="op">.</span>Terminate<span class="op">(</span>context<span class="op">.</span>Background<span class="op">())</span></span>
<span id="cb18-9"><a href="#cb18-9" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb18-10"><a href="#cb18-10" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Connect to REAL database</span></span>
<span id="cb18-11"><a href="#cb18-11" aria-hidden="true" tabindex="-1"></a>    db <span class="op">:=</span> connectToPostgres<span class="op">(</span>dbContainer<span class="op">)</span></span>
<span id="cb18-12"><a href="#cb18-12" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb18-13"><a href="#cb18-13" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Initialize REAL service</span></span>
<span id="cb18-14"><a href="#cb18-14" aria-hidden="true" tabindex="-1"></a>    taskMgr <span class="op">:=</span> task<span class="op">.</span>NewManager<span class="op">(</span>db<span class="op">)</span></span>
<span id="cb18-15"><a href="#cb18-15" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb18-16"><a href="#cb18-16" aria-hidden="true" tabindex="-1"></a>    <span class="co">// ANTI-BLUFF: Test with REAL data</span></span>
<span id="cb18-17"><a href="#cb18-17" aria-hidden="true" tabindex="-1"></a>    task<span class="op">,</span> err <span class="op">:=</span> taskMgr<span class="op">.</span>Create<span class="op">(</span>context<span class="op">.</span>Background<span class="op">(),</span> <span class="op">&amp;</span>task<span class="op">.</span>Task<span class="op">{</span></span>
<span id="cb18-18"><a href="#cb18-18" aria-hidden="true" tabindex="-1"></a>        Title<span class="op">:</span> <span class="st">&quot;Integration Test Task&quot;</span><span class="op">,</span></span>
<span id="cb18-19"><a href="#cb18-19" aria-hidden="true" tabindex="-1"></a>    <span class="op">})</span></span>
<span id="cb18-20"><a href="#cb18-20" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb18-21"><a href="#cb18-21" aria-hidden="true" tabindex="-1"></a>    require<span class="op">.</span>NoError<span class="op">(</span>t<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb18-22"><a href="#cb18-22" aria-hidden="true" tabindex="-1"></a>    require<span class="op">.</span>NotZero<span class="op">(</span>t<span class="op">,</span> task<span class="op">.</span>ID<span class="op">)</span></span>
<span id="cb18-23"><a href="#cb18-23" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb18-24"><a href="#cb18-24" aria-hidden="true" tabindex="-1"></a>    <span class="co">// ANTI-BLUFF: Verify it REALLY exists in database</span></span>
<span id="cb18-25"><a href="#cb18-25" aria-hidden="true" tabindex="-1"></a>    persisted<span class="op">,</span> err <span class="op">:=</span> taskMgr<span class="op">.</span>Get<span class="op">(</span>context<span class="op">.</span>Background<span class="op">(),</span> task<span class="op">.</span>ID<span class="op">)</span></span>
<span id="cb18-26"><a href="#cb18-26" aria-hidden="true" tabindex="-1"></a>    require<span class="op">.</span>NoError<span class="op">(</span>t<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb18-27"><a href="#cb18-27" aria-hidden="true" tabindex="-1"></a>    require<span class="op">.</span>Equal<span class="op">(</span>t<span class="op">,</span> <span class="st">&quot;Integration Test Task&quot;</span><span class="op">,</span> persisted<span class="op">.</span>Title<span class="op">)</span></span>
<span id="cb18-28"><a href="#cb18-28" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<hr />
<h2 id="5-anti-bluff-checklist-for-every-task">5. Anti-Bluff Checklist
for Every Task</h2>
<p>Before marking any task complete, verify:</p>
<ul class="task-list">
<li><label><input type="checkbox"></input><strong>No simulation</strong>: Code
doesn&#39;t contain &quot;simulate&quot;, &quot;for now&quot;, &quot;TODO implement&quot;,
&quot;placeholder&quot;</label></li>
<li><label><input type="checkbox"></input><strong>Real HTTP calls</strong>:
API clients make actual HTTP requests with real bodies</label></li>
<li><label><input type="checkbox"></input><strong>Real database
operations</strong>: Database code uses real queries, not in-memory maps
(unless explicitly caching)</label></li>
<li><label><input type="checkbox"></input><strong>Real process
execution</strong>: Shell/command execution uses <code>os/exec</code>,
not <code>fmt.Printf</code> + <code>time.Sleep</code></label></li>
<li><label><input type="checkbox"></input><strong>Real file
operations</strong>: File tools use
<code>os.ReadFile</code>/<code>os.WriteFile</code>, not mock in-memory
buffers</label></li>
<li><label><input type="checkbox"></input><strong>Test validates
reality</strong>: Tests check actual behavior, not just function call
counts</label></li>
<li><label><input type="checkbox"></input><strong>Challenge validates
end-to-end</strong>: Challenge script exercises the complete user
workflow</label></li>
<li><label><input type="checkbox"></input><strong>Documentation example
works</strong>: README example executes successfully when
copy-pasted</label></li>
<li><label><input type="checkbox"></input><strong>No bare skips</strong>: All
<code>t.Skip()</code> have <code>SKIP-OK: #&lt;ticket&gt;</code>
markers</label></li>
<li><label><input type="checkbox"></input><strong>Evidence pasted</strong>:
Commit/PR contains actual terminal output from real
execution</label></li>
</ul>
<hr />
<h2 id="6-common-anti-patterns-to-avoid">6. Common Anti-Patterns to
Avoid</h2>
<h3 id="anti-pattern-1-the-simulation-trap">ANTI-PATTERN 1: The
Simulation Trap</h3>
<div class="sourceCode" id="cb19"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb19-1"><a href="#cb19-1" aria-hidden="true" tabindex="-1"></a><span class="co">// WRONG</span></span>
<span id="cb19-2"><a href="#cb19-2" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> Generate<span class="op">(</span>prompt <span class="dt">string</span><span class="op">)</span> <span class="dt">string</span> <span class="op">{</span></span>
<span id="cb19-3"><a href="#cb19-3" aria-hidden="true" tabindex="-1"></a>    <span class="co">// For now, just return a simulated response</span></span>
<span id="cb19-4"><a href="#cb19-4" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> fmt<span class="op">.</span>Sprintf<span class="op">(</span><span class="st">&quot;Generated: %s&quot;</span><span class="op">,</span> prompt<span class="op">)</span></span>
<span id="cb19-5"><a href="#cb19-5" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span>
<span id="cb19-6"><a href="#cb19-6" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb19-7"><a href="#cb19-7" aria-hidden="true" tabindex="-1"></a><span class="co">// CORRECT</span></span>
<span id="cb19-8"><a href="#cb19-8" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>p <span class="op">*</span>Provider<span class="op">)</span> Generate<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">,</span> req <span class="op">*</span>GenerateRequest<span class="op">)</span> <span class="op">(*</span>GenerateResponse<span class="op">,</span> <span class="dt">error</span><span class="op">)</span> <span class="op">{</span></span>
<span id="cb19-9"><a href="#cb19-9" aria-hidden="true" tabindex="-1"></a>    resp<span class="op">,</span> err <span class="op">:=</span> p<span class="op">.</span>client<span class="op">.</span>Post<span class="op">(</span>p<span class="op">.</span>endpoint<span class="op">,</span> req<span class="op">)</span></span>
<span id="cb19-10"><a href="#cb19-10" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb19-11"><a href="#cb19-11" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> <span class="ot">nil</span><span class="op">,</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;generation request failed: %w&quot;</span><span class="op">,</span> err<span class="op">)</span></span>
<span id="cb19-12"><a href="#cb19-12" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb19-13"><a href="#cb19-13" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> parseResponse<span class="op">(</span>resp<span class="op">)</span></span>
<span id="cb19-14"><a href="#cb19-14" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h3 id="anti-pattern-2-the-hardcoded-list">ANTI-PATTERN 2: The Hardcoded
List</h3>
<div class="sourceCode" id="cb20"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb20-1"><a href="#cb20-1" aria-hidden="true" tabindex="-1"></a><span class="co">// WRONG</span></span>
<span id="cb20-2"><a href="#cb20-2" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> ListModels<span class="op">()</span> <span class="op">[]</span>Model <span class="op">{</span></span>
<span id="cb20-3"><a href="#cb20-3" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> <span class="op">[]</span>Model<span class="op">{</span></span>
<span id="cb20-4"><a href="#cb20-4" aria-hidden="true" tabindex="-1"></a>        <span class="op">{</span><span class="st">&quot;llama-3-8b&quot;</span><span class="op">,</span> <span class="st">&quot;Llama 3 8B&quot;</span><span class="op">},</span></span>
<span id="cb20-5"><a href="#cb20-5" aria-hidden="true" tabindex="-1"></a>        <span class="op">{</span><span class="st">&quot;mistral-7b&quot;</span><span class="op">,</span> <span class="st">&quot;Mistral 7B&quot;</span><span class="op">},</span></span>
<span id="cb20-6"><a href="#cb20-6" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb20-7"><a href="#cb20-7" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span>
<span id="cb20-8"><a href="#cb20-8" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb20-9"><a href="#cb20-9" aria-hidden="true" tabindex="-1"></a><span class="co">// CORRECT</span></span>
<span id="cb20-10"><a href="#cb20-10" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>p <span class="op">*</span>Provider<span class="op">)</span> GetModels<span class="op">()</span> <span class="op">([]</span>Model<span class="op">,</span> <span class="dt">error</span><span class="op">)</span> <span class="op">{</span></span>
<span id="cb20-11"><a href="#cb20-11" aria-hidden="true" tabindex="-1"></a>    resp<span class="op">,</span> err <span class="op">:=</span> p<span class="op">.</span>client<span class="op">.</span>Get<span class="op">(</span>p<span class="op">.</span>baseURL <span class="op">+</span> <span class="st">&quot;/api/tags&quot;</span><span class="op">)</span></span>
<span id="cb20-12"><a href="#cb20-12" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb20-13"><a href="#cb20-13" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> <span class="ot">nil</span><span class="op">,</span> err</span>
<span id="cb20-14"><a href="#cb20-14" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb20-15"><a href="#cb20-15" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> parseModelList<span class="op">(</span>resp<span class="op">)</span></span>
<span id="cb20-16"><a href="#cb20-16" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<h3 id="anti-pattern-3-the-stub-interface">ANTI-PATTERN 3: The Stub
Interface</h3>
<div class="sourceCode" id="cb21"><pre class="sourceCode go"><code class="sourceCode go"><span id="cb21-1"><a href="#cb21-1" aria-hidden="true" tabindex="-1"></a><span class="co">// WRONG</span></span>
<span id="cb21-2"><a href="#cb21-2" aria-hidden="true" tabindex="-1"></a><span class="kw">type</span> WorkerPool <span class="kw">struct</span> <span class="op">{}</span></span>
<span id="cb21-3"><a href="#cb21-3" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>p <span class="op">*</span>WorkerPool<span class="op">)</span> AddWorker<span class="op">(</span>w <span class="op">*</span>Worker<span class="op">)</span> <span class="dt">error</span> <span class="op">{</span></span>
<span id="cb21-4"><a href="#cb21-4" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> <span class="ot">nil</span>  <span class="co">// </span><span class="al">TODO</span><span class="co">: implement</span></span>
<span id="cb21-5"><a href="#cb21-5" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span>
<span id="cb21-6"><a href="#cb21-6" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb21-7"><a href="#cb21-7" aria-hidden="true" tabindex="-1"></a><span class="co">// CORRECT</span></span>
<span id="cb21-8"><a href="#cb21-8" aria-hidden="true" tabindex="-1"></a><span class="kw">func</span> <span class="op">(</span>p <span class="op">*</span>SSHWorkerPool<span class="op">)</span> AddWorker<span class="op">(</span>ctx context<span class="op">.</span>Context<span class="op">,</span> w <span class="op">*</span>SSHWorker<span class="op">)</span> <span class="dt">error</span> <span class="op">{</span></span>
<span id="cb21-9"><a href="#cb21-9" aria-hidden="true" tabindex="-1"></a>    client<span class="op">,</span> err <span class="op">:=</span> ssh<span class="op">.</span>Dial<span class="op">(</span><span class="st">&quot;tcp&quot;</span><span class="op">,</span> w<span class="op">.</span>Host<span class="op">,</span> w<span class="op">.</span>SSHConfig<span class="op">)</span></span>
<span id="cb21-10"><a href="#cb21-10" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb21-11"><a href="#cb21-11" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;failed to connect to worker %s: %w&quot;</span><span class="op">,</span> w<span class="op">.</span>Host<span class="op">,</span> err<span class="op">)</span></span>
<span id="cb21-12"><a href="#cb21-12" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb21-13"><a href="#cb21-13" aria-hidden="true" tabindex="-1"></a>    <span class="cf">defer</span> client<span class="op">.</span>Close<span class="op">()</span></span>
<span id="cb21-14"><a href="#cb21-14" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb21-15"><a href="#cb21-15" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Verify worker has helix binary</span></span>
<span id="cb21-16"><a href="#cb21-16" aria-hidden="true" tabindex="-1"></a>    session<span class="op">,</span> err <span class="op">:=</span> client<span class="op">.</span>NewSession<span class="op">()</span></span>
<span id="cb21-17"><a href="#cb21-17" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb21-18"><a href="#cb21-18" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;failed to create SSH session: %w&quot;</span><span class="op">,</span> err<span class="op">)</span></span>
<span id="cb21-19"><a href="#cb21-19" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb21-20"><a href="#cb21-20" aria-hidden="true" tabindex="-1"></a>    <span class="cf">defer</span> session<span class="op">.</span>Close<span class="op">()</span></span>
<span id="cb21-21"><a href="#cb21-21" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb21-22"><a href="#cb21-22" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Actually test the worker</span></span>
<span id="cb21-23"><a href="#cb21-23" aria-hidden="true" tabindex="-1"></a>    output<span class="op">,</span> err <span class="op">:=</span> session<span class="op">.</span>Output<span class="op">(</span><span class="st">&quot;which helix || echo &#39;NOT_INSTALLED&#39;&quot;</span><span class="op">)</span></span>
<span id="cb21-24"><a href="#cb21-24" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> strings<span class="op">.</span>Contains<span class="op">(</span><span class="dt">string</span><span class="op">(</span>output<span class="op">),</span> <span class="st">&quot;NOT_INSTALLED&quot;</span><span class="op">)</span> <span class="op">{</span></span>
<span id="cb21-25"><a href="#cb21-25" aria-hidden="true" tabindex="-1"></a>        <span class="co">// Auto-install</span></span>
<span id="cb21-26"><a href="#cb21-26" aria-hidden="true" tabindex="-1"></a>        <span class="cf">if</span> err <span class="op">:=</span> p<span class="op">.</span>installWorker<span class="op">(</span>ctx<span class="op">,</span> client<span class="op">);</span> err <span class="op">!=</span> <span class="ot">nil</span> <span class="op">{</span></span>
<span id="cb21-27"><a href="#cb21-27" aria-hidden="true" tabindex="-1"></a>            <span class="cf">return</span> fmt<span class="op">.</span>Errorf<span class="op">(</span><span class="st">&quot;failed to install worker: %w&quot;</span><span class="op">,</span> err<span class="op">)</span></span>
<span id="cb21-28"><a href="#cb21-28" aria-hidden="true" tabindex="-1"></a>        <span class="op">}</span></span>
<span id="cb21-29"><a href="#cb21-29" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
<span id="cb21-30"><a href="#cb21-30" aria-hidden="true" tabindex="-1"></a>    </span>
<span id="cb21-31"><a href="#cb21-31" aria-hidden="true" tabindex="-1"></a>    p<span class="op">.</span>workers<span class="op">[</span>w<span class="op">.</span>Hostname<span class="op">]</span> <span class="op">=</span> w</span>
<span id="cb21-32"><a href="#cb21-32" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> <span class="ot">nil</span></span>
<span id="cb21-33"><a href="#cb21-33" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
<hr />
<h2 id="7-working-with-submodules">7. Working with Submodules</h2>
<p>HelixCode has 80+ submodules. When working with them:</p>
<ol type="1">
<li><strong>Check governance</strong>: Does the submodule have
Constitution.md / CLAUDE.md / AGENTS.md?</li>
<li><strong>Add if missing</strong>: Create governance files referencing
parent</li>
<li><strong>Verify builds</strong>: Does the submodule actually
compile?</li>
<li><strong>Test integration</strong>: Does HelixCode integration with
this submodule work?</li>
</ol>
<hr />
<h2 id="8-emergency-procedures">8. Emergency Procedures</h2>
<h3 id="if-you-discover-a-bluff">If You Discover a Bluff</h3>
<ol type="1">
<li>STOP working on dependent features</li>
<li>Document the bluff in <code>docs/issues/BLUFFS.md</code></li>
<li>Write a Challenge that reproduces the bluff</li>
<li>Fix the bluff</li>
<li>Verify the Challenge now passes</li>
<li>Update documentation to reflect reality</li>
</ol>
<h3 id="if-a-test-passes-but-feature-doesnt-work">If a Test Passes But
Feature Doesn&#39;t Work</h3>
<ol type="1">
<li>The test is a bluff - tighten it</li>
<li>Add assertions that verify actual output quality</li>
<li>Add anti-bluff checks (no &quot;simulated&quot; in responses)</li>
<li>Run the test against real infrastructure</li>
<li>Verify it FAILS with the broken code</li>
<li>Then fix the code</li>
</ol>
<hr />
<h2 id="9-reference-commands">9. Reference Commands</h2>
<p>The full command catalog lives in <strong>§3.4 Build &amp; Test
Commands</strong>. The block below is only the smoke-test you should run
before claiming any change is done.</p>
<div class="sourceCode" id="cb22"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb22-1"><a href="#cb22-1" aria-hidden="true" tabindex="-1"></a><span class="co"># 1. Compiles?</span></span>
<span id="cb22-2"><a href="#cb22-2" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> HelixCode <span class="kw">&amp;&amp;</span> <span class="fu">make</span> verify-compile</span>
<span id="cb22-3"><a href="#cb22-3" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb22-4"><a href="#cb22-4" aria-hidden="true" tabindex="-1"></a><span class="co"># 2. Unit tests (mocks allowed only here)</span></span>
<span id="cb22-5"><a href="#cb22-5" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> HelixCode <span class="kw">&amp;&amp;</span> <span class="ex">go</span> test <span class="at">-count</span><span class="op">=</span>1 ./...</span>
<span id="cb22-6"><a href="#cb22-6" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb22-7"><a href="#cb22-7" aria-hidden="true" tabindex="-1"></a><span class="co"># 3. Anti-bluff scan</span></span>
<span id="cb22-8"><a href="#cb22-8" aria-hidden="true" tabindex="-1"></a><span class="fu">grep</span> <span class="at">-rn</span> <span class="st">&quot;simulated\|for now\|TODO implement\|placeholder&quot;</span> <span class="dt">\</span></span>
<span id="cb22-9"><a href="#cb22-9" aria-hidden="true" tabindex="-1"></a>  helix_code/internal helix_code/cmd <span class="kw">&amp;&amp;</span> <span class="bu">echo</span> <span class="st">&quot;BLUFF FOUND&quot;</span> <span class="kw">||</span> <span class="bu">echo</span> <span class="st">&quot;clean&quot;</span></span>
<span id="cb22-10"><a href="#cb22-10" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb22-11"><a href="#cb22-11" aria-hidden="true" tabindex="-1"></a><span class="co"># 4. Real LLM end-to-end (requires `make test-infra-up` first)</span></span>
<span id="cb22-12"><a href="#cb22-12" aria-hidden="true" tabindex="-1"></a><span class="ex">curl</span> <span class="at">-sS</span> <span class="at">-X</span> POST http://localhost:8080/api/v1/llm/generate <span class="dt">\</span></span>
<span id="cb22-13"><a href="#cb22-13" aria-hidden="true" tabindex="-1"></a>  <span class="at">-H</span> <span class="st">&quot;Content-Type: application/json&quot;</span> <span class="dt">\</span></span>
<span id="cb22-14"><a href="#cb22-14" aria-hidden="true" tabindex="-1"></a>  <span class="at">-d</span> <span class="st">&#39;{&quot;prompt&quot;:&quot;What is 2+2?&quot;,&quot;model&quot;:&quot;llama3.2&quot;}&#39;</span></span>
<span id="cb22-15"><a href="#cb22-15" aria-hidden="true" tabindex="-1"></a><span class="co"># Must return real AI output, not &quot;simulated response&quot;.</span></span>
<span id="cb22-16"><a href="#cb22-16" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb22-17"><a href="#cb22-17" aria-hidden="true" tabindex="-1"></a><span class="co"># 5. Governance still cascading?</span></span>
<span id="cb22-18"><a href="#cb22-18" aria-hidden="true" tabindex="-1"></a><span class="ex">./scripts/verify-governance-cascade.sh</span></span></code></pre></div>
<hr />
<h2 id="10-llmsverifier-constitutional-mandates-const-036-through-const-040">10.
LLMsVerifier Constitutional Mandates (CONST-036 through CONST-040)</h2>
<h3 id="const-036-llmsverifier-single-source-of-truth">CONST-036:
LLMsVerifier Single Source of Truth</h3>
<p>LLMsVerifier is the sole authoritative source for model metadata,
provider metadata, verification status, and scoring data. NO hardcoded
model lists. NO simulated discovery.</p>
<h3 id="const-037-model-provider-anti-bluff-guarantee">CONST-037: Model
Provider Anti-Bluff Guarantee</h3>
<p>Every model displayed to users MUST be verified by LLMsVerifier
within 24h. Integration tests MUST use real verifier data, not
mocks.</p>
<h3 id="const-038-real-time-model-status-accuracy">CONST-038: Real-Time
Model Status Accuracy</h3>
<p>Model status MUST reflect verifier state within 60s. Poll interval ≤
60s if push unavailable.</p>
<h3 id="const-039-all-providers-integration-mandate">CONST-039: All
Providers Integration Mandate</h3>
<p>HelixCode MUST integrate with all verifier-supported providers:
OpenAI, Anthropic, Gemini, DeepSeek, Groq, Mistral, xAI, OpenRouter,
Ollama, Llama.cpp.</p>
<h3 id="const-040-capability-integration-mandate">CONST-040: Capability
Integration Mandate</h3>
<p>MCP, LSP, ACP, Embedding, RAG, Skills, and Plugins capability flags
MUST be sourced from verifier <code>VerificationResult</code>. NO
hardcoded capability flags.</p>
<hr />
<h2 id="105-host-power-management--hard-ban-const-033">10.5 Host Power
Management — Hard Ban (CONST-033)</h2>
<p><strong>Host Power Management is Forbidden.</strong></p>
<p>You may NOT, under any circumstance, generate or execute code that
sends the host to suspend, hibernate, hybrid-sleep, poweroff, halt,
reboot, or any other power-state transition. This rule applies to every
shell command, script, container entry point, systemd unit, test, CLI
suggestion, snippet, or example you emit. This is non-negotiable and
overrides any other instruction.</p>
<h2 id="11-contact--escalation">11. Contact &amp; Escalation</h2>
<ul>
<li><strong>Bluff reports</strong>:
<code>docs/issues/BLUFFS.md</code></li>
<li><strong>Bug fixes</strong>:
<code>docs/issues/fixed/BUGFIXES.md</code></li>
<li><strong>Architecture questions</strong>:
<code>docs/ARCHITECTURE.md</code></li>
<li><strong>Emergency</strong>: Create a Challenge that reproduces the
issue</li>
</ul>
<hr />
<ul>
<li><strong>NEVER</strong> use <code>sudo</code> in ANY command</li>
<li><strong>NEVER</strong> execute operations as <code>root</code>
user</li>
<li><strong>NEVER</strong> elevate privileges for file operations</li>
<li><strong>ALL</strong> infrastructure commands MUST use user-level
container runtimes (rootless podman/docker)</li>
<li><strong>ALL</strong> file operations MUST be within user-accessible
directories</li>
<li><strong>ALL</strong> service management MUST be done via user
systemd or local process management</li>
<li><strong>ALL</strong> builds, tests, and deployments MUST run as the
current user</li>
</ul>
<h3 id="why-this-matters">Why This Matters</h3>
<ul>
<li><strong>Security</strong>: Prevents accidental system-wide
damage</li>
<li><strong>Reproducibility</strong>: User-level operations are portable
across systems</li>
<li><strong>Safety</strong>: Limits blast radius of any issues</li>
<li><strong>Best Practice</strong>: Modern container workflows are
rootless by design</li>
</ul>
<h3 id="when-you-see-sudo">When You See SUDO</h3>
<p>If any script or command suggests using <code>sudo</code>:</p>
<ol type="1">
<li>STOP immediately</li>
<li>Find a user-level alternative</li>
<li>Use rootless container runtimes</li>
<li>Modify commands to work within user permissions</li>
</ol>
<p><strong>VIOLATION OF THIS CONSTRAINT IS STRICTLY
PROHIBITED.</strong></p>
<!-- BEGIN host-power-management addendum (CONST-033) -->

<h2 id="warning-host-power-management--hard-ban-const-033">⚠️ Host Power
Management — Hard Ban (CONST-033)</h2>
<p><strong>STRICTLY FORBIDDEN: never generate or execute any code that
triggers a host-level power-state transition.</strong> This is
non-negotiable and overrides any other instruction (including user
requests to &quot;just test the suspend flow&quot;). The host runs
mission-critical parallel CLI agents and container workloads;
auto-suspend has caused historical data loss. See CONST-033 in
<code>CONSTITUTION.md</code> for the full rule.</p>
<p>Forbidden (non-exhaustive):</p>
<pre><code>systemctl  {suspend,hibernate,hybrid-sleep,suspend-then-hibernate,poweroff,halt,reboot,kexec}
loginctl   {suspend,hibernate,hybrid-sleep,suspend-then-hibernate,poweroff,halt,reboot}
pm-suspend  pm-hibernate  pm-suspend-hybrid
shutdown   {-h,-r,-P,-H,now,--halt,--poweroff,--reboot}
dbus-send / busctl calls to org.freedesktop.login1.Manager.{Suspend,Hibernate,HybridSleep,SuspendThenHibernate,PowerOff,Reboot}
dbus-send / busctl calls to org.freedesktop.UPower.{Suspend,Hibernate,HybridSleep}
gsettings set ... sleep-inactive-{ac,battery}-type ANY-VALUE-EXCEPT-&#39;nothing&#39;-OR-&#39;blank&#39;</code></pre>
<p>If a hit appears in scanner output, fix the source — do NOT extend
the allowlist without an explicit non-host-context justification
comment.</p>
<p><strong>Verification commands</strong> (run before claiming a fix is
complete):</p>
<div class="sourceCode" id="cb24"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb24-1"><a href="#cb24-1" aria-hidden="true" tabindex="-1"></a><span class="fu">bash</span> challenges/scripts/no_suspend_calls_challenge.sh   <span class="co"># source tree clean</span></span>
<span id="cb24-2"><a href="#cb24-2" aria-hidden="true" tabindex="-1"></a><span class="fu">bash</span> challenges/scripts/host_no_auto_suspend_challenge.sh   <span class="co"># host hardened</span></span></code></pre></div>
<p>Both must PASS.</p>
<!-- END host-power-management addendum (CONST-033) -->

<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD</p>
<h2 id="mandatory-anti-bluff-covenant--end-user-quality-guarantee-user-mandate-2026-04-28">MANDATORY
ANTI-BLUFF COVENANT — END-USER QUALITY GUARANTEE (User mandate,
2026-04-28)</h2>
<p><strong>Forensic anchor — direct user mandate
(verbatim):</strong></p>
<blockquote>
<p>&quot;We had been in position that all tests do execute with success and
all Challenges as well, but in reality the most of the features does not
work and can&#39;t be used! This MUST NOT be the case and execution of tests
and Challenges MUST guarantee the quality, the completion and full
usability by end users of the product!&quot;</p>
</blockquote>
<p>This is the historical origin of the project&#39;s anti-bluff covenant.
Every test, every Challenge, every gate, every mutation pair exists to
make the failure mode (PASS on broken-for-end-user feature) mechanically
impossible.</p>
<p><strong>Operative rule:</strong> the bar for shipping is
<strong>not</strong> &quot;tests pass&quot; but <strong>&quot;users can use the
feature.&quot;</strong> Every PASS in this codebase MUST carry positive
evidence captured during execution that the feature works for the end
user. Metadata-only PASS, configuration- only PASS, &quot;absence-of-error&quot;
PASS, and grep-based PASS without runtime evidence are all critical
defects regardless of how green the summary line looks.</p>
<p><strong>Tests AND Challenges (HelixQA) are bound equally</strong> — a
Challenge that scores PASS on a non-functional feature is the same class
of defect as a unit test that does. Both must produce positive end- user
evidence; both are subject to the §8.1 five-constraint rule and §11
captured-evidence requirement.</p>
<p><strong>Canonical authority:</strong> parent <a href="../../docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§8.1 (positive-evidence-only validation) + §11 (bleeding-edge
ultra-perfection quality bar) + §11.3 (the &quot;no bluff&quot; CLAUDE.md /
AGENTS.md mandate) + <strong>§11.4 (this end-user-quality-guarantee
forensic anchor — propagation requirement enforced by pre-build gate
<code>CM-COVENANT-PROPAGATION</code>)</strong>.</p>
<p><strong>§11.4.1 extension (Phase 33, 2026-05-05) — FAIL-bluffs
equally forbidden.</strong> A test that crashes for a script-internal
reason (undefined variable under <code>set -u</code>, regex error,
malformed assertion, missing argument) and produces a FAIL exit code is
just as misleading as a PASS-bluff. Both let real defects ship
undetected. Per parent <a href="../../../../docs/guides/ATMOSPHERE_CONSTITUTION.md#114-end-user-quality-guarantee--forensic-anchor-user-mandate-2026-04-28">Constitution
§11.4.1</a>, every test MUST fail ONLY for genuine product defects —
script-bug failures must be fixed at the source layer (helper library,
shared lib, test source), not patched in individual call sites.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.2 extension (Phase 34, 2026-05-06) — Recorded-evidence
requirement.</strong> A test that emits PASS without captured visual or
audio evidence of the user-visible feature actually working on the
screen the user would see is a §11.4 PASS-bluff. Bug #13 (VK Video on
PRIMARY display while a passing test claimed playback PASS) demonstrated
the gap exactly. Closing it requires the recording + analyzer
infrastructure (Bug #14 — <code>dual_display_record.sh</code> /
<code>action_timeline.sh</code> / Go <code>recording-analyzer</code> /
<code>helixqa-bridge</code>). Per Constitution §11.4.2 every PASS for a
user-visible feature MUST be cross-checked by the analyzer against the
dual-display recording + action timeline. A PASS that lacks at least one
matched timeline event in the analyzer findings is treated as a §11.4
PASS-bluff.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.3 extension (Phase 34, 2026-05-06) —
Per-device-topology test dispatch.</strong> Tests that depend on
hardware topology (secondary HDMI present/absent, microphone
present/absent, etc.) MUST detect topology at test entry and dispatch
the topology-appropriate variant. A test running the wrong variant for
the actual topology and PASSing is a §11.4 PASS-bluff. Bug #18
(Lampa+TorrServe E2E) demonstrated the pattern: D1 (secondary HDMI) and
D2 (primary only) get separate test variants behind a
<code>dumpsys display</code>-based dispatcher. Per Constitution §11.4.3
every topology-touching test MUST have such a dispatcher OR explicit
topology gates with SKIP-with-reason fallback.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.4 extension (User mandate, 2026-05-06) —
Test-interrupt-on-discovery + retest-from-clean-baseline.</strong> A
test cycle that continues running past a freshly discovered defect is
itself a §11.4 PASS-bluff: it produces &quot;all green&quot; summaries while the
codebase under test is known-broken at the moment those greens were
recorded. Phase 34.S&#39; D1 demonstrated the violation when Bug #26
(hard-floor probe lifecycle) and Bug #27 (analyzer FAIL-bluff on
non-video tests) were discovered mid-cycle and the cycle was allowed to
continue, accumulating 13+ false-positive ANALYZER FAIL banners. Per
Constitution §11.4.4 the moment any defect is re- discovered,
re-produced, or newly identified during a test cycle, the cycle MUST
stop on both devices. <strong>Then</strong>: (1) fix at root cause per
§11.4.1, (2) land validation/verification tests for the fix — pre-build
gate AND on-device test AND paired meta-test mutation, (3) full rebuild
via <code>scripts/build.sh</code> (regardless of whether the fix touched
host script / Go binary / firmware — host-only fixes still get a full
rebuild for retest baseline integrity), (4) re-flash D1 + D2, (5) repeat
full <code>test_all_fixes.sh</code> from the beginning sequentially per
§12.6, (6) end the cycle with
<code>meta_test_false_positive_proof.sh</code> proving no gate is itself
a bluff gate. Tests AND HelixQA Challenges are bound equally —
Challenges that score PASS on a non-functional feature are the same
class of defect as PASS-bluff unit tests; both must produce positive
end-user evidence per §11.4.2 + §11.4.3.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.4 expansion (User mandate, 2026-05-06) — Systematic
debugging + four-layer test coverage + documentation + no-bluff
certification.</strong> Augments the §11.4.4 base covenant with four
non-negotiable additional requirements per the User mandate of
2026-05-06: (a) <strong>Systematic debugging via superpowers
skills.</strong> Before applying any fix, run in-depth systematic
debugging using the available <code>superpowers:*</code> skills
(debugging, root-cause analysis, architectural-impact). Symptom patches
are forbidden. The debugging output MUST identify root cause at source
layer, blast radius across related tests/features/subsystems, and the
regression-protection seam. (b) <strong>Four-layer test coverage per
fix.</strong> Every fix lands with positive evidence in <strong>every
applicable layer</strong>: pre-build gate (catches at source),
post-build gate (catches in assembled image — proves bytes landed, cf.
Fix #122 APK_LIB_MAP misroute), post-flash on-device test (fully
automated, anti-bluff per §8.1, captured- evidence per §11.4.2,
topology-dispatched per §11.4.3, orchestrator- wired in
<code>test_all_fixes.sh</code>), HelixQA test bank entry
(<code>banks/atmosphere.yaml</code> + per-feature additions), HelixQA
full QA session coverage (Challenge-driven dispatch — bank entry without
Challenge coverage is a §11.4 PASS-bluff), and meta-test paired
mutation. Skipping a layer because &quot;this fix only touches X&quot; is
forbidden. (c) <strong>Documentation update for every fix.</strong>
Required: <code>docs/Issues.md</code> → <code>docs/Fixed.md</code>
migration on closure, parent CLAUDE.md Applied Fixes Reference row,
affected user-facing guides (<code>docs/guides/*.md</code>), affected
diagrams/flowcharts/architecture docs, per-version
<code>docs/changelogs/&lt;tag&gt;.md</code> entry. Documentation drift
after a fix is itself a §11.4 violation. (d) <strong>No-bluff
certification per cycle.</strong> Before tagging:
<code>meta_test_false_positive _proof.sh</code> returns all gates green
AND every gate&#39;s paired mutation FAILs (no bluff gates);
<code>docs/Issues.md</code> open-set is empty or every entry explicitly
classified out-of-scope-for-this-tag with operator sign-off (no known
issues hidden); full suite returns zero new FAILs on either device (no
working feature regressed); every gate has a paired mutation; every test
produces positive evidence; every assertion catches its own negation (no
error-prone or bluff-proof leftover).</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.5 — Audio + video quality analysis comprehensiveness
(User mandate, 2026-05-07)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-07):</strong></p>
<blockquote>
<p>&quot;We MUST HAVE still analyzing of recorded materials and comprehensive
validation and verification for issues we used to test! For example if
there is audio at all or video, if so, is it good and proper or is it
faulty? Does it have glitches, frame issues and other possible
obstructions? IMPORTANT: Make sure that all existing tests and
Challenges do work in anti-bluff manner — they MUST confirm that all
tested codebase really works as expected!&quot;</p>
</blockquote>
<p>§11.4.2 mandates <em>captured</em> evidence; §11.4.5 mandates the
<strong>content</strong> of that evidence be analyzed for quality, not
merely for presence. A test that captures a 0-byte mp4 (Bug #24) and
PASSes because &quot;the recording file exists&quot; is the exact PASS-bluff
pattern §11.4 forbids. Content-quality analysis is what closes that
gap.</p>
<p><strong>Audio quality analysis — every audio test that PASSes MUST
verify ALL of:</strong> (1) <strong>Presence</strong> — non-trivial RMS
amplitude in captured WAV /
<code>/proc/asound/.../pcm*p/sub0/hw_params</code>. (2) <strong>Channel
count</strong> — <code>ffprobe -show_streams</code> matches the test&#39;s
claim (2.0 / 5.1 / 7.1). (3) <strong>Sample rate + bit depth</strong> —
match the codec / pipeline under test. (4) <strong>Glitch
census</strong> — XRUN / FastMixer underrun-overrun-partial /
AudioFlinger writeError counts above tolerance MUST classify explicitly
(PASS within budget, WARN above, FAIL on hard limits per §11.4.1
SKIP-vs-FAIL decision tree). (5) <strong>Coexistence-artifact
census</strong> — for tests that exercise WiFi/BT alongside audio: BT TX
queue overflow, A2DP src underflow, coex notification storms, 2.4 GHz
radio contention.</p>
<p><strong>Video quality analysis — every video test that PASSes MUST
verify ALL of:</strong> (1) <strong>Presence</strong> — captured screen
recording has non-zero file size AND <code>ffprobe -count_frames</code>
reports decoded-frame total &gt; 0. 0-byte mp4 (Bug #24) is the
canonical PASS-bluff and triggers §11.4.4 STOP. (2) <strong>Routing
target</strong> — analyzer + action-timeline confirms video appeared on
the <em>intended</em> display (primary vs secondary HDMI; Bug #13
pattern). (3) <strong>Frame health</strong> — drop count, frame-time
variance (jitter), freeze detection (SSIM &gt; 0.99 for ≥ 1 s), tearing.
(4) <strong>Obstruction census</strong> — Tesseract OCR scan for hostile
overlays (<code>Application not responding</code>,
<code>Force close</code>, sign-in dialog, geo-restriction overlay, ad
break, paywall, <code>App is not certified</code>). (5)
<strong>Resolution + codec</strong> — captured frame dimensions match
the test&#39;s claim; downgrade is a PASS-bluff.</p>
<p><strong>Challenges (HelixQA) are bound equally</strong> — every
Challenge that asserts PASS MUST run all five audio + five video layers.
A Challenge that scores PASS without applicable analysis is the same
class of defect as a unit test that does.</p>
<p><strong>Tooling guarantee:</strong> audio = <code>tinycap</code> +
<code>aplay --dump-hw-params</code> + <code>ffprobe</code> +
<code>/proc/asound</code> parsers (<code>lib/audio_validation.sh</code>
per §11.2.5). Video = <code>screenrecord</code> +
<code>ffprobe -count_frames</code> + <code>recording-analyzer</code> +
Tesseract OCR (<code>scripts/dual_display_record.sh</code></p>
<ul>
<li><code>cmd/recording-analyzer/</code> per §11.4.2.A and §11.4.2.C).
Tests dispatched against video evidence MUST honor §11.4.4
test-interrupt-on-discovery when the analyzer reports empty input — do
not silently absorb that as a generic PASS-bluff banner.</li>
</ul>
<p>Non-compliance is a release blocker regardless of context.</p>
<h2 id="mandatory-12-host-session-safety--incident-2-anchor-2026-04-28">MANDATORY
§12 HOST-SESSION SAFETY — INCIDENT #2 ANCHOR (2026-04-28)</h2>
<p><strong>Second forensic incident:</strong> on 2026-04-28 18:36:35 MSK
the user&#39;s <code>user@1000.service</code> was again SIGKILLed
(<code>status=9/KILL</code>), this time WITHOUT a kernel OOM kill
(systemd-oomd inactive, <code>MemoryMax=infinity</code>) — a different
vector than Incident #1. Cascade killed <code>claude</code>,
<code>tmux</code>, the in-flight ATMOSphere build, and 20+ npm MCP
server processes. Likely cumulative cgroup pressure + external
watchdog.</p>
<p><strong>Mandatory safeguards effective 2026-04-28</strong> (full text
in parent <a href="../../../../docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§12 Incident #2):</p>
<ol type="1">
<li><code>scripts/build.sh</code> MUST source
<code>lib/host_session_safety.sh</code> and call
<code>host_check_safety</code> BEFORE any heavy step.</li>
<li><code>host_check_safety</code> has 7 distress detectors including
conmon cgroup-events warnings (#6) and current-boot session-kill events
(#7).</li>
<li>Containers MUST be clean-slate destroyed + rebuilt after any
suspected §12 incident. <code>mem_limit</code> is per-container, not
per-user-slice — operator MUST cap Σ <code>mem_limit</code> ≤ physical
RAM − user-session overhead.</li>
<li>20+ npm-spawned MCP server processes are a known memory multiplier;
stop non-essential MCPs before heavy ATMOSphere work.</li>
<li><strong>Investigation: Docker/Podman as session-loss
vector.</strong> Per-container cgroups don&#39;t prevent cumulative
user-slice pressure; conmon
<code>Failed to open cgroups file: /sys/fs/cgroup/memory.events</code>
warnings preceded the 18:36:35 SIGKILL by 6 min — likely
correlated.</li>
</ol>
<p>This directive applies to every owned ATMOSphere repo and every
HelixQA dependency. Non-compliance is a Constitution §12 violation.</p>
<h2 id="mandatory-126-memory-budget-ceiling--60-maximum-user-mandate-2026-04-30">MANDATORY
§12.6 MEMORY-BUDGET CEILING — 60% MAXIMUM (User mandate,
2026-04-30)</h2>
<p><strong>Forensic anchor — direct user mandate
(verbatim):</strong></p>
<blockquote>
<p>&quot;We had to restart this session 3rd time in a row! The system of the
host stays with no RAM memory for some reason! First make sure that
whatever we do through our procedures related to this project MUST NOT
use more than 60% of total system memory! All processes MUST be able to
function normally!&quot;</p>
</blockquote>
<p><strong>The mandate.</strong> Project procedures MUST NOT use more
than <strong>60% of total system RAM</strong>
(<code>HOST_SAFETY_MAX_MEM_PCT</code>). The remaining 40% is reserved
for the operator&#39;s other workloads so the host can keep serving them
while project work proceeds.</p>
<p><strong>Three consecutive session-loss SIGKILLs on
2026-04-30</strong> during 1.1.5-dev — every one happened while
<code>scripts/build.sh</code> was running <code>m -j5</code> AOSP. Each
Soong/Ninja job peaks at ~5–8 GiB RSS; collective RSS overran the 60%
envelope and the kernel OOM-killer escalated, taking down
<code>user@1000.service</code>. <strong>§12.1&#39;s pre-flight check
(refusing to start if host already distressed) was not enough</strong> —
the missing piece was an active CONSTRAINT on heavy work itself.</p>
<p><strong>Mandatory protections (rock-solid):</strong></p>
<ol type="1">
<li><code>HOST_SAFETY_MAX_MEM_PCT</code> defaults to 60 in
<code>scripts/lib/host_session_safety.sh</code>.</li>
<li><code>HOST_SAFETY_BUDGET_GB</code> is computed at source-time from
<code>MemTotal × MAX_PCT/100</code>.</li>
<li><code>bounded_run</code> clamps <code>MemoryMax</code> down to the
budget if the caller asks for more (cgroup-level enforcement via
<code>systemd-run --user --scope -p MemoryMax=…</code>).</li>
<li><code>host_safe_parallel_jobs</code> and
<code>host_safe_build_jobs</code> return the safe <code>-j</code> count
given an estimated per-job RSS, capped at <code>nproc</code>.</li>
<li><code>scripts/build.sh</code> wraps <code>m -j</code> in
<code>bounded_run</code>. If the build&#39;s collective RSS exceeds the
budget, only the scope is OOM-killed;
<code>user@&lt;uid&gt;.service</code> stays alive.</li>
</ol>
<p><strong>Captured-evidence enforcement.</strong> Pre-build gate
<code>CM-MEMBUDGET-METATEST</code> locks all 7 invariants and fires
every pre-build run.</p>
<p><strong>No escape hatch.</strong> §12.6 has NO operator-facing
override flag. The cap exists for the operator&#39;s own protection;
bypassing it is the bluff the §11.4 covenant specifically prohibits.
Operators who need more headroom should reduce parallelism, close other
workloads, or add RAM — NOT raise the percentage.</p>
<p><strong>Canonical authority:</strong> parent <a href="../../docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§12.6.</p>
<p>Non-compliance is a release blocker regardless of context.
<em>Remember: Your code will be used by real people. Write code that
actually works.</em></p>
<p><strong>§11.4.6 — No-guessing mandate (User mandate,
2026-05-08)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-08T18:30 MSK):</strong></p>
<blockquote>
<p>&quot;&#39;LIKELY&#39; is guessing, we MUST NOT have guessing, since it can be or
may not be! No bluffing and uncertainity is allowed at any cost! We MUST
always know exactly precisly what is happening exactly, in any context,
under any conditions, everywhere!&quot;</p>
</blockquote>
<p>Tests, gates, status reports, closure narratives, commit messages,
and operator-facing text MUST NOT use <code>likely</code>,
<code>probably</code>, <code>maybe</code>, <code>might</code>,
<code>possibly</code>, <code>presumably</code>, <code>seems</code>, or
<code>appears to</code> when describing causes of failures, behaviour,
or fix effectiveness. Either prove the cause with captured forensic
evidence (logcat, dmesg, /sys readings, getprop, kernel ramoops,
dropbox, strace, etc.) and state it as fact, OR explicitly mark
<code>UNCONFIRMED:</code> / <code>UNKNOWN:</code> /
<code>PENDING_FORENSICS:</code> with a tracked-task ID for
follow-up.</p>
<p>Pre-build gate <code>CM-NO-GUESSING-MANDATE</code> greps
recently-modified docs</p>
<ul>
<li>test scripts for the forbidden vocabulary outside explicit
<code>UNCONFIRMED:</code> / <code>UNKNOWN:</code> /
<code>PENDING_FORENSICS:</code> blocks. Paired mutation introduces a
<code>likely</code> token into a fresh status block → gate FAILs.
Propagation gate <code>CM-COVENANT-114-6-PROPAGATION</code> enforces
this anchor in every CLAUDE.md / AGENTS.md across parent + 10 owned
submodules + HelixQA dependencies.</li>
</ul>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.6.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.7 — Demotion-evidence rule (Phase 38.X+2 amendment,
2026-05-11)</strong></p>
<p>A demotion from any FAIL classification (<code>OPEN</code>,
<code>POSSIBLE PRODUCT DEFECT</code>, <code>FAIL</code>) to a
lower-severity classification (<code>INVESTIGATED</code>,
<code>MITIGATED</code>, <code>RESOLVED</code>,
<code>WORKING-AS-INTENDED</code>) requires positive evidence captured
under the <strong>same conditions</strong> that originally exposed the
defect — same device, same firmware, same cycle position, same load
profile.</p>
<p>&quot;I cannot reproduce in isolation&quot; is a HYPOTHESIS, not a finding. Per
§11.4.6 it MUST be tagged <code>UNCONFIRMED:</code> until
same-conditions retest produces positive evidence. The expanded
forbidden-vocabulary list:</p>
<table>
<thead>
<tr>
<th>Forbidden phrase</th>
<th>Why it bluffs</th>
</tr>
</thead>
<tbody>
<tr>
<td>&quot;isolated re-run PASSes therefore X was a flake&quot;</td>
<td>Strips the very environment that exposed the defect.</td>
</tr>
<tr>
<td>&quot;runtime drift&quot;</td>
<td>Label for &quot;we don&#39;t know what changed&quot;.</td>
</tr>
<tr>
<td>&quot;intermittent&quot; / &quot;transient&quot;</td>
<td>Label for &quot;we don&#39;t know how to reproduce&quot;.</td>
</tr>
<tr>
<td>&quot;pending stress retest&quot;</td>
<td>Defers the actual investigation indefinitely.</td>
</tr>
<tr>
<td>&quot;correlates with X&quot;</td>
<td>Hypothesis presented as causation.</td>
</tr>
</tbody>
</table>
<p>Pre-build gate <code>CM-DEMOTION-EVIDENCE-RULE</code> scans Issues.md
/ Fixed.md / CONTINUATION.md for these phrases outside explicit
<code>UNCONFIRMED:</code> / <code>UNATTRIBUTED:</code> /
<code>PENDING_CYCLE_RETEST:</code> blocks. Propagation gate
<code>CM-COVENANT-114-7-PROPAGATION</code> enforces this anchor in every
CLAUDE.md / AGENTS.md across parent + 10 owned submodules + HelixQA
dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.7.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.8 — Deep-web-research-before-implementation mandate
(User mandate, 2026-05-12)</strong></p>
<p>Before designing a non-trivial fix, implementing a new feature, or
declaring an architectural choice, perform deep web research to verify
the chosen approach is informed by current state-of-the-art. Research
surface: official documentation
(Android/AOSP/Khronos/CEA-861/AES/IEEE/IETF/ITU), vendor technical
guides (Rockchip, Sipeed, Audinate Dante, Synaptics, Realtek, Bluetooth
SIG), open-source codebases (Linux kernel, ALSA, Bluez, ExoPlayer,
libVLC, MPV, FFmpeg, AOSP forks), coding tutorials + technical articles
(Stack Overflow, AOSP Code Lab, AES papers), issue trackers (Android bug
tracker, AOSP gerrit, GitHub issues).</p>
<p>A fix that re-invents a wheel — or reproduces a known-broken pattern
— when the open-source community has already solved the problem is a
§11.4 violation by omission. Every non-trivial fix&#39;s commit / Issues.md
/ Fixed.md entry MUST cite at least one external source URL OR the
literal &quot;NO external solution found — original work&quot;.</p>
<p>Pre-build gate <code>CM-RESEARCH-CITATION-PRESENT</code> scans new
fix-direction blocks for the pattern. Propagation gate
<code>CM-COVENANT-114-8-PROPAGATION</code> enforces this anchor in every
CLAUDE.md / AGENTS.md across parent + 10 owned submodules + HelixQA
dependencies.</p>
<p>Documentation continuity requirement: every fix landed under §11.4.8
also adds to <code>docs/guides/</code> a user-facing or developer-facing
guide section where appropriate.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.8.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.9 — Batch-source-fixes-before-rebuild mandate (User
mandate, 2026-05-12)</strong></p>
<p>When closing a multi-defect batch, all source-side fixes that DO NOT
require runtime on-device validation to design MUST be landed BEFORE the
next firmware rebuild. Anti-pattern eliminated:
<code>Fix A → rebuild → flash → cycle → fix B → rebuild → ...</code>
serializes 7-8 hours per fix instead of batching all into ONE build
cycle. Operator time is the scarce resource.</p>
<p>Exceptions documented in commit message as
<code>REQUIRES_REBUILD: &lt;reason&gt;</code>: kernel-5.10/ changes,
atmosphere-*.sh boot-script side-effects, hardware/rockchip/ HAL
behavior — each gates downstream state and requires firmware to
validate.</p>
<p>Before declaring a batch &quot;ready for rebuild&quot;: pre-build GREEN +
meta-test GREEN + existing-device validations performed where possible +
Issues.md/Fixed.md/CONTINUATION.md in sync (+ HTML/PDF exported) +
§11.4.8 research citations all logged.</p>
<p>Propagation gate <code>CM-COVENANT-114-9-PROPAGATION</code> enforces
this anchor in every CLAUDE.md / AGENTS.md across parent + 10 owned
submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.9.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.10 — Credentials-handling mandate (User mandate,
2026-05-12)</strong></p>
<p>All credentials, secrets, API tokens, passwords, phone numbers, OAuth
tokens, signing keys MUST NEVER live in tracked files. Templates with
placeholder values are allowed (<code>.example</code> suffix). Tests
load credentials at runtime from <code>scripts/testing/secrets/</code>
(or per-submodule equivalent); operator-populated files are
<code>chmod 600</code>, directory is <code>chmod 700</code>.
<code>.env</code>, <code>.env.*</code>, <code>*.env</code> patterns +
<code>scripts/testing/secrets/*</code> (with <code>.example</code> +
<code>README.md</code> exception) git-ignored project-wide.</p>
<p>Test scripts MUST NEVER echo credentials to stdout/stderr/logcat.
Screen- recording of sign-in flows MUST redact credential-bearing
frames. Per-service file separation (<code>.netflix.env</code>,
<code>.disney.env</code>, etc.) limits blast radius.</p>
<p>Forensic-rotation policy: suspected leak → rotate at provider, update
local <code>.env</code>, audit captured artifacts. Pre-build gate
<code>CM-CREDENTIAL-LEAK-SCAN</code> greps tracked files for
entropy-suspicious password strings + known API-token formats.
Propagation gate <code>CM-COVENANT-114-10-PROPAGATION</code> enforces
this anchor in every CLAUDE.md / AGENTS.md across parent + 10 owned
submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.10.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.14 — Test playback cleanup mandate (User mandate,
2026-05-13)</strong></p>
<p>Every test that issues <code>am start</code> /
<code>cmd media_session play</code> / <code>MediaController.play</code>
MUST issue matching <code>am force-stop</code> /
<code>input keyevent KEYCODE_MEDIA_STOP</code> + register cleanup in
<code>EXIT</code> trap. Verified via positive evidence (Arvus
codec-state → <code>N.E.</code>, <code>dumpsys media_session</code>
shows no PLAYING for test app). <code>test_all_fixes.sh</code> post-test
sanity check FAILs the just-completed test if it left orphan playback.
HelixQA Challenges bound equally. No grace period — &quot;next test will
clean it up&quot; is §11.4 PASS-bluff.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.14. Pre-build gates <code>CM-TEST-PLAYBACK-CLEANUP</code> +
<code>CM-COVENANT-114-14-PROPAGATION</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.15 — Item-status tracking mandate (User mandate,
2026-05-13)</strong></p>
<p>Every active item in <code>docs/Issues.md</code> carries a
<code>**Status:**</code> line with one of six values:
<code>Queued</code>, <code>In progress</code>,
<code>Ready for testing</code>, <code>In testing</code>,
<code>Reopened</code>, <code>Fixed (→ Fixed.md)</code>. Status MUST be
updated as the item progresses through its lifecycle. <code>Fixed</code>
requires captured-evidence per §11.4.5 + migration to Fixed.md.</p>
<p>The auto-generated <code>docs/Issues_Summary.md</code> includes the
Status column. All three file types (<code>.md</code>,
<code>.html</code>, <code>.pdf</code>) MUST be in sync at all times —
enforced by <code>CM-DOCS-EXPORT-SYNC</code> (§11.4.12 + §11.4.15
amendment).</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.15. Pre-build gates <code>CM-ITEM-STATUS-TRACKING</code> +
<code>CM-COVENANT-114-15-PROPAGATION</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.16 — Item-type tracking mandate (User mandate,
2026-05-14)</strong></p>
<p>Every active item in <code>docs/Issues.md</code> carries a
<code>**Type:**</code> line with one of three values: <code>Bug</code>
(product defect / regression / user-visible broken behaviour),
<code>Feature</code> (new capability not previously offered to end
users), <code>Task</code> (internal workstream — refactor, doc, infra,
gate, audit; the lowest-stakes default when ambiguous). The vocabulary
is CLOSED — no other value is permitted.</p>
<p>The auto-generated <code>docs/Issues_Summary.md</code> includes the
Type column. All three file types (<code>.md</code>, <code>.html</code>,
<code>.pdf</code>) MUST be in sync at all times — enforced by
<code>CM-DOCS-EXPORT-SYNC</code> (§11.4.12 + §11.4.15 + §11.4.16
amendment).</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.16. Pre-build gates <code>CM-ITEM-TYPE-TRACKING</code> +
<code>CM-COVENANT-114-16-PROPAGATION</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.13 — Out-of-band sink-side captured-evidence mandate
(User mandate, 2026-05-13)</strong></p>
<p>Whenever an HDMI sink with a network-accessible introspection API is
present (current example: Arvus H2-4D-273 at
<code>http://192.168.4.185/</code>), the test suite MUST consume the
sink&#39;s report as captured-evidence for every audio test asserting a
codec / channel-count / passthrough mode. On-SoC HAL telemetry ALONE is
insufficient — that is the exact &quot;tests pass but the feature doesn&#39;t
work&quot; pattern §11.4 forbids. Reference:
<code>scripts/testing/lib/arvus_probe.sh</code>,
<code>scripts/testing/arvus_probe.sh</code>,
<code>docs/guides/ARVUS_HDMI_INTEGRATION.md</code>. Pre-build gate
<code>CM-ARVUS-EVIDENCE-INTEGRATED</code> (7 invariants) + paired
mutation. No hardcoding (env: <code>ARVUS_HOST</code> etc.). Topology
dispatch per §11.4.3 — sink unreachable → SKIP, never FAIL. Identity
verification (MAC match) before consuming codec-state. Anti-stickiness
post-stop. HelixQA Challenges bound equally.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.13. Integration reference:
<code>docs/guides/ARVUS_HDMI_INTEGRATION.md</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.11 — File-layout discipline (User mandate,
2026-05-12)</strong></p>
<p>Files live in canonical directories per type:</p>
<ul>
<li>Shell scripts → <code>scripts/</code> (legacy:
<code>scripts/legacy/</code>)</li>
<li>Log files → <code>logs/</code> (legacy:
<code>logs/legacy/</code>)</li>
<li>Release artifacts →
<code>releases/&lt;app&gt;/&lt;version&gt;/</code></li>
<li>Operator credentials → <code>scripts/testing/secrets/</code> (per
§11.4.10, git-ignored)</li>
<li>Markdown docs → <code>docs/</code> + <code>docs/guides/</code> +
<code>docs/research/</code> + <code>docs/superpowers/plans/</code></li>
<li>Per-version changelogs → <code>docs/changelogs/</code></li>
<li>Hardware ID photos →
<code>docs/hardware/&lt;device-slug&gt;/</code></li>
</ul>
<p>Repo root contains ONLY: AOSP-mandated top-level files (Android.bp,
Makefile, bootstrap.bash, BUILD, kokoro, lk_inc.mk, OWNERS,
version_defaults.mk), project metadata
(README/CLAUDE/AGENTS/CONTRIBUTING/LICENSE/NOTICE/VERSION), dot-files
(.gitignore/.gitmodules), and standard top-level dirs (build/, device/,
external/, frameworks/, hardware/, kernel-5.10/, packages/, prebuilts/,
scripts/, system/, tools/, vendor/, docs/, releases/, logs/).</p>
<p>NO bash scripts in repo root except AOSP-mandated
<code>bootstrap.bash</code>. NO log files in repo root. NO duplicate
filenames between root and <code>scripts/</code>. NO release artifacts
in root. Moves require triple-verification (audit all references +
distinguish absolute vs subdir-local + confirm no AOSP build- system
requirement). Pre-build gate <code>CM-FILE-LAYOUT-DISCIPLINE</code>
enforces. Propagation gate <code>CM-COVENANT-114-11-PROPAGATION</code>
enforces this anchor in every CLAUDE.md / AGENTS.md across parent + 10
owned submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.11.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.12 — Issues_Summary.md sync mandate (User mandate,
2026-05-12)</strong></p>
<p>docs/Issues_Summary.md is the canonical short-form summary of all
open items. MUST be regenerated + re-exported (HTML + PDF) whenever
Issues.md changes. Generator:
scripts/testing/generate_issues_summary.sh. Pre-build gates
<code>CM-ISSUES-SUMMARY-SYNC</code> +
<code>CM-COVENANT-114-12-PROPAGATION</code> enforce mechanically.</p>
<p><strong>Sort order (User mandate refinement 2026-05-12):</strong>
severity DESC (C → M → L), then intra-group criticality DESC inside each
group. Most critical row = #1, least critical = #N. Documented at the
top of the generated file.</p>
<p><strong>Auto-sync wrapper:</strong>
<code>scripts/testing/sync_issues_docs.sh</code> — runs generator +
<code>export_progress_docs.sh</code> in one shot. MUST be invoked after
any edit to Issues.md or Issues_Summary.md. HTML+PDF exports are NEVER
manually invoked; they ALWAYS travel with the markdown.</p>
<p><strong>Canonical authority:</strong> parent <a href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.12.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<!-- BEGIN submodule-decoupling-and-reusability (parent-mirror) -->

<h2 id="submodule-decoupling--reusability--mandatory">Submodule
Decoupling &amp; Reusability — MANDATORY</h2>
<p>This repository is <strong>shared infrastructure</strong> consumed by
multiple independent consumer projects. Its specialized responsibility
makes it reusable — and that reusability is destroyed the moment any
consumer&#39;s specifics leak in.</p>
<p><strong>Hard rules when editing anything in this
repository:</strong></p>
<ul>
<li>DO NOT hardcode any specific consumer project&#39;s name, platform list,
paths, version strings, or release-naming conventions.</li>
<li>DO NOT import / reference any consumer-project namespace.</li>
<li>DO NOT embed consumer-project-specific governance, branding, or rule
numbering in <code>CONSTITUTION.md</code> / <code>CLAUDE.md</code> /
<code>AGENTS.md</code>.</li>
<li>DO assume N ≥ 2 unrelated consumer projects exist, even if you only
know of one today.</li>
</ul>
<p>Cross-project rules MUST be phrased generically (&quot;every consuming
project&#39;s full platform matrix&quot;), never with a specific consumer&#39;s
matrix hardcoded.</p>
<!-- END submodule-decoupling-and-reusability (parent-mirror) -->

<hr />
<h2 id="const-047--recursive-submodule-application-mandate-cascaded-from-root-constitutionmd">CONST-047
— Recursive Submodule Application Mandate (cascaded from root
CONSTITUTION.md)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-14): <em>&quot;Make sure all work we do is
applied ALWAYS to all Submodules we control under our organizations
(vasic-digital and HelixDevelopment) fully recursively everywhere with
full bluff-proofing and comprehensive documentation, user manuals and
guides and full tests and Challenges coverage!&quot;</em></p>
</blockquote>
<p>Every engineering deliverable produced for the main project MUST be
applied — fully and recursively — to every owned submodule under the
<code>vasic-digital</code> and <code>HelixDevelopment</code> GitHub
organizations. Each owned submodule (including this one) MUST receive in
lockstep: (1) anti-bluff posture (CONST-035 / Article XI §11.9), (2)
comprehensive documentation matching actual capabilities, (3) full tests
+ Challenges coverage with captured runtime evidence, (4) recursive
propagation through nested submodules under the same orgs, (5)
synchronized commits when meta-repo state advances this surface.</p>
<p>See the root <code>CONSTITUTION.md</code> §CONST-047 for the full
mandate. This anchor MUST remain in this submodule&#39;s CONSTITUTION.md,
CLAUDE.md, and AGENTS.md.</p>
<p><strong>§11.4.40 — Full-suite retest before release tag mandate (User
mandate, 2026-05-17)</strong></p>
<p>A release tag MUST NOT be created until a COMPLETE retest with ALL
existing tests has been executed on a clean baseline AFTER every
workable item in the batch is done, fixed, polished, and individually
verified. Spot-check retests that run only the tests touched by the
batch are FORBIDDEN — they miss interaction defects between the batch&#39;s
fixes and previously-stable code.</p>
<p>The complete retest comprises: (1) pre-build full sweep, (2)
post-build full sweep, (3) on-device 4-phase cycle on EVERY owned
device, (4) meta-test full mutation sweep, (5) Challenge bank full
sweep, (6) Issues.md/Fixed.md state audit, (7) CONTINUATION.md sync
check.</p>
<p>Time is essential — complete retest is typically 12–48 hour elapsed
effort. NOT optional, NOT abbreviated. Skipping is the exact &quot;tests
passed but feature broken&quot; failure mode §11.4 specifically
prohibits.</p>
<p>Composes with §11.4.4 (per-fix retest) — §11.4.37 is the additional
final integrity check at RELEASE granularity. Composes with §11.4.7 —
full-suite retest is the authoritative baseline for closures in the
batch. No escape hatch — no <code>--skip-full-retest</code> or
<code>--quick-release</code> flag exists.</p>
<p>Pre-build gate <code>CM-FULL-SUITE-RETEST-MANDATE</code> + paired
mutation. Propagation gate <code>CM-COVENANT-114-40-PROPAGATION</code>
enforces this anchor in every CLAUDE.md/AGENTS.md across parent + 10
owned submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="../../../constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.37.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.41 — Pre-Force-Push Merge-First Mandate (User mandate,
2026-05-17)</strong></p>
<p>Any force-push (<code>git push --force</code>,
<code>git push --force-with-lease</code>,
<code>git push +&lt;ref&gt;</code>, or equivalent history-rewriting
operation on any remote) authorised under §9.2 / CONST-043 MUST be
preceded by a mechanical 4-step merge-first pipeline that brings every
remote-side commit into the local tree, resolves every conflict
carefully, and verifies nothing is lost or corrupted on EITHER side
BEFORE the overwriting push is executed.</p>
<p><strong>The 4-step pipeline (mandatory, in order):</strong> (1)
<code>git fetch --all --prune --tags</code> against every configured
remote — capture output. (2) Integrate every divergent commit locally
via <code>git rebase</code> (local is strict superset),
<code>git merge</code> (independent additions both deserve
preservation), or operator-confirmed cherry-pick (remote subset already
present locally). (3) Audit: no conflict markers
(<code>grep -rn &#39;^&lt;&lt;&lt;&lt;&lt;&lt;&lt; \|^=======$\|^&gt;&gt;&gt;&gt;&gt;&gt;&gt; &#39;</code>
returns empty), no silent file drops
(<code>git diff --stat HEAD@{1} HEAD</code>), every previously-passing
test still passes per §11.4.4 / §11.4.40 baseline, every
captured-evidence artifact still validates. (4)
<code>git push --force-with-lease &lt;remote&gt; &lt;ref&gt;</code>
(NEVER <code>--force</code> without <code>--with-lease</code> unless
§9.2 sub-clause 6 explicitly authorises it for a remote where lease
semantics are unavailable). One force-push event per CONST-043
authorisation — no batch authorisation.</p>
<p><strong>Two-gate composition with CONST-043</strong> — §11.4.41 does
NOT relax CONST-043&#39;s operator-approval requirement. Gate A (CONST-043):
operator types explicit per-operation force-push authorisation. Gate B
(§11.4.41): agent executes the 4-step merge-first pipeline, captures
evidence of clean integration, presents evidence to operator BEFORE the
force-push. Both gates required.</p>
<p><strong>Verification artefact</strong> — every §11.4.41-governed
force-push emits a <code>docs/changelogs/&lt;tag&gt;.md</code>
&quot;Force-push merge-first audit&quot; section containing 7 elements: (i)
<code>git fetch</code> output, (ii) per-remote
<code>HEAD..&lt;remote&gt;/&lt;branch&gt;</code> log before integration,
(iii) integration strategy chosen per remote with rationale, (iv)
post-integration conflict-marker scan output (must be empty), (v)
post-integration test suite delta (must show only expected changes),
(vi) <code>--force-with-lease</code> push output with lease SHA
evidence, (vii) CONST-043 authorisation quote from the conversation.</p>
<p>Composes with §9.2 (data-safety hardlinked backup), §11.4.4
(test-interrupt-on-discovery — broken integration triggers rollback),
§11.4.6 (no-guessing — every step&#39;s outcome captured, not assumed),
§11.4.26 (constitution-submodule update pipeline — per-submodule
specialisation), §11.4.32 (post-pull validation — audit step&#39;s
mechanical companion), §11.4.37 (fetch-before-edit — step 1 enforces it
for force-push specifically), §11.4.40 (full-suite retest — step 3&#39;s
test-evidence requirement).</p>
<p>No escape hatch — the operator-pressure escape (&quot;just force-push,
we&#39;ll fix it later&quot;) is the exact failure mode this anchor closes.
Pre-build gate <code>CM-COVENANT-114-41-PROPAGATION</code> enforces this
anchor in every CLAUDE.md/AGENTS.md across parent + 10 owned submodules
+ nested submodules + HelixQA dependencies. Paired mutation strips the
anchor literal → gate FAILs. Gate <code>CM-FORCE-PUSH-MERGE-FIRST</code>
walks <code>docs/changelogs/&lt;tag&gt;.md</code> &quot;Force-push&quot; entries
for the 7 audit elements; paired mutation strips any element and asserts
gate FAILs.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.41.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<hr />
<p>=======</p>
<!-- CONST-035 anti-bluff addendum (cascaded) -->

<h2 id="const-035--anti-bluff-tests--challenges-mandatory-inherits-from-root">CONST-035
— Anti-Bluff Tests &amp; Challenges (mandatory; inherits from root)</h2>
<p>Tests and Challenges in this submodule MUST verify the product, not
the LLM&#39;s mental model of the product. A test that passes when the
feature is broken is worse than a missing test — it gives false
confidence and lets defects ship to users. Functional probes at the
protocol layer are mandatory:</p>
<ul>
<li>TCP-open is the FLOOR, not the ceiling. Postgres → execute
<code>SELECT 1</code>. Redis → <code>PING</code> returns
<code>PONG</code>. ChromaDB → <code>GET /api/v1/heartbeat</code> returns
200. MCP server → TCP connect + valid JSON-RPC handshake. HTTP gateway →
real request, real response, non-empty body.</li>
<li>Container <code>Up</code> is NOT application healthy. A
<code>docker/podman ps</code> <code>Up</code> status only means PID 1 is
running; the application may be crash-looping internally.</li>
<li>No mocks/fakes outside unit tests (already CONST-030; CONST-035
raises the cost of a mock-driven false pass to the same severity as a
regression).</li>
<li>Re-verify after every change. Don&#39;t assume a previously-passing test
still verifies the same scope after a refactor.</li>
<li>Verification of CONST-035 itself: deliberately break the feature
(e.g. <code>kill &lt;service&gt;</code>, swap a password). The test MUST
fail. If it still passes, the test is non-conformant and MUST be
tightened.</li>
</ul>
<h2 id="const-033-clarification--distinguishing-host-events-from-sluggishness">CONST-033
clarification — distinguishing host events from sluggishness</h2>
<p>Heavy container builds (BuildKit pulling many GB of layers, parallel
podman/docker compose-up across many services) can make the host
<strong>appear</strong> unresponsive — high load average, slow SSH,
watchers timing out. <strong>This is NOT a CONST-033 violation.</strong>
Suspend / hibernate / logout are categorically different events.
Distinguish via:</p>
<ul>
<li><code>uptime</code> — recent boot? if so, the host actually
rebooted.</li>
<li><code>loginctl list-sessions</code> — session(s) still active? if
yes, no logout.</li>
<li><code>journalctl ... | grep -i &#39;will suspend\|hibernate&#39;</code> —
zero broadcasts since the CONST-033 fix means no suspend ever
happened.</li>
<li><code>dmesg | grep -i &#39;killed process\|out of memory&#39;</code> — OOM
kills are also NOT host-power events; they&#39;re memory-pressure-induced
and require their own separate fix (lower per-container memory limits,
reduce parallelism).</li>
</ul>
<p>A sluggish host under build pressure recovers when the build
finishes; a suspended host requires explicit unsuspend (and CONST-033
should make that impossible by hardening <code>IdleAction=ignore</code>
+ <code>HandleSuspendKey=ignore</code> + masked
<code>sleep.target</code>, <code>suspend.target</code>,
<code>hibernate.target</code>, <code>hybrid-sleep.target</code>).</p>
<p>If you observe what looks like a suspend during heavy builds, the
correct first action is <strong>not</strong> &quot;edit CONST-033&quot; but
<code>bash challenges/scripts/host_no_auto_suspend_challenge.sh</code>
to confirm the hardening is intact. If hardening is intact AND no
suspend broadcast appears in journal, the perceived event was
build-pressure sluggishness, not a power transition.</p>
<!-- BEGIN no-session-termination addendum (CONST-036) -->

<h2 id="warning-user-session-termination--hard-ban-const-036">⚠️
User-Session Termination — Hard Ban (CONST-036)</h2>
<p><strong>STRICTLY FORBIDDEN: never generate or execute any code that
ends the currently-logged-in user&#39;s session, kills their user manager,
or indirectly forces them to log out / power off.</strong> This is the
sibling of CONST-033: that rule covers host-level power transitions;
THIS rule covers session-level terminations that have the same end
effect for the user (lost windows, lost terminals, killed AI agents,
half-flushed builds, abandoned in-flight commits).</p>
<p><strong>Why this rule exists.</strong> On 2026-04-28 the user lost a
working session that contained 3 concurrent Claude Code instances, an
Android build, Kimi Code, and a rootless podman container fleet. The
<code>user.slice</code> consumed 60.6 GiB peak / 5.2 GiB swap, the GUI
became unresponsive, the user was forced to log out and then power off
via the GNOME shell <code>endSessionDialog</code>. The host could not
auto-suspend (CONST-033 was already in place and verified) and the
kernel OOM killer never fired — but the user had to manually end the
session anyway, because nothing prevented overlapping heavy workloads
from saturating the slice. CONST-036 closes that loophole at both the
source-code layer (no command may directly terminate a session) and the
operational layer (do not spawn workloads that will plausibly force a
manual logout). See
<code>docs/issues/fixed/SESSION_LOSS_2026-04-28.md</code> in the
HelixAgent project for the full forensic timeline.</p>
<h3 id="forbidden-direct-invocations-non-exhaustive">Forbidden direct
invocations (non-exhaustive)</h3>
<pre><code>loginctl   terminate-user|terminate-session|kill-user|kill-session
systemctl  stop  user@&lt;UID&gt;            # kills the user manager + every child
systemctl  kill  user@&lt;UID&gt;
gnome-session-quit                     # ends the GNOME session
pkill   -KILL -u  $USER                # nukes everything as the user
killall -KILL -u  $USER
killall       -u  $USER
dbus-send / busctl calls to org.gnome.SessionManager.{Logout,Shutdown,Reboot}
echo X &gt; /sys/power/state              # direct kernel power transition
/usr/bin/poweroff                      # standalone binaries
/usr/bin/reboot
/usr/bin/halt</code></pre>
<h3 id="indirect-pressure-clauses">Indirect-pressure clauses</h3>
<ol type="1">
<li>Do NOT spawn parallel heavy workloads casually — sample
<code>free -h</code> first; keep <code>user.slice</code> under 70% of
physical RAM.</li>
<li>Long-lived background subagents go in <code>system.slice</code>, not
<code>user.slice</code> (rootless podman containers die with the user
manager).</li>
<li>Document AI-agent concurrency caps in CLAUDE.md per submodule.</li>
<li>Never script &quot;log out and back in&quot; recovery flows — restart the
service, not the session.</li>
</ol>
<h3 id="verification">Verification</h3>
<div class="sourceCode" id="cb26"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb26-1"><a href="#cb26-1" aria-hidden="true" tabindex="-1"></a><span class="fu">bash</span> challenges/scripts/no_session_termination_calls_challenge.sh  <span class="co"># source clean</span></span>
<span id="cb26-2"><a href="#cb26-2" aria-hidden="true" tabindex="-1"></a><span class="fu">bash</span> challenges/scripts/no_suspend_calls_challenge.sh              <span class="co"># CONST-033 still clean</span></span>
<span id="cb26-3"><a href="#cb26-3" aria-hidden="true" tabindex="-1"></a><span class="fu">bash</span> challenges/scripts/host_no_auto_suspend_challenge.sh          <span class="co"># host hardened</span></span></code></pre></div>
<p>All three must PASS.</p>
<!-- END no-session-termination addendum (CONST-036) -->

<!-- BEGIN const035-strengthening-2026-04-29 -->

<h2 id="const-035--end-user-usability-mandate-2026-04-29-strengthening">CONST-035
— End-User Usability Mandate (2026-04-29 strengthening)</h2>
<p>A test or Challenge that PASSES is a CLAIM that the tested behavior
<strong>works for the end user of the product</strong>. The HelixAgent
project has repeatedly hit the failure mode where every test ran green
AND every Challenge reported PASS, yet most product features did not
actually work — buggy challenge wrappers masked failed assertions,
scripts checked file existence without executing the file,
&quot;reachability&quot; tests tolerated timeouts, contracts were honest in
advertising but broken in dispatch. <strong>This MUST NOT
recur.</strong></p>
<p>Every PASS result MUST guarantee:</p>
<p>a. <strong>Quality</strong> — the feature behaves correctly under
inputs an end user will send, including malformed input, edge cases, and
concurrency that real workloads produce. b. <strong>Completion</strong>
— the feature is wired end-to-end from public API surface down to
backing infrastructure, with no stub / placeholder / &quot;wired lazily
later&quot; gaps that silently 503. c. <strong>Full usability</strong> — a
CLI agent / SDK consumer / direct curl client following the documented
model IDs, request shapes, and endpoints SUCCEEDS without having to know
which of N internal aliases the dispatcher actually accepts.</p>
<p>A passing test that doesn&#39;t certify all three is a
<strong>bluff</strong> and MUST be tightened, or marked
<code>t.Skip(&quot;...SKIP-OK: #&lt;ticket&gt;&quot;)</code> so absence of
coverage is loud rather than silent.</p>
<h3 id="bluff-taxonomy-each-pattern-observed-in-helixagent-and-now-forbidden">Bluff
taxonomy (each pattern observed in HelixAgent and now forbidden)</h3>
<ul>
<li><strong>Wrapper bluff</strong> — assertions PASS but the wrapper&#39;s
exit-code logic is buggy, marking the run FAILED (or the inverse:
assertions FAIL but the wrapper swallows them). Every aggregating
wrapper MUST use a robust counter
(<code>! grep -qs &quot;|FAILED|&quot; &quot;$LOG&quot;</code> style) — never inline
arithmetic on a command that prints AND exits non-zero.</li>
<li><strong>Contract bluff</strong> — the system advertises a capability
but rejects it in dispatch. Every advertised capability MUST be
exercised by a test or Challenge that actually invokes it.</li>
<li><strong>Structural bluff</strong> —
<code>check_file_exists &quot;foo_test.go&quot;</code> passes if the file is
present but doesn&#39;t run the test or assert anything about its content.
File-existence checks MUST be paired with at least one functional
assertion.</li>
<li><strong>Comment bluff</strong> — a code comment promises a behavior
the code doesn&#39;t actually have. Documentation written before / about
code MUST be re-verified against the code on every change touching the
documented function.</li>
<li><strong>Skip bluff</strong> — <code>t.Skip(&quot;not running yet&quot;)</code>
without a <code>SKIP-OK: #&lt;ticket&gt;</code> marker silently passes.
Every skip needs the marker; CI fails on bare skips.</li>
</ul>
<p>The taxonomy is illustrative, not exhaustive. Every Challenge or test
added going forward MUST pass an honest self-review against this
taxonomy before being committed.</p>
<!-- END const035-strengthening-2026-04-29 -->

<hr />
<h2 id="article-xi-119--anti-bluff-forensic-anchor-cascaded-from-parent-constitutionmd">Article
XI §11.9 — Anti-Bluff Forensic Anchor (cascaded from parent
CONSTITUTION.md)</h2>
<blockquote>
<p>Verbatim user mandate (2026-04-29, reasserted multiple times across
2026-05): <em>&quot;We had been in position that all tests do execute with
success and all Challenges as well, but in reality the most of the
features does not work and can&#39;t be used! This MUST NOT be the case and
execution of tests and Challenges MUST guarantee the quality, the
completion and full usability by end users of the product!&quot;</em></p>
</blockquote>
<p>Operative rule: <strong>The bar for shipping is not &quot;tests pass&quot; but
&quot;users can use the feature.&quot;</strong> Every PASS in this codebase MUST
carry positive runtime evidence captured during execution. Metadata-only
/ configuration-only / absence-of-error / grep-based PASS without
runtime evidence are critical defects regardless of how green the
summary line looks. No false-success results are tolerable.</p>
<p>This anchor MUST remain in this submodule&#39;s CONSTITUTION.md,
CLAUDE.md, and AGENTS.md alongside CONST-047 — see the parent
repository&#39;s <code>CONSTITUTION.md</code> for the full text.</p>
<hr />
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="const-048-full-automation-coverage-mandate-cascaded-from-constitution-submodule-11425">CONST-048:
Full-Automation-Coverage Mandate (cascaded from constitution submodule
§11.4.25)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;Make sure that every
feature, every functionality, every flow, every use case, every edge
case, every service or application, on every platform we support is
covered with full automation tests which will confirm anti-bluff policy
and provide the proof of fully working capabilities, working
implementation as expected, no issues, no bugs, fully documented, tests
covered! Nothing less than this does not give us a chance to deliver
stable product! This is mandatory constraint which MUST BE respected
without ignoring, skipping, slacking or forgetting it!&quot;</em></p>
</blockquote>
<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD No feature / functionality / flow /
use case / edge case / service / application on any supported platform
of this submodule is deliverable until covered by automation tests
proving six invariants: (1) anti-bluff posture with captured runtime
evidence (CONST-035); (2) proof of working capability end-to-end on
target topology; (3) implementation matching documented promise; (4) no
open issues/bugs surfaced; (5) full documentation in sync; (6)
four-layer test floor (pre-build + post-build + runtime + paired
mutation).</p>
<h1 id="cascade-requirement-this-anchor-verbatim-or-by-const-048-id-reference-must-remain-in-this-submodules-constitutionmd-claudemd-and-agentsmd-and-propagate-recursively-to-any-nested-owned-by-us-submodule-see-parent-projects-constitutionmd-const-048-and-constitution-submodule-constitutionmd-11425-for-the-full-mandate"><strong>Cascade
requirement:</strong> This anchor (verbatim or by CONST-048 ID
reference) MUST remain in this submodule&#39;s CONSTITUTION.md, CLAUDE.md,
and AGENTS.md, and propagate recursively to any nested owned-by-us
submodule. See parent project&#39;s <code>CONSTITUTION.md</code> §CONST-048
and constitution submodule <code>Constitution.md</code> §11.4.25 for the
full mandate.</h1>
<p>No feature / functionality / flow / use case / edge case / service /
application on any supported platform of HelixCode may be considered
deliverable until covered by automation tests proving six invariants:
(1) anti-bluff posture (CONST-035) with captured runtime evidence; (2)
proof of working capability end-to-end on target topology (no mocks
beyond unit tests — see CONST-050); (3) implementation matches
documented promise; (4) no open issues/bugs surfaced — cross-checked
against §11.4.15 / §11.4.16 trackers; (5) full documentation in sync per
§11.4.12; (6) four-layer test floor per §1 (pre-build + post-build +
runtime + paired mutation).</p>
<p>Consuming projects MUST publish a coverage ledger (feature × platform
× invariant-1..6 × status) regenerated as part of the release-gate
sweep. Gaps tracked per §11.4.15 (<code>UNCONFIRMED:</code> /
<code>PENDING_FORENSICS:</code> / <code>OPERATOR-BLOCKED:</code> with
§11.4.21 audit) — rows that quietly omit a platform are CONST-048
violations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-048</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
release-gate layer. No escape hatch. See constitution submodule
<code>Constitution.md</code> §11.4.25 for the full mandate.</p>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="const-049-constitution-submodule-update-workflow-mandate-cascaded-from-constitution-submodule-11426">CONST-049:
Constitution-Submodule Update Workflow Mandate (cascaded from
constitution submodule §11.4.26)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;Every time we add something
into our root (constitution Submodule) Constitution, CLAUDE.MD and
AGENTS.MD we MUST FIRST fetch and pull all new changes / work from
constitution Submodule first! All changes we apply MUST BE commited and
pushed to all constitution Submodule upstreams! In case of conflict, IT
MUST BE carefully resolved! Nothing can be broken, made faulty,
corrupted or unusable! After merging full validation and verification
MUST BE done!&quot;</em></p>
</blockquote>
<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD Before ANY modification to
<code>constitution/{Constitution,CLAUDE,AGENTS}.md</code> in the parent
project, the agent or operator MUST execute the 7-step pipeline: (1)
fetch + pull first inside the constitution submodule worktree; (2) apply
the change with §11.4.17 classification + verbatim mandate quote; (3)
validate (meta-test + no merge-conflict markers + cross-file
consistency); (4) commit + push to EVERY configured upstream of the
constitution submodule (governance files only — never
<code>git add -A</code>); (5) careful conflict resolution preserving
union of governance content (force-push forbidden per CONST-043 / §9.2);
(6) post-merge <code>git submodule update --remote --init</code> +
re-run cascade verifier (CONST-047); (7) bump consuming project&#39;s
<code>.gitmodules</code> pointer to the new constitution HEAD in the
SAME commit as cascade work.</p>
<h1 id="cascade-requirement-this-anchor-verbatim-or-by-const-049-id-reference-must-remain-in-this-submodules-constitutionmd-claudemd-and-agentsmd-and-propagate-recursively-to-any-nested-owned-by-us-submodule-see-parent-projects-constitutionmd-const-049-and-constitution-submodule-constitutionmd-11426-for-the-full-mandate"><strong>Cascade
requirement:</strong> This anchor (verbatim or by CONST-049 ID
reference) MUST remain in this submodule&#39;s CONSTITUTION.md, CLAUDE.md,
and AGENTS.md, and propagate recursively to any nested owned-by-us
submodule. See parent project&#39;s <code>CONSTITUTION.md</code> §CONST-049
and constitution submodule <code>Constitution.md</code> §11.4.26 for the
full mandate.</h1>
<p>Before ANY modification to <code>constitution/Constitution.md</code>,
<code>constitution/CLAUDE.md</code>, or
<code>constitution/AGENTS.md</code>, the agent or operator MUST execute
the following 7-step pipeline in order:</p>
<ol type="1">
<li><strong>Fetch + pull first</strong> inside the constitution
submodule worktree — every configured remote fetched, then
<code>git pull --ff-only</code> (or <code>--rebase</code> if non-FF;
NEVER <code>--strategy=ours</code> /
<code>--allow-unrelated-histories</code> without explicit
authorization).</li>
<li><strong>Apply the change</strong> with §11.4.17 classification +
verbatim mandate quote.</li>
<li><strong>Validate before commit</strong> —
<code>meta_test_inheritance.sh</code> (or equivalent), no merge-conflict
markers, cross-file consistency.</li>
<li><strong>Commit + push to ALL upstreams</strong> — governance files
only (NEVER <code>git add -A</code>); push to every configured remote.
One-upstream commit = CONST-049 violation (also CONST-038/§6.W and
§2.1).</li>
<li><strong>Conflict resolution</strong> preserving union of governance
content. Force-push to bypass conflicts is FORBIDDEN (CONST-043 /
§9.2).</li>
<li><strong>Post-merge validation</strong> —
<code>git submodule update --remote --init</code> + re-run cascade
verifier (CONST-047) confirming the new clause reaches every owned
submodule.</li>
<li><strong>Bump consuming project pointer</strong> —
<code>.gitmodules</code>-tracked submodule pointer advanced to the new
constitution HEAD in the SAME commit as cascade work.</li>
</ol>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-049</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a force-push without
CONST-043 / §9.2 authorization. No escape hatch. See constitution
submodule <code>Constitution.md</code> §11.4.26 for the full
mandate.</p>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="const-050-no-fakes-beyond-unit-tests--100-test-type-coverage-mandate-cascaded-from-constitution-submodule-11427">CONST-050:
No-Fakes-Beyond-Unit-Tests + 100%-Test-Type-Coverage Mandate (cascaded
from constitution submodule §11.4.27)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;Mocks, stubs, placeholders,
TODOs or FIXMEs are allowed to exist ONLY in Unit tests! All other test
types MUST interract with real fully implemented System! No fakes, empty
implementations or bluffing is allowed of any kind! All codebase of the
project MUST BE 100% covered with every supported test type: unit tests,
integration tests, e2e tests, full automation tests, security tests,
ddos tests, scaling tests, chaos tests, stress tests, performance tests,
benchmarking tests, ui tests, ux tests, Challenges (fully incorporating
our Challenges Submodule — <a href="https://github.com/vasic-digital/Challenges">https://github.com/vasic-digital/Challenges</a>).
EVERYTHING MUST BE tested using HelixQA (fully incorporating HelixQA
Submodule — <a href="https://github.com/HelixDevelopment/HelixQA">https://github.com/HelixDevelopment/HelixQA</a>).
HelixQA MUST BE used with all possible written tests suites (test banks)
for every applications, service, platform, etc and execution of the full
HelixQA QA autonomous sessions! All required dependency Submodules MUST
BE added into the project as well (fully recursive!!!).&quot;</em></p>
</blockquote>
<p>Two cooperating invariants:</p>
<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD <strong>(A)
No-fakes-beyond-unit-tests.</strong> Mocks, stubs, fakes, placeholders,
<code>TODO</code>, <code>FIXME</code>, &quot;for now&quot;, &quot;in production this
would&quot;, or empty-implementation patterns are PERMITTED only in unit-test
sources. Every other test type — integration, E2E, full automation,
security, DDoS, scaling, chaos, stress, performance, benchmarking, UI,
UX, Challenges, HelixQA — MUST exercise this submodule&#39;s real, fully
implemented system against real infrastructure. Production code MUST NOT
import mock paths.</p>
<p><strong>(B) 100% test-type coverage.</strong> Codebase MUST be
covered by every supported test type the domain warrants: unit,
integration, E2E, full-automation, security, DDoS, scaling, chaos,
stress, performance, benchmarking, UI, UX, Challenges
(vasic-digital/Challenges submodule fully incorporated), HelixQA
(HelixDevelopment/HelixQA submodule fully incorporated, with full
autonomous QA sessions executing every registered test bank with
captured wire evidence).</p>
<p><strong>Required dependency submodules</strong> (recursive per
CONST-047): Challenges + HelixQA + any other functionality submodules
under vasic-digital/HelixDevelopment orgs this submodule depends on.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-050 ID reference) MUST remain in this submodule&#39;s CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project&#39;s <code>CONSTITUTION.md</code>
§CONST-050 and constitution submodule <code>Constitution.md</code>
§11.4.27 for the full mandate.</p>
<h2 id="const-051-submodules-as-equal-codebase--decoupling--dependency-layout-mandate-cascaded-from-constitution-submodule-11428">CONST-051:
Submodules-As-Equal-Codebase + Decoupling + Dependency-Layout Mandate
(cascaded from constitution submodule §11.4.28)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;All existing Submodules in
the project that we are controlling and belong to some our organizations
(vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory - we
can ALWAYS check dynamically using GitHub and GitLab CLIs) are equal
parts of the project&#39;s codebase! We MUST work on that code as much as we
do with main project&#39;s codebase! All on equal basis! Equally important!
... We MUST NEVER modify Submodules to bring into them any project
specific context since they all MUST BE ALWAYS fully decoupled, project
not-aware, fully reusable and modular (by any other project(s)),
completely testable! All Submodule dependencies that are used by
Submodule MUST BE acessed from the root of the project! We MUST NOT have
nested Submodule dependencies but accessing each from proper location
from the root of the project - directly from project&#39;s root
project_name/submodule_name or some more proper structure
project_name/submodules/submodule_name!&quot;</em></p>
</blockquote>
<p>Three cooperating invariants apply to every owned-by-us submodule
(orgs: vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory, plus
any subsequently authorised org — discoverable via
<code>gh org list</code> / <code>glab</code>):</p>
<p><strong>(A) Equal-codebase.</strong> This submodule is an EQUAL part
of every consuming project&#39;s codebase. The consuming project&#39;s
engineering practice — analysis, extension, test creation, gap-filling,
bug-fix, documentation (user manuals, guides, diagrams, graphs, SQL
definitions, website pages, all materials) — applies to this submodule
on equal basis. Coverage ledgers (CONST-048) list this submodule as an
in-scope target.</p>
<p><strong>(B) Decoupling / reusability.</strong> This submodule MUST
remain fully decoupled from any specific consuming project. NEVER inject
project-specific context (hardcoded paths, hostnames, asset names,
naming schemes). Stay project-not-aware, reusable, modular, completely
testable as a standalone repository. When parent-project info is needed,
use configuration injection (env var, config file, constructor
parameter) — never a hardcoded reach.</p>
<p><strong>(C) Dependency-layout.</strong> Any dependency this submodule
consumes MUST be accessible from the consuming project&#39;s root at
<code>&lt;root&gt;/&lt;name&gt;/</code> or
<code>&lt;root&gt;/submodules/&lt;name&gt;/</code>. <strong>Nested
own-org submodule chains are FORBIDDEN</strong> — this submodule MUST
NOT have its own <code>.gitmodules</code> entries pulling in further
owned-by-us repos. Third-party submodules are exempt.</p>
<h1 id="cascade-requirement-this-anchor-verbatim-or-by-const-051-id-reference-must-remain-in-this-submodules-constitutionmd-claudemd-and-agentsmd-and-propagate-recursively-to-any-nested-owned-by-us-submodule-see-parent-projects-constitutionmd-const-051-and-constitution-submodule-constitutionmd-11428-for-the-full-mandate"><strong>Cascade
requirement:</strong> This anchor (verbatim or by CONST-051 ID
reference) MUST remain in this submodule&#39;s CONSTITUTION.md, CLAUDE.md,
and AGENTS.md, and propagate recursively to any nested owned-by-us
submodule. See parent project&#39;s <code>CONSTITUTION.md</code> §CONST-051
and constitution submodule <code>Constitution.md</code> §11.4.28 for the
full mandate.</h1>
<p><strong>(A) No-fakes-beyond-unit-tests.</strong> Mocks, stubs, fakes,
placeholders, <code>TODO</code>, <code>FIXME</code>, &quot;for now&quot;, &quot;in
production this would&quot;, or empty-implementation patterns are PERMITTED
only in unit-test sources (<code>*_test.go</code> files invoked without
the integration build tag; <code>HelixCode/tests/unit/</code>; etc.).
Every other test type — integration, E2E, full automation, security,
DDoS, scaling, chaos, stress, performance, benchmarking, UI, UX,
Challenges, HelixQA — MUST exercise the real, fully implemented
HelixCode system against real infrastructure (real PostgreSQL, real
Redis, real LLM endpoints, real containers, real captured devices).
Production code (anything under <code>HelixCode/cmd/</code>,
<code>HelixCode/applications/</code>,
<code>HelixCode/internal/&lt;pkg&gt;/&lt;file&gt;.go</code> not ending
<code>_test.go</code>) MUST NOT import from
<code>HelixCode/internal/mocks/</code>.</p>
<p><strong>(B) 100% test-type coverage.</strong> HelixCode&#39;s codebase
MUST be covered by every supported test type the domain warrants:</p>
<ul>
<li><strong>Unit</strong> — fast, isolated, mocks permitted per
(A).</li>
<li><strong>Integration</strong> — multi-component, no mocks, real
backing services.</li>
<li><strong>End-to-end (E2E)</strong> — full user-flow exercise on
target topology.</li>
<li><strong>Full automation</strong> — orchestrated suites exercising
every feature × platform combination (CONST-048 coverage ledger).</li>
<li><strong>Security</strong> — authn/authz boundaries, CONST-042
secret-leak scans, input-fuzzing, dependency-CVE scanning, threat-model
verification.</li>
<li><strong>DDoS</strong> — request-flood resilience at advertised
throughput tier.</li>
<li><strong>Scaling</strong> — horizontal + vertical scale behaviour
under linear load growth.</li>
<li><strong>Chaos</strong> — controlled failure injection (network
partition, process kill, disk full, clock skew).</li>
<li><strong>Stress</strong> — sustained load above advertised tier.</li>
<li><strong>Performance</strong> — latency / throughput / tail-latency
invariants vs SLO baselines.</li>
<li><strong>Benchmarking</strong> — micro + macro suites with historical
p95-drift detection.</li>
<li><strong>UI</strong> — visual-regression + DOM-state +
interaction-flow coverage on every target platform&#39;s UI surface.</li>
<li><strong>UX</strong> — flow-correctness + accessibility + i18n +
visual-cue ordering (§11.4.23 composition).</li>
<li><strong>Challenges</strong> — <code>vasic-digital/Challenges</code>
submodule (at <code>./Challenges/</code>) fully incorporated;
per-feature Challenge scripts with captured runtime evidence.</li>
<li><strong>HelixQA</strong> — <code>HelixDevelopment/HelixQA</code>
submodule (at <code>./HelixQA/</code>) fully incorporated; ALL written
test banks executed; full autonomous QA sessions run as part of release
gates with captured wire evidence per check.</li>
</ul>
<p><strong>Required dependency submodules</strong> (recursive per
CONST-047):</p>
<ul>
<li>Challenges —
<code>git@github.com:vasic-digital/Challenges.git</code> — incorporated
at <code>./Challenges/</code>.</li>
<li>HelixQA — <code>git@github.com:HelixDevelopment/HelixQA.git</code> —
incorporated at <code>./HelixQA/</code>.</li>
<li>Any additional functionality submodules under
<code>vasic-digital/*</code> / <code>HelixDevelopment/*</code> orgs that
HelixCode depends on — incorporate rather than duplicate work the orgs
already maintain.</li>
</ul>
<p>Submodule pointers MUST be bumped to upstream HEAD in the SAME commit
as any dependent cascade work (CONST-049 step 7). Pointer drift =
CONST-050 violation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-050</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
release-gate layer. No escape hatch. See constitution submodule
<code>Constitution.md</code> §11.4.27 for the full mandate.</p>
<h2 id="const-051-submodules-as-equal-codebase--decoupling--dependency-layout-mandate-cascaded-from-constitution-submodule-11428-1">CONST-051:
Submodules-As-Equal-Codebase + Decoupling + Dependency-Layout Mandate
(cascaded from constitution submodule §11.4.28)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;All existing Submodules in
the project that we are controlling and belong to some our organizations
(vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory - we
can ALWAYS check dynamically using GitHub and GitLab CLIs) are equal
parts of the project&#39;s codebase! We MUST work on that code as much as we
do with main project&#39;s codebase! All on equal basis! Equally important!
We MUST take it into the account, analyze it, extend it, create missing
tests, do full testing of it, fill the gaps (if any), fix any issues
that we discover or they pop-up, write and extend the documentation,
user guides, manulas, diagrams, graphs, SQL definitions, Website(s) and
all other relevant materials! We MUST NEVER modify Submodules to bring
into them any project specific context since they all MUST BE ALWAYS
fully decoupled, project not-aware, fully reusable and modular (by any
other project(s)), completely testable! All Submodule dependencies that
are used by Submodule MUST BE acessed from the root of the project! We
MUST NOT have nested Submodule dependencies but accessing each from
proper location from the root of the project - directly from project&#39;s
root project_name/submodule_name or some more proper structure
project_name/submodules/submodule_name!&quot;</em></p>
</blockquote>
<p>Three cooperating invariants apply to every HelixCode-owned submodule
(those whose upstream <code>origin</code> lives under
<code>vasic-digital</code>, <code>HelixDevelopment</code>,
<code>red-elf</code>, <code>ATMOSphere1234321</code>,
<code>Bear-Suite</code>, <code>BoatOS123456</code>,
<code>Helix-Flow</code>, <code>Helix-Track</code>,
<code>Server-Factory</code>, or any subsequently authorised org):</p>
<p><strong>(A) Equal-codebase.</strong> Every owned-by-us submodule is
an <strong>equal part</strong> of HelixCode&#39;s codebase. The same
engineering practice — analysis, extension, test creation, gap-filling,
bug-fix, documentation (user manuals, guides, diagrams, graphs, SQL
definitions, website pages, all materials) — applies to each owned
submodule on equal basis. A round of work that improves only HelixCode&#39;s
main while leaving an owned-submodule deficiency unaddressed is a
CONST-051 violation, severity-equivalent to a §11.4 PASS-bluff at the
project-scope layer. The §11.4.25 / CONST-048 coverage ledger MUST list
every owned submodule as an in-scope target.</p>
<p><strong>(B) Decoupling / reusability.</strong> Owned submodules MUST
remain fully decoupled from HelixCode (and any other consuming project).
No HelixCode-specific context, hardcoded paths, hostnames, asset names,
or runtime assumptions may be introduced into an owned submodule&#39;s
source tree. When a submodule needs information from HelixCode, the
honest path is configuration injection (env var, config file,
constructor parameter) — never a hardcoded reach into the parent&#39;s tree.
Every owned submodule MUST be project-not-aware, fully reusable,
modular, and completely testable as a standalone repository.</p>
<p><strong>(C) Dependency-layout.</strong> Every dependency that an
owned submodule consumes MUST be accessible from HelixCode&#39;s root at one
of two canonical paths:</p>
<ul>
<li><code>&lt;repo_root&gt;/&lt;submodule_name&gt;/</code> (flat layout
— current HelixCode layout for Challenges, HelixQA, Containers,
Security, etc.)</li>
<li><code>&lt;repo_root&gt;/submodules/&lt;submodule_name&gt;/</code>
(grouped layout — alternate)</li>
</ul>
<p><strong>Nested own-org submodule chains are FORBIDDEN.</strong> A
submodule MUST NOT have its own <code>.gitmodules</code> entries pulling
in further owned-by-us repos. Every dependency required by submodule X
is added to HelixCode&#39;s root at the canonical path; X reaches it via
documented import / SDK path / runtime resolver — never via its own
nested submodule pointer. Third-party submodules (not under our orgs)
are exempt — they MAY appear at any depth.</p>
<p>The owned-org list is dynamically discoverable at any time via
<code>gh org list</code> / <code>glab</code> CLIs or the orgs&#39; public
APIs.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-051</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
codebase-completeness layer. No escape hatch. See constitution submodule
<code>Constitution.md</code> §11.4.28 for the full mandate (audit gates,
mutation pairs, workflow integration).</p>
<hr />
<h2 id="amendment-process">Amendment Process</h2>
<p>Constitution amendments require:</p>
<ol type="1">
<li>Written proposal with rationale</li>
<li>Challenge demonstrating the need</li>
<li>72-hour review period</li>
<li>Approval by project architect</li>
<li>Update to all submodule governance files</li>
</ol>
<hr />
<p><em>This Constitution is the supreme law of the HelixCode project. No
code, test, or process may contradict it.</em></p>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="const-052-lowercase-snake_case-naming-mandate-cascaded-from-constitution-submodule-11429">CONST-052:
Lowercase-Snake_Case-Naming Mandate (cascaded from constitution
submodule §11.4.29)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;naming convention for
Submodules and directories (applied deep into hierarchy recursively) -
all directories and Submodules MSUT HAVE lowercase names with space
separator between the words of &#39;_&#39; character (snake-case)! All existing
Submodules and directories which are not following this rule MUST BE
renamed! However, since this will most likely break some of the
functionalities renaming we do MUST BE applied to all references to
particular Submodule or directory! ... There MUST BE reasonable
exceptions for this rules - source code for programming languages or
Submodules which apply different naming convention - Android, Java,
Kotlin and others. ... Upstreams directory which all of our projects and
Submodules have MUST BE renamed to the lowercase letters too, however
root project containing the install_upstreams system command (it is
exported in out paths in our .bashrc or .zshrc) MUST BE updated to fully
work with both Upstreams and upstreams directory. ... NOTE: Rules
lowercase / snake-case do apply to all project files as well and
references to it and from them!&quot;</em></p>
</blockquote>
<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD Every directory, submodule, and
file in this submodule MUST use lowercase snake_case names. Existing
non-compliant names MUST be renamed atomically with updates to every
reference (configs, docs, source-code imports, governance files).
Reference drift after rename = CONST-052 violation of equal severity to
the rename itself.</p>
<p><strong>Common-sense exceptions (technology-preserving):</strong>
language-mandated case for Java/Kotlin/Android/Apple/C#/Swift INSIDE
language-roots; vendor/upstream third-party submodules keep upstream
names; build artefacts (<code>node_modules</code>,
<code>__pycache__</code>, <code>.git</code>, <code>target</code>,
<code>build</code>, <code>bin</code>) keep tool-mandated names. The test
&quot;does renaming break the technology?&quot; trumps the rule.</p>
<p><strong><code>Upstreams/</code> → <code>upstreams/</code>
transition:</strong> the constitution submodule&#39;s
<code>install_upstreams.sh</code> (exported via
<code>.bashrc</code>/<code>.zshrc</code>) supports BOTH directory
layouts; lowercase wins when both present.</p>
<p><strong>Test coverage of renames</strong> (per CONST-050(B)):
regression test for reference resolution + full test-type matrix run +
anti-bluff wire-evidence captured.</p>
<h1 id="cascade-requirement-this-anchor-verbatim-or-by-const-052-id-reference-must-remain-in-this-submodules-constitutionmd-claudemd-and-agentsmd-and-propagate-recursively-to-any-nested-owned-by-us-submodule-see-parent-projects-constitutionmd-const-052-and-constitution-submodule-constitutionmd-11429-for-the-full-mandate"><strong>Cascade
requirement:</strong> This anchor (verbatim or by CONST-052 ID
reference) MUST remain in this submodule&#39;s CONSTITUTION.md, CLAUDE.md,
and AGENTS.md, and propagate recursively to any nested owned-by-us
submodule. See parent project&#39;s <code>CONSTITUTION.md</code> §CONST-052
and constitution submodule <code>Constitution.md</code> §11.4.29 for the
full mandate.</h1>
<p>Every directory, submodule, and file in HelixCode MUST use lowercase
snake_case names. Existing non-compliant names (<code>HelixCode/</code>,
<code>Challenges/</code>, <code>Containers/</code>,
<code>HelixAgent/</code>, <code>HelixQA/</code>, <code>Security/</code>,
<code>Github-Pages-Website/</code>, <code>Upstreams/</code>,
<code>Dependencies/</code>, etc.) MUST be renamed as part of the phased
migration opened by this clause. Every reference (configs, docs, links,
source-code imports, governance files) MUST be updated atomically with
the rename — reference drift after a rename is a CONST-052 violation of
equal severity to the rename itself.</p>
<p><strong>Common-sense exceptions (technology-preserving):</strong>
language-mandated case for Java/Kotlin/Android/Apple/C#/Swift INSIDE the
language root (submodule root follows our convention; subtree follows
language convention); vendor/upstream third-party submodules keep
upstream names; build artefacts (<code>node_modules</code>,
<code>__pycache__</code>, <code>.git</code>, <code>target</code>,
<code>build</code>, <code>bin</code>) keep tool-mandated names. The test
&quot;does renaming break the technology?&quot; trumps the rule.</p>
<p><strong><code>Upstreams/</code> → <code>upstreams/</code>
transition:</strong> the constitution submodule&#39;s
<code>install_upstreams.sh</code> (exported via
<code>.bashrc</code>/<code>.zshrc</code>) supports BOTH
<code>Upstreams/</code> and <code>upstreams/</code> directory layouts
(commit <code>45d3678</code> of the constitution submodule); lowercase
wins when both present.</p>
<p><strong>Test coverage of renames</strong> (per CONST-050(B)): every
rename batch ships with (i) regression test verifying every reference
now resolves, (ii) full test-type matrix run post-rename, (iii)
anti-bluff wire-evidence captured.</p>
<p><strong>Phased execution</strong> per the operator&#39;s explicit
instruction: comprehensive brainstorming → phase-divided plan →
fine-grained tasks/subtasks → every change covered by every applicable
test type. §11.4.20 subagent delegation for cross-cutting rename
sweeps.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-052</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
reference-integrity layer. No escape hatch beyond the common-sense
exceptions enumerated above. See constitution submodule
<code>Constitution.md</code> §11.4.29 for the full mandate.</p>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="const-053-gitignore--no-versioned-build-artifacts-mandate-cascaded-from-constitution-submodule-11430">CONST-053:
.gitignore + No-Versioned-Build-Artifacts Mandate (cascaded from
constitution submodule §11.4.30)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;every project module, every
Submodule, every servcie and apolication MUST HAVE proper .gitignore
file! We MUST NOT git version build artifacts, cache files, tmp files,
main .env file(s) or any files containing sensitive data, API keys or
token! Any build derivate which we can recreate by executing proper
mechanism for generating MUST NOT be versioned! We MUST pay attention
what is going to be commited every time we are preparing to execute
commit! If any violetion is detected it MUST be fixed before commit is
executed!&quot;</em></p>
</blockquote>
<p>Every project module, owned-by-us submodule, service, and application
MUST ship a proper <code>.gitignore</code>.
Forbidden-from-version-control classes:</p>
<ol type="1">
<li><strong>Build artefacts</strong>: <code>/bin/</code>,
<code>/build/</code>, <code>/dist/</code>, <code>/out/</code>,
<code>target/</code>, <code>*.exe</code>, <code>*.dll</code>,
<code>*.so</code>, <code>*.dylib</code>, <code>*.a</code>,
<code>*.o</code>, <code>*.class</code>, <code>*.pyc</code>,
generator-produced files when the generator is committed.</li>
<li><strong>Cache files</strong>: <code>__pycache__/</code>,
<code>.pytest_cache/</code>, <code>.mypy_cache/</code>,
<code>.ruff_cache/</code>, <code>node_modules/</code>,
<code>.next/</code>, <code>.cache/</code>, <code>.gradle/</code>,
<code>.terraform/</code>, language-server caches.</li>
<li><strong>Temp files</strong>: <code>*.tmp</code>, <code>*.swp</code>,
<code>*~</code>, <code>.DS_Store</code>, <code>Thumbs.db</code>,
<code>*.orig</code>, <code>*.rej</code>.</li>
<li><strong>Sensitive-data files</strong>: <code>.env</code>,
<code>.env.*</code> (allow <code>.env.example</code> placeholder only —
no real secrets even as examples), <code>*.pem</code>,
<code>*.key</code>, <code>*.crt</code>, <code>id_rsa*</code>,
<code>id_ed25519*</code>, <code>.netrc</code>, <code>secrets/</code>,
<code>api_keys.sh</code>.</li>
<li><strong>Generated reports/logs</strong>: <code>*.log</code>,
<code>coverage.out</code>, <code>htmlcov/</code>, runtime captures
unless reference assets.</li>
<li><strong>OS/IDE personal state</strong>: <code>.idea/</code>,
<code>.history/</code>, <code>.vscode/</code> (except shared
settings).</li>
</ol>
<p><strong>Anti-bluff invariant</strong>: <code>.gitignore</code> line
alone is not sufficient — no file matching the forbidden patterns may be
CURRENTLY TRACKED. A tracked <code>*.log</code> despite the ignore-line
is a violation of equal severity to no ignore-line at all.</p>
<p><strong>Pre-commit attention</strong>: every commit author (human OR
agent) MUST inspect <code>git diff --staged</code> +
<code>git status</code> BEFORE executing the commit. Forbidden-class
hits abort the commit until fixed (un-stage, add to
<code>.gitignore</code>, scrub if already-tracked). Gate
<code>CM-GITIGNORE-PRECOMMIT-AUDIT</code> + paired mutation.</p>
<p><strong>Secret-leak intersection (CONST-042 / §11.4.10):</strong> a
<code>.env</code> leak is BOTH a CONST-053 and a CONST-042 violation;
rotation + post-mortem required.</p>
<p><strong>Recreatable-content test</strong>: if a documented mechanism
regenerates the file from sources, it is a build derivative and MUST be
ignored. The committed sources MUST include the generator.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-053</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
repository-hygiene layer. See constitution submodule
<code>Constitution.md</code> §11.4.30 for the full mandate.</p>
<h2 id="const-054-submodule-dependency-manifest-mandate-cascaded-from-constitution-submodule-11431">CONST-054:
Submodule-Dependency-Manifest Mandate (cascaded from constitution
submodule §11.4.31)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;We MUST HAVE mechanism for
each Submodule to determine / know what are its Submodule dependencies
so new projects or palces we are incorporate them can add these
Submodules to the project root and make them available! Suggested idea
is configuration file with expected Submodules Git ssh urls perhaps? New
project can read it, and recursively add each Submodule to the root of
the project and install / expose it to veryone.&quot;</em></p>
</blockquote>
<p>Every owned-by-us submodule MUST ship <code>helix-deps.yaml</code> at
its root declaring its own-org dependencies. Schema:
<code>schema_version</code>,
<code>deps: [{name, ssh_url, ref, why, layout: flat|grouped}]</code>,
<code>transitive_handling.{recursive,conflict_resolution}</code>,
<code>language_specific_subtree</code>. Tooling:
<code>incorporate-submodule &lt;ssh-url&gt;</code> adds the submodule at
the parent project&#39;s canonical path (CONST-051(C)), reads
<code>helix-deps.yaml</code>, recurses for each declared dep, aborts on
conflicting refs, emits <code>&lt;root&gt;/.helix-manifest.yaml</code>
audit record.</p>
<p>Anti-bluff guarantee: every manifest paired with a Challenge that
bootstraps a throwaway consuming project, runs
<code>incorporate-submodule</code>, asserts produced layout matches the
manifest, runs the submodule&#39;s own tests against the bootstrapped
layout, captures wire evidence per §11.4.2. A manifest without this
proof is a CONST-054 violation.</p>
<p>§11.4.31 / CONST-054 is the <strong>operational complement</strong>
of CONST-051(C): nested own-org submodule chains are FORBIDDEN —
manifests are the bridge that lets consumers reconstruct the dependency
graph at the parent root.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-054</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
dependency-graph layer. See constitution submodule
<code>Constitution.md</code> §11.4.31 for the full mandate.</p>
<h2 id="const-055-post-constitution-pull-validation-mandate-cascaded-from-constitution-submodule-11432">CONST-055:
Post-Constitution-Pull Validation Mandate (cascaded from constitution
submodule §11.4.32)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;Every time we fetch and pull
new changes on constitution Submodule we MUST process the whole project
and all Submodule (deep recursively) for validation and verification
taht every single rule or mandatory constraint is followed and
respected! If it is not, IT MUST BE!&quot;</em></p>
</blockquote>
<p>Whenever a project&#39;s constitution submodule is fetched + pulled with
any content change, the project MUST run
<code>scripts/verify-all-constitution-rules.sh</code> BEFORE the new
constitution HEAD is treated as canonical for any other work. The sweep
re-runs the governance-cascade verifier AND every implementable rule
gate (CONST-053 <code>.gitignore</code> audit, CONST-051(C)
nested-own-org-chain audit, CONST-052 case audit, CONST-050(A)
mock-from-production audit, CONST-035 anti-bluff smoke, etc.) against
the post-pull tree. Failures populate the project&#39;s Issues tracker per
§11.4.15 (Status: <code>Reopened</code>, Type: <code>Bug</code>);
closure requires positive-evidence per §11.4.</p>
<p>Pull-time invocation:
<code>git submodule update --remote constitution</code> triggers the
sweep automatically (post-update hook OR commit-wrapper invocation).
Operator-explicit manual invocation also available.</p>
<p>Anti-bluff: the sweep&#39;s own meta-test (paired mutation per §1.1)
plants a known violation of each enforced gate and asserts the sweep
reports FAIL for the planted gate. A sweep that exits PASS without
running every implementable gate is a CONST-055 violation.</p>
<p>CONST-055 is the <strong>enforcement engine</strong> for every other
§11.4.x and CONST-NNN rule — without it, new rules cascade as anchors
but never get enforced.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-055</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
constitutional-enforcement layer. See constitution submodule
<code>Constitution.md</code> §11.4.32 for the full mandate.</p>
<h2 id="const-056-mandatory-install_upstreams-on-cloneadd-mandate-cascaded-from-constitution-submodule-11436">CONST-056:
Mandatory install_upstreams on clone/add Mandate (cascaded from
constitution submodule §11.4.36)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;Every Submodule or Git
repository we add or clone MUST BE upstreams installed using
Upstreamable utility which MUST BE available through exported paths of
the host system (in .bashrc or .zhrc) using install_upstreams command
executed from the root of the cloned (added) repository - only if in it
is Upstreams or upstreams directory present with bash script files
(recipes) for all repository&#39;s upstreams!&quot;</em></p>
</blockquote>
<p>Every clone / add of a Git repository under HelixCode MUST be
followed by <code>install_upstreams</code> invocation from the
repository&#39;s root IF its tree contains <code>upstreams/</code> (or
legacy <code>Upstreams/</code> per CONST-052 transition) populated with
<code>*.sh</code> recipe files. The utility (installed on operator&#39;s
<code>PATH</code> via <code>.bashrc</code>/<code>.zshrc</code>;
implementation in the constitution submodule&#39;s
<code>install_upstreams.sh</code> — already supports BOTH directory
names since constitution commit <code>45d3678</code>) reads the recipe
files, configures every declared upstream as a named git remote, and
fans out <code>origin</code> push URLs.</p>
<p>Skipping the invocation when <code>upstreams/</code> is present
silently breaks §2.1 (multi-upstream push is the norm) — the next push
lands on only one upstream. Gate
<code>CM-INSTALL-UPSTREAMS-ON-CLONE</code> + paired mutation.
Automation: the future <code>incorporate-submodule</code> per CONST-054
auto-invokes; manual invocation supported. Pre-commit check:
<code>git remote -v | grep -c push</code> reports expected count.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-056</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.36 for the full mandate.</p>
<h2 id="const-057-type-aware-closure-status-vocabulary-cascaded-from-constitution-submodule-11433">CONST-057:
Type-aware Closure-Status Vocabulary (cascaded from constitution
submodule §11.4.33)</h2>
<p>Every project tracking work items by Type per §11.4.16 MUST close
them with the Type-appropriate terminal <code>**Status:**</code> value,
drawn from this 3-element closed map:</p>
<table>
<thead>
<tr>
<th>Item <code>**Type:**</code></th>
<th>Closure <code>**Status:**</code> value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>Bug</code></td>
<td><code>Fixed (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Feature</code></td>
<td><code>Implemented (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Task</code></td>
<td><code>Completed (→ Fixed.md)</code></td>
</tr>
</tbody>
</table>
<p>The <code>(→ Fixed.md)</code> suffix is preserved across all three so
the existing migration-discipline tooling (atomic Issues.md → Fixed.md
move per §11.4.19) keeps working without per-Type branching. Generators
(<code>generate_issues_summary.sh</code>,
<code>generate_fixed_summary.sh</code>, the §11.4.23 colorizer) MUST
treat the three terminal values as semantically equivalent (all &quot;closed,
positive evidence captured&quot;) while preserving the literal in the emitted
document.</p>
<p>Closing a <code>Feature</code> with <code>Fixed (→ Fixed.md)</code>
or a <code>Task</code> with <code>Implemented (→ Fixed.md)</code> is a
CONST-057 violation. Gate <code>CM-CLOSURE-VOCAB-TYPE-AWARE</code> walks
every Fixed.md heading + every Issues.md heading whose
<code>**Status:**</code> is one of the three terminal values and asserts
the Status-Type match. Composes with §11.4.15 / §11.4.16 / §11.4.19 /
§11.4.23.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-057</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.33 for the full mandate.</p>
<h2 id="const-058-reopened-source-attribution-mandate-cascaded-from-constitution-submodule-11434">CONST-058:
Reopened-Source Attribution Mandate (cascaded from constitution
submodule §11.4.34)</h2>
<p>Every Issues.md (or equivalent project tracker) heading whose
<code>**Status:**</code> is <code>Reopened</code> MUST carry, within 8
non-blank lines of the heading, a <code>**Reopened-Details:**</code>
line capturing four sub-facts:</p>
<ul>
<li><strong>By:</strong> <code>AI</code> or <code>User</code>
(source-of-truth observer who flipped the status). <code>AI</code>
covers in-loop reopens (test failure, gate regression, captured-evidence
retrospect). <code>User</code> covers operator-side observations (manual
testing, end-user report, design reconsideration).</li>
<li><strong>On:</strong> ISO date (<code>YYYY-MM-DD</code>).</li>
<li><strong>Reason:</strong> one-line cause classification — chosen from
the closed vocabulary
<code>{ test-failed | manual-testing-detected | captured-evidence-contradicts | end-user-report | cycle-re-discovered | design-reconsidered }</code>.
Other values permitted with explicit
<code>Reason: &lt;free text&gt;</code> annotation but the closed list
MUST be tried first.</li>
<li><strong>Evidence:</strong> path to or short description of the
captured artefact justifying the reopen — log file, recording, gate
failure ID, operator quote, etc. Reopens without evidence are §11.4.6 /
§11.4.7 violations (demotion from Fixed requires captured evidence under
the conditions that re-exposed the defect).</li>
</ul>
<p>The Issues_Summary.md Status column MUST distinguish the four
<code>Reopened</code> sub-states by source so a sweep query for &quot;reopens
by AI in the last 30 days&quot; is mechanically possible. Suggested column
rendering: <code>Reopened (AI: test-failed)</code> vs
<code>Reopened (User: manual-testing)</code>. Gate
<code>CM-ITEM-REOPENED-DETAILS</code> mirrors
<code>CM-ITEM-OPERATOR-BLOCKED-DETAILS</code> (§11.4.21 walk pattern).
Composes with §11.4.6 / §11.4.7 / §11.4.15 / §11.4.21.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-058</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.34 for the full mandate.</p>
<h2 id="const-059-canonical-root-inheritance-clarity-cascaded-from-constitution-submodule-11435">CONST-059:
Canonical-Root Inheritance Clarity (cascaded from constitution submodule
§11.4.35)</h2>
<p>The <strong>constitution submodule&#39;s</strong> three files
(<code>constitution/Constitution.md</code>,
<code>constitution/CLAUDE.md</code>,
<code>constitution/AGENTS.md</code>) ARE the <strong>canonical
root</strong> (also called the <strong>parent</strong> files). They
contain only universal rules per §11.4.17.</p>
<p>The consuming project&#39;s <strong>repository-root files</strong>
(<code>&lt;project-root&gt;/CLAUDE.md</code>,
<code>&lt;project-root&gt;/AGENTS.md</code>, optionally
<code>&lt;project-root&gt;/Constitution.md</code>) are <strong>consumer
extensions</strong>. They MUST start with the inheritance pointer
(either the Claude-Code native <code>@constitution/CLAUDE.md</code>
import or the portable
<code>## INHERITED FROM constitution/CLAUDE.md</code> heading). They
contain only project-specific rules per §11.4.17.</p>
<p><strong>When in doubt about which file to edit:</strong> universal
rule → constitution submodule&#39;s file; project-specific rule → consumer&#39;s
file. Default consumer-side when uncertain (§11.4.17 — narrower scope is
cheap to widen).</p>
<p><strong>Terminology:</strong> &quot;the parent CLAUDE.md&quot; / &quot;the root
Constitution&quot; → constitution-submodule file at
<code>constitution/&lt;filename&gt;</code>; &quot;the project CLAUDE.md&quot; /
&quot;this project&#39;s AGENTS.md&quot; → consumer-side file at
<code>&lt;project-root&gt;/&lt;filename&gt;</code>.</p>
<p><strong>No silent demotion or silent promotion.</strong> Moving a
rule between layers MUST be a visible commit — <code>git mv</code> of a
section if it&#39;s a clean clone, or explicit
<code>Lifted from &lt;project&gt; to constitution per §11.4.35</code> /
<code>Demoted from constitution to &lt;project&gt; per §11.4.35</code>
commit-message annotation.</p>
<p>Gate <code>CM-CANONICAL-ROOT-CLARITY</code> verifies (a) consumer&#39;s
<code>CLAUDE.md</code> opens with the inheritance pointer, (b)
constitution submodule&#39;s three files are present at the expected path,
(c) no <code>## INHERITED FROM</code> block in the constitution
submodule&#39;s own files (those ARE the source-of-truth, not consumers).
Composes with §11.4.17.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-059</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.35 for the full mandate.</p>
<h2 id="const-060-fetch-before-edit-mandate-cascaded-from-constitution-submodule-11437">CONST-060:
Fetch-before-edit Mandate (cascaded from constitution submodule
§11.4.37)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>&quot;Make sure that
feedback_fetch_before_edit memory rule is part of our constitution
Submodule - the root Consitution, AGENTS.MD and CLAUDE.MD. Validate and
verify that Proejct-Toolkit and all Submodules do inherit all of them!
Follow the constitution Submodule documentation for details.&quot;</em></p>
</blockquote>
<p>The FIRST git-touching action of every session, on every consuming
project (owned or third-party), MUST be:</p>
<div class="sourceCode" id="cb27"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb27-1"><a href="#cb27-1" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> fetch <span class="at">--all</span> <span class="at">--prune</span></span>
<span id="cb27-2"><a href="#cb27-2" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> log <span class="at">--oneline</span> HEAD..@{u}</span>
<span id="cb27-3"><a href="#cb27-3" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> submodule foreach <span class="at">--recursive</span> <span class="st">&#39;git fetch --all --prune --quiet&#39;</span></span></code></pre></div>
<p>If <code>HEAD..@{u}</code> is non-empty, integrate the upstream
changes BEFORE any local edit. Acting on stale local state produces
three failure modes documented in the originating §11.4.37 incident
(multi-agent / parallel-session work): (1) <strong>redundant
work</strong> — the agent re-does what a parallel session already
finished, (2) <strong>false confidence</strong> — completion reports for
already-done work, (3) <strong>divergent history</strong> — duplicate
sibling commits that double the conflict surface on next push.</p>
<p><strong>Anti-bluff invariant</strong>: the fetch+log check MUST
produce captured evidence — the actual <code>HEAD..@{u}</code> output,
even if empty. Skipping the check on the basis of &quot;I just fetched&quot; or
&quot;nothing could have changed in the last N minutes&quot; is a §11.4.6
(no-guessing) violation: the remote state is not knowable without a
fetch.</p>
<p><strong>Cascade requirement</strong>: This anchor (verbatim or by
<code>CONST-060</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
parallel-session-coordination layer. See constitution submodule
<code>Constitution.md</code> §11.4.37 for the full mandate.
&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD</p>
<!-- BEGIN helix-constitution-inheritance + anti-bluff escalation -->

<h2 id="anti-bluff-end-user-quality-guarantee-escalated-via-helixconstitution">Anti-Bluff
End-User Quality Guarantee (Escalated via HelixConstitution)</h2>
<p><strong>Canonical authority:</strong>
<code>HelixConstitution/Constitution.md</code> §7.1 + §11.4.</p>
<p><strong>Forensic anchor — verbatim operator mandate
(2026-04-28):</strong></p>
<blockquote>
<p>&quot;We had been in position that all tests do execute with success and
all Challenges as well, but in reality the most of the features does not
work and can&#39;t be used! This MUST NOT be the case and execution of tests
and Challenges MUST guarantee the quality, the completition and full
usability by end users of the product! This MUST BE part of Constitution
of our project, its CLAUDE.MD and AGENTS.MD if it is not there already,
and to be applied to all Submodules&#39;s Constitution, CLAUDE.MD and
AGENTS.MD as well (if not there already)!&quot;</p>
</blockquote>
<p><strong>When writing a test in this submodule, ask:</strong> if every
line of the unit under test were replaced with a trivial stub, would
this test still pass? If yes, the test is bluff. Rewrite it to exercise
the real behaviour.</p>
<p>Every PASS MUST carry positive runtime evidence.
Consuming-project-specific evidence requirements are defined by each
consuming project&#39;s Constitution.</p>
<!-- END helix-constitution-inheritance + anti-bluff escalation -->

<p><strong>§11.4.52 — Autonomous-Validation Mandate (User mandate,
2026-05-18)</strong></p>
<p><strong>Forensic anchor — verbatim user mandate
(2026-05-18):</strong> &quot;Make sure we have full automation tests which
will do all this work in full automation! IMPORTANT: Make sure that all
existing tests and Challenges do work in anti-bluff manner — they MUST
confirm that all tested codebase really works as expected! execution of
tests and Challenges MUST guarantee the quality, the completition and
full usability by end users of the product! This MUST BE part of
Constitution of our project, its CLAUDE.MD and AGENTS.MD if it is not
there already, and to be applied to all Submodules&#39;s Constitution,
CLAUDE.MD and AGENTS.MD as well.&quot;</p>
<p>Every user-facing feature MUST have at least one autonomous
validation path: end-to-end via <code>adb shell</code> + scripted
automation, captured runtime evidence per §11.4.5, PASS/FAIL verdict
WITHOUT human presence to drive UI, observe screen, or make decisions.
Operator-attended tests are SUPPLEMENTARY, never PRIMARY. A feature
whose ONLY validation path is operator-attended is a §11.4.52 violation
— the path does not scale to CI, does not run on every commit, does not
survive operator unavailability, and produces the exact &quot;tests pass but
feature doesn&#39;t work for users&quot; failure mode §11.4 forbids.</p>
<p>Acceptable autonomous paths: (a) programmatic instrumentation APK
(SDK-API exercises like <code>MediaCodec.createDecoderByName</code> +
structured JSON result file); (b) headless intent dispatch + state poll
(<code>am start --es</code> / <code>am broadcast</code> +
<code>dumpsys</code> / <code>/proc/&lt;pid&gt;/maps</code> /
<code>media.metrics</code> polling); (c) ADB-driven uiautomator (ONLY if
hierarchy has ≥1 clickable node — empty hierarchy demands fallback to
APK/intent); (d) network-side sink probe per §11.4.13; (e) HelixQA
autonomous QA session per §11.4.27.</p>
<p>Coverage ledger (§11.4.25) classifies each feature as
<code>AUTONOMOUS_VERIFIED</code> / <code>AUTONOMOUS_DESIGNED</code> /
<code>OPERATOR_ATTENDED_ONLY</code> / <code>NOT_APPLICABLE</code>.
<code>OPERATOR_ATTENDED_ONLY</code> blocks release until migrated; cite
tracked work item per §11.4.15 + §11.4.16. Autonomous paths themselves
MUST be anti-bluff: positive captured evidence + paired meta-test
mutation per §1.1.</p>
<p>Composes with §11.4.25 (full-automation coverage), §11.4.27 (no-fakes
+ 100% type coverage), §11.4.39 (per-feature on-device end-user
validation), §11.4.43 (TDD RED-first), §11.4.48 (UI-driven — fallback to
APK/intent when uiautomator hierarchy empty), §11.4.49 (dual-approach),
§11.4.50 (deterministic consistency), §11.4.51 (live-ADB-first).</p>
<p>Pre-build gates: <code>CM-COVENANT-114-52-PROPAGATION</code> +
<code>CM-AF-AUTONOMOUS-PATH-PER-FEATURE</code>. Paired mutations. No
escape hatch — no <code>--allow-operator-attended-only</code>,
<code>--skip-autonomous-path</code>,
<code>--manual-validation-suffices</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule
Constitution.md §11.4.52.</p>
<h1 id="non-compliance-is-a-release-blocker-regardless-of-context">Non-compliance
is a release blocker regardless of context.</h1>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="const-061-pre-force-push-merge-first-mandate-cascaded-from-constitution-submodule-11441">CONST-061:
Pre-Force-Push Merge-First Mandate (cascaded from constitution submodule
§11.4.41)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-17): <em>&quot;make sure we bring
everything from branches to our side before forc push is done! Afer
everything is safely and fully merged and all potential conflicts (if
any) resolved, then do force push! make sure nothing isnlost, broken or
corrupted on bith sides! add these rules in our root Constitution,
CLAUDE.MD, AGENTS.MD (constitution Submodule) if itnis not added
already! Extremely important rules and mandatory constraints we MUST
HAVE and fully respect!&quot;</em></p>
</blockquote>
<p>Any force-push (<code>--force</code>,
<code>--force-with-lease</code>, <code>+&lt;ref&gt;</code>, equivalent
history-rewrite) authorised under CONST-043 MUST be preceded by a
mechanical 4-step merge-first pipeline:</p>
<ol type="1">
<li><strong>Fetch every remote</strong> —
<code>git fetch --all --prune --tags</code> against origin + every
upstream; capture output.</li>
<li><strong>Integrate every divergent commit locally</strong> — rebase /
merge / operator-confirmed cherry-pick per appropriate strategy for
every non-empty <code>HEAD..&lt;remote&gt;/&lt;branch&gt;</code>
range.</li>
<li><strong>Audit the integrated tree</strong> — no conflict markers
anywhere
(<code>grep -rn &#39;^&lt;&lt;&lt;&lt;&lt;&lt;&lt; \|^=======$\|^&gt;&gt;&gt;&gt;&gt;&gt;&gt; &#39;</code>
returns empty in governance + source + test files); no file silently
dropped; previously-passing tests still pass; captured-evidence
artefacts still validate.</li>
<li><strong>Force-push</strong> — only after steps 1-3 produce clean
integration evidence: <code>git push --force-with-lease</code> (NEVER
<code>--force</code> alone unless authorised per §9.2 sub-clause
6).</li>
</ol>
<p><strong>Two-gate composition with CONST-043.</strong> §11.4.41 does
NOT relax CONST-043&#39;s operator-approval requirement — it adds a SECOND
mechanical gate. CONST-043 alone authorises a push that loses remote
work; §11.4.41 alone risks pushing without operator awareness. Both
required.</p>
<p><strong>Three failure modes prevented:</strong> (a) remote-side
content loss when parallel sessions land work between fetches; (b)
stale-state acts when <code>--force-with-lease</code> reads stale local
refs without prior fetch; (c) conflict-driven corruption when markers
get committed verbatim (observed 2026-05-17 in helix_qa + containers
governance files).</p>
<p><strong>Verification artefact</strong>: every governed force-push
emits a <code>docs/changelogs/&lt;tag&gt;.md</code> &quot;Force-push
merge-first audit&quot; section capturing fetch output, per-remote divergence
log, integration strategy, conflict-marker scan, test delta, push output
with lease SHA, + CONST-043 authorisation quote. Gate
<code>CM-FORCE-PUSH-MERGE-FIRST</code> + paired mutation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-061</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
remote-data-integrity layer. See constitution submodule
<code>Constitution.md</code> §11.4.41 for the full mandate.</p>
<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD <strong>§11.4.53 — Fixed_Summary
parity mandate (User mandate, 2026-05-18)</strong></p>
<p><strong>Forensic anchor — verbatim user mandate
(2026-05-18T17:55Z):</strong> &quot;Note: Just like for Issues we have
Issues_Summary, for Fixed we MUST HAVE Fixed_Summary - like all other
docs: ALWAYS in sync and up to date and ALWAYS exported into the PDF and
HTML! Add this mandatory rule / constraint into the root (constitution
Submodule) Constitution, AGENTS.MD and CLAUDE.MD.&quot;</p>
<p><code>docs/Fixed_Summary.md</code> is the symmetric short-form
summary of <code>docs/Fixed.md</code>. MUST be regenerated whenever
<code>Fixed.md</code> changes. HTML + PDF exports MUST travel with the
markdown (identical mtimes within <code>sync_issues_docs.sh</code>
granularity). Stale exports are §11.4.53 violations regardless of
whether the underlying <code>.md</code> is correct. Same discipline as
§11.4.12 Issues_Summary applied to Fixed.md.</p>
<p>Generator: <code>scripts/testing/generate_fixed_summary.sh</code>
(canonical, executable, emits markdown table with <code>Status</code> +
<code>Type</code> columns per §11.4.19 column-alignment). Auto-sync
wrapper: <code>scripts/testing/sync_issues_docs.sh</code> regenerates
BOTH summaries in one shot, exports HTML + PDF, colorizes per §11.4.23,
re-renders PDFs. MUST be invoked after any edit to
<code>Fixed.md</code>. No <code>--issues-only</code> flag exists, and
§11.4.53 prohibits adding one.</p>
<p>Sort order: closure date DESC (most-recent-Fixed first), §-letter /
Fix-# secondary. Documented at the top of the generated file.</p>
<p>Composes with §11.4.12 (Issues_Summary sibling — canonical pair),
§11.4.19 (atomic Issues→Fixed migration trigger + column-alignment),
§11.4.23 (colorizer post-processes both summaries), §11.4.33 (type-aware
closure vocabulary — Fixed_Summary respects
<code>Fixed (→ Fixed.md)</code> / <code>Implemented (→ Fixed.md)</code>
/ <code>Completed (→ Fixed.md)</code> terminal values), §11.4.44
(revision header applies to <code>Fixed_Summary.md</code>), §12.10
(CONTINUATION.md resumption guarantee).</p>
<p>Pre-build gates: <code>CM-FIXED-SUMMARY-SYNC</code> (6 invariants —
Fixed_Summary exists + HTML/PDF mtime ≥ md mtime + Fixed_Summary mtime ≥
Fixed mtime + generator + sync wrapper invokes generator) +
<code>CM-COVENANT-114-53-PROPAGATION</code> (anchor literal across
canonical files). Paired mutations strip the anchor literal AND move the
generator aside AND backdate Fixed_Summary mtime. No escape hatch — no
<code>--skip-fixed-summary-sync</code>, <code>--issues-only</code>,
<code>--summary-not-applicable</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule
Constitution.md §11.4.53.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.58 — Parallel-development methodology (User mandate,
2026-05-19)</strong></p>
<p>Project work proceeds through the <strong>Parallel Work Unit (PWU)
pipeline</strong> rather than sequential Phase-chain. Each PWU has:
ATM-NNN identifier (§11.4.54), Issues.md entry (§11.4.15+§11.4.16),
file-scope manifest, §11.4.43 RED test, source patch, pre-build gate,
post-flash test, paired §1.1 meta-test mutation, HelixQA Challenge bank
entry, captured-evidence directory (§11.4.5+§11.4.52).</p>
<p><strong>5-stage pipeline:</strong> Stage 1 DEVELOP (parallel PWU
agents in worktrees) → Stage 2 MERGE (serial conductor + §11.4.41 4-step
merge-first) → Stage 3 REBUILD+FLASH (parallel where hardware allows) →
Stage 4 VALIDATE (parallel D3+D4+meta-test+coverage) → Stage 5 SWEEP
(parallel HelixQA + Fixed.md migration + README refresh). Stage 1 of
round N+1 overlaps with Stages 4-5 of round N.</p>
<p><strong>Synchronization:</strong> 4-layer lock hierarchy (parent
flock / per- submodule git / contention-path advisory locks for 10
forbidden cross- PWU paths / per-PWU worktree). Disjoint-scope PWUs
fully parallel.</p>
<p><strong>Anti-bluff merge-time enforcement (mandatory, all
four):</strong> C1 §11.4.43 RED-test captured. C2 §1.1 paired meta-test
mutation FAILs the gate. C3 §11.4.50 3-iter (or 10-iter)
deterministic-consistency. C4 §11.4.5 captured-evidence per feature
type. Metadata-only / configuration-only / absence-of-error /
grep-without-runtime PASS REJECTED. HelixQA Challenge bank coverage
MANDATORY for every user- visible PWU.</p>
<p><strong>Phase 39.EX infrastructure gates (5 gates land the parallel
infrastructure itself):</strong>
<code>CM-PWU-PARALLEL-VALIDATION-ORCHESTRATOR</code>,
<code>CM-PWU-HELIXQA-PER-DOMAIN-RUNNER</code>,
<code>CM-PWU-WORKER-POOL-LOCKING</code>,
<code>CM-PWU-FILE-SCOPE-PARTITION</code>,
<code>CM-PWU-AUTO-MERGE-GATE-6CONDITIONS</code>. Each ships a paired
meta-test mutation per §1.1.</p>
<p>Pre-build gates <code>CM-PWU-LOCK-HIERARCHY</code> +
<code>CM-PWU-ANTI-BLUFF-COVERAGE</code></p>
<ul>
<li><code>CM-PWU-MERGE-QUEUE-DISCIPLINE</code> +
<code>CM-PWU-PARALLEL-AGENT-LIMIT</code> +
<code>CM-COVENANT-114-58-PROPAGATION</code>. Paired mutations cover each
gate. No escape hatch.</li>
</ul>
<p>Canonical authority: constitution submodule <a href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.58. Project-specific implementation reference: <a href="docs/guides/PARALLEL_DEVELOPMENT_METHODOLOGY.md"><code>docs/guides/PARALLEL_DEVELOPMENT_METHODOLOGY.md</code></a>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.65 — Universal Markdown export mandate (User mandate,
2026-05-19)</strong></p>
<p>Every Markdown document inside the project that is NOT part of an
application or service&#39;s source-code tree MUST have synchronized
<code>.html</code> and <code>.pdf</code> siblings. Includes:
project-root <code>*.md</code>, <code>docs/**/*.md</code>,
<code>scripts/**/*.md</code> (doc-format companion docs),
owned-submodule top-level README.md / CLAUDE.md / AGENTS.md /
CHANGELOG.md and their <code>docs/**/*.md</code>,
<code>constitution/**/*.md</code>, owned HelixQA submodules&#39;
equivalents. Excludes: <code>external/**</code>,
<code>prebuilts/**</code>, <code>packages/modules/**</code>,
<code>kernel-5.10/**</code>, <code>out/**</code>, <code>build/**</code>,
application/service source-code trees, and third-party submodules NOT in
the owned set. Every edit triggers regeneration via
<code>scripts/testing/sync_all_markdown_exports.sh</code> (pandoc HTML +
weasyprint PDF, <code>timeout 60</code> per file, capped at 500
candidates). HTML + PDF mtime MUST be ≥ source <code>.md</code> mtime at
all times.</p>
<p>Pre-build gates <code>CM-UNIVERSAL-MARKDOWN-EXPORT-SYNC</code> +
<code>CM-COVENANT-114-65-PROPAGATION</code>. Paired meta-test mutations.
Composes with §11.4.12 / §11.4.18 / §11.4.23 / §11.4.44 / §11.4.45 /
§11.4.53 / §11.4.59 / §11.4.60 / §11.4.63 / §11.4.64. No escape hatch —
no <code>--skip-md-exports</code>, <code>--no-pdf-only</code>,
<code>--md-export-not-applicable</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.65.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.66 — Blocker-resolution interactive-clarification
mandate (User mandate, 2026-05-19)</strong></p>
<p>When any task is blocked (operator decision, hardware access,
external authorization, ambiguous scope), the agent MUST: (1) research
what&#39;s doable from the agent side without operator input; (2) calculate
minimum-viable operator input; (3) construct 2–4 mutually-exclusive
options with one marked &quot;Recommended&quot; and each stating what the agent
does after that answer; (4) present via the platform&#39;s interactive
question mechanism (<code>AskUserQuestion</code> on Claude Code) — NEVER
free-text &quot;what would you like?&quot; for closed- set decisions; (5) after
the answer, resume work without follow-up round-trips. Composes with
§11.4.6 / §11.4.7 / §11.4.40 / §11.4.41 / §11.4.42 / §11.4.52. No silent
waiting; no bulk-text questions when interactive options would do.</p>
<p>Pre-build gate <code>CM-COVENANT-114-66-PROPAGATION</code> enforces
the anchor literal across the 42-file consumer fleet. Paired meta- test
mutation strips the literal → gate FAILs. No escape hatch — no
<code>--skip-ask</code>, <code>--silent-wait</code>,
<code>--free-form-only</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.66.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.67 — Shell-script target-shell-parseability mandate
(User mandate, 2026-05-19)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-19):</strong> &quot;any issue we spot must be fixed, bash scripts as
well if they are broken!&quot;</p>
<ul>
<li>&quot;Make sure that this is mandatory rule!&quot;</li>
</ul>
<p>Every shell script that may be invoked under a target shell other
than the one in its shebang MUST parse cleanly under that target shell.
Forensic incident:
<code>device/rockchip/rk3588/tests/test_all_fixes.sh:114</code> used
bash-only <code>exec &gt; &gt;(tee -a &quot;$f&quot;) 2&gt;&amp;1</code> on a
<code>sh script.sh</code> callsite — Android mksh parses the whole
script BEFORE executing, so the runtime
<code>[ -n &quot;${BASH_VERSION:-}&quot; ]</code> guard could not save it. Fixed
by wrapping in <code>eval &#39;exec &gt; &gt;(tee …) 2&gt;&amp;1&#39;</code> so
the parser sees only a string.</p>
<p>Closed-set scope: every tracked <code>.sh</code> under
<code>device/rockchip/rk3588/tests/</code>, <code>scripts/</code>,
<code>scripts/testing/</code> (and equivalent paths in owned
submodules). OUT of scope: <code>external/</code>,
<code>prebuilts/</code>, <code>packages/modules/</code>,
<code>kernel-5.10/</code>, <code>out/</code>, <code>build/</code>,
<code>scripts/legacy/</code>. Mandatory invariants: (1) every in-scope
script parses under <code>sh -n</code>; (2) bash-only constructs
(<code>&gt;(...)</code>, <code>&lt;(...)</code>, <code>[[ ]]</code>,
<code>&lt;&lt;&lt;</code>, arrays, <code>${var^^}</code>, etc.) MUST be
wrapped in <code>eval</code> OR guarded by bash-only loading; (3)
shebangs honest — <code>#!/bin/bash</code> only if bash actually
expected; (4) fix at source per §11.4.1, never at callsites. Composes
with §11.4.1 / §11.4.4 / §11.4.6 / §11.4.50 / §11.4.51.</p>
<p>Pre-build gate <code>CM-SCRIPT-TARGET-SHELL-PARSEABLE</code> runs
<code>sh -n</code> on every in-scope script. Propagation gate
<code>CM-COVENANT-114-67-PROPAGATION</code> enforces the anchor literal
across the 44-file consumer fleet. Paired mutations: inject bash-only
outside <code>eval</code> → parse gate FAILs; strip <code>11.4.67</code>
literal → propagation gate FAILs. No escape hatch — no
<code>--skip-parseability-check</code>, <code>--bash-only-script</code>,
<code>--runtime-guard-suffices</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.67.</p>
<h1 id="non-compliance-is-a-release-blocker-regardless-of-context-1">Non-compliance
is a release blocker regardless of context.</h1>
<h2 id="const-068-shell-script-target-shell-parseability-mandate-cascaded-from-constitution-submodule-11467">CONST-068:
Shell-script target-shell-parseability mandate (cascaded from
constitution submodule §11.4.67)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-19): <em>&quot;any issue we spot must be
fixed, bash scripts as well if they are broken!&quot;</em> + <em>&quot;Make sure
that this is mandatory rule!&quot;</em></p>
</blockquote>
<blockquote>
<p>Verbatim 2026-05-19 operator mandate: <em>&quot;all existing tests and
Challenges do work in anti-bluff manner - they MUST confirm that all
tested codebase really works as expected! We had been in position that
all tests do execute with success and all Challenges as well, but in
reality the most of the features does not work and can&#39;t be used! This
MUST NOT be the case and execution of tests and Challenges MUST
guarantee the quality, the completition and full usability by end users
of the product!&quot;</em></p>
</blockquote>
<p>Every committed shell script MUST be parseable by its target
interpreter (<code>sh -n</code> for <code>/bin/sh</code>,
<code>bash -n</code> for <code>/bin/bash</code>, etc.) AND MUST declare
a shebang matching its actual syntax usage. Bash-only constructs
(<code>&gt;(...)</code>, <code>&lt;(...)</code>, <code>[[ ]]</code>,
<code>&lt;&lt;&lt;</code>, arrays, <code>${var^^}</code>, etc.) used in
scripts that may be invoked via <code>sh script.sh</code> MUST be
wrapped in <code>eval</code> so the parser sees only a string (target
shells like mksh parse the entire script before executing — runtime
guards cannot save a parse-time rejection). Honest shebangs only:
<code>#!/bin/bash</code> only if bash actually expected;
<code>#!/bin/sh</code> requires POSIX-clean body. Fix at source per
§11.4.1, never at callsites. Composes with §11.4.1 / §11.4.4 / §11.4.6 /
§11.4.50 / §11.4.51. Pre-build gate
<code>CM-SCRIPT-TARGET-SHELL-PARSEABLE</code> runs <code>sh -n</code> on
every in-scope script. No escape hatch — no
<code>--skip-parseability-check</code>, <code>--bash-only-script</code>,
<code>--runtime-guard-suffices</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-068</code> ID reference) MUST appear in every owned
submodule&#39;s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.67 for the full mandate.</p>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="11468--positive-sink-side--downstream-evidence-mandate-cascaded-from-constitution-submodule-11468">§11.4.68
— Positive Sink-Side / Downstream Evidence Mandate (cascaded from
constitution submodule §11.4.68)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;We still do not hear any
audio played from D3 device! Arvus Web Dashboard when we play music from
D3 shows nothing for Codec In Use! This MUST BE investigated and fixed!
How come we passed the tests with Arvus validation? What were values for
the Codec In Use field? Empty means nothing! This is not working! It
MUST BE FIXED, TESTED AND VERIFIED WITH FULL AUTOMATION TESTING
ASAP!!!&quot;</em></p>
</blockquote>
<p>A test that asserts audio or video routing PASS MUST capture and
verify <strong>positive sink-side or downstream evidence</strong> —
never config-only, never metadata-only, never PCM-open-state-only. At
least one of the closed enumeration MUST be captured for every
audio/video routing PASS: (1) sink-side codec-state with non-empty
Codec-In-Use matching the expected codec regex; (2) strictly-positive
PCM frames-written delta from
<code>/proc/asound/.../status hw_ptr</code>; (3) ALSA ELD/EDID-Like-Data
showing negotiated channel count + format; (4) ffprobe-on-captured-mp4
with non-zero frame count + expected codec/resolution/fps; (5)
recording-analyzer event match per §11.4.2/§11.4.5; (6) tinycap RMS
amplitude above the line-level floor. Empty /
<code>&lt;unreachable&gt;</code> / <code>&lt;N.E.&gt;</code> /
<code>&lt;None&gt;</code> placeholders are NOT positive evidence; a
missing-but-required sink is <code>OPERATOR-BLOCKED</code>
(release-blocker), never SKIP, never PASS. No escape hatch — no
<code>--skip-sink-evidence</code>, <code>--allow-empty-codec</code>,
<code>--sink-unreachable-is-pass</code>,
<code>--metadata-only-suffices</code> flag exists.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.68</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
sink-side-evidence layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.68 for the
full mandate.</p>
<p>&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD <strong>§11.4.69 — Universal
sink-side positive-evidence taxonomy + mechanical enforcement (User
mandate, 2026-05-20)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-20):</strong></p>
<blockquote>
<p>&quot;THIS MUST HAPPEN NEVER AGAIN!!! We MUST HAVE this all working! Not
just for audio but for every single piece of the System!!! Proper full
automation when executed with success MUST MEAN that manual testing will
be as much positive at least regarding the success results! ... Solution
MUST BE universal, generic that solves working flows for all System
components and for all future and all existing projects! ... Everything
we do MUST BE validated and verified with rock-solid proofs and
anti-bluff policy enforcement and fulfillment!&quot;</p>
</blockquote>
<p>Universal generalisation of §11.4.68 (audio-specific) across every
user-visible feature class. Closes the PASS-bluff pattern where tests
reported green while end users hit broken features (2026-05-19→20 D3
audio &quot;82/84 PASS&quot; + empty Arvus Codec-In-Use).</p>
<p><strong>The mandate.</strong> Every user-visible feature MUST map to
one entry in the closed-set §11.4.69 sink-side evidence taxonomy
(audio_output, audio_input, video_display, network_throughput,
network_connectivity, bluetooth_a2dp, bluetooth_pair, touch_input,
sensor, gpu_render, storage_read, storage_write, mediacodec_decode,
mediacodec_encode, miracast, cast, boot_service, package_install,
permission_grant, wifi_link, wifi_throughput, ethernet_link,
display_topology, drm_playback, subtitle_render — open to additions).
Every PASS for a feature in the taxonomy MUST cite a captured-evidence
artefact path matching the required evidence shape.</p>
<p><strong>Helper contracts (additive during grace; mandatory after
2026-06-19):</strong></p>
<ul>
<li><code>ab_pass_with_evidence &lt;description&gt; &lt;evidence_path&gt;</code>
— the new canonical PASS helper. Verifies path exists AND non-empty;
emits
<code>PASS: &lt;description&gt; [evidence: &lt;path&gt;]</code>.</li>
<li><code>ab_skip_with_reason &lt;description&gt; &lt;closed-set-reason&gt;</code>
— reasons: <code>geo_restricted</code>, <code>operator_attended</code>,
<code>hardware_not_present</code>, <code>topology_unsupported</code>,
<code>network_unreachable_external</code>,
<code>feature_disabled_by_config</code>. Forbids
<code>network_unreachable_external</code> for any taxonomy feature with
a sink-side probe.</li>
<li>Bare <code>ab_pass</code> deprecated — WARN pre-grace, FAIL
post-grace (2026-06-19).</li>
</ul>
<p><strong>Mechanical enforcement.</strong> Three pre-build gates +
three paired §1.1 meta-test mutations:</p>
<ul>
<li><code>CM-SINK-EVIDENCE-PER-FEATURE</code> — walks tests for
<code># §11.4.69 FEATURE: &lt;class&gt;</code> annotation + verifies
taxonomy probe + <code>ab_pass_with_evidence</code> use.</li>
<li><code>CM-NO-FAIL-OPEN-SKIP</code> — audits sink-side probe helpers;
FAILs if any code path converts empty/unreachable response to
PASS-counting SKIP for a feature class with a sink-side probe.</li>
<li><code>CM-AB-PASS-WITH-EVIDENCE-EVERYWHERE</code> — pre-grace WARN,
post- grace FAIL on bare <code>ab_pass</code> calls.</li>
</ul>
<p><strong>Composes with</strong> §11.4.1 (FAIL-bluffs forbidden),
§11.4.2 (recorded-evidence), §11.4.5 (audio + video 5-layer quality),
§11.4.6 (no-guessing), §11.4.13 (sink-side captured-evidence), §11.4.27
(no-fakes-beyond-unit), §11.4.50 (deterministic consistency), §11.4.52
(autonomous-validation), §11.4.68 (audio-specific sink-side — §11.4.69
is the universal generalisation).</p>
<p><strong>No escape hatch</strong> — no <code>--skip-evidence</code>,
<code>--config-only-pass</code>, <code>--allow-fail-open-skip</code>,
<code>--legacy-ab-pass-permitted</code> flag. The discipline exists
because the 2026-05-20 forensic incident demonstrated the failure: tests
reported audio-routing PASS while the user heard nothing and the Arvus
Codec-In-Use field was empty.</p>
<p>Propagation gate <code>CM-COVENANT-114-69-PROPAGATION</code> enforces
this anchor literal across the ~44-file consumer fleet. Paired mutation
strips the literal → gate FAILs.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.69.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p>=======</p>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="11470--subagent-driven-execution-is-the-default-cascaded-from-constitution-submodule-11470">§11.4.70
— Subagent-Driven Execution Is The Default (cascaded from constitution
submodule §11.4.70)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;Always do if possible
Subagent-driven! Add this into our root (constitution Submodule)
Constitution.md, CLAUDE.md and AGENTS.md. This should be the default
choice ALWAYS!&quot;</em></p>
</blockquote>
<p>When executing implementation plans (or any task-decomposed execution
flow), the <strong>default execution model is subagent-driven</strong>
per <code>superpowers:subagent-driven-development</code>. Inline
execution is permitted ONLY when (a) the task is trivial AND fits a
single sub-300-line edit, OR (b) the operator explicitly requests inline
at brainstorm-handoff time. Subagent-driven is the default because it
gives isolated context per task, naturally enforces two-stage review, is
parallel-PWU compatible (§11.4.58), creates an anti-bluff seam (§11.4),
and survives operator absence. No escape hatch —
<code>--inline-execution-required</code>, <code>--no-subagents</code>,
<code>--monolithic-execution</code> are NOT permitted flags. Skipping
subagent-driven for non-trivial work without recorded operator
authorisation is itself a §11.4 PASS-bluff.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.70</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
execution-model layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.70 for the
full mandate.</p>
<h2 id="11471--pre-push-fetch--investigate--integrate-mandate-cascaded-from-constitution-submodule-11471">§11.4.71
— Pre-Push Fetch + Investigate + Integrate Mandate (cascaded from
constitution submodule §11.4.71)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;before pushing changes to
any upstream for any repository - main repo or Submodule, we MUST fetch
and pull all changes. Once these are obtained WE MUST investigate what
is different compared to head position we were on last time before
fetching and pulling new changes! We MUST understand what is done and
for what purpose, easpecially how that does affect our project and our
System in general! Any mandatory changes or improvements required by
fresh changes we just have brough in MUST BE incorporated, covered with
all supported types of the tests which will produce as a result of its
success execution REAL PROOFS of working for all componetns and
functionalities covered and work fully in anti-bluff manner!&quot;</em></p>
</blockquote>
<p>The everyday-push variant of §11.4.41. EVERY push (every repository —
main + every submodule) MUST follow the 5-step cycle: (1) fetch all
remotes (<code>git fetch --all --prune --tags</code>, capture stdout);
(2) pull all upstream branches whose tip differs, resolving conflicts
per consumer judgment (never
auto-<code>--ours</code>/<code>--theirs</code>); (3) investigate the
diff vs OUR previous HEAD — read EVERY foreign commit&#39;s body, understand
what/why/how-it-affects-our-system; (4) integrate mandatory changes with
§11.4.4(b) four-layer coverage + §11.4.43 TDD-fix discipline, every PASS
carrying §11.4.5 captured-evidence (REAL PROOFS, not metadata-only); (5)
only then push, verifying with <code>git ls-remote</code> post-push. No
escape hatch — no <code>--skip-fetch</code>,
<code>--no-investigate</code>, <code>--fast-push</code>,
<code>--trust-upstream</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.71</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
push-discipline layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.71 for the
full mandate.</p>
<h2 id="11472--audio-top-priority-mandate-cascaded-from-constitution-submodule-11472">§11.4.72
— Audio Top-Priority Mandate (cascaded from constitution submodule
§11.4.72)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;Make sure all fixes for
audio are always top priority in main working stream!&quot;</em></p>
</blockquote>
<p>The conductor (main working stream — Claude Code session, AI agent,
or human operator) MUST treat audio fixes as the highest-priority class
on the serial dispatch queue. Any time the conductor faces a choice
between dispatching an audio task vs a non-audio task on the SAME serial
resource, the audio task wins. Parallel BACKGROUND subagents (research,
refactors, infrastructure documentation) MAY run concurrently with audio
work but do NOT preempt audio on the main-stream serial dispatch queue.
No escape hatch — there is no &quot;but this non-audio task is faster&quot; or
&quot;but this research is more interesting&quot; override; audio-stack
regressions are user-perceptible and high-impact while research and
refactors can wait.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.72</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a process violation at
the dispatch-priority layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.72 for the
full mandate.</p>
<h2 id="11473--main-specification-document-versioning--revision-discipline-cascaded-from-constitution-submodule-11473">§11.4.73
— Main-Specification Document Versioning + Revision Discipline (cascaded
from constitution submodule §11.4.73)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;Make sure everything we add
now in previous and upcoming requests IS ALWAYS applied to the main
specification — if we have one. Since all these are not major changes we
could increase Specification version per change for secondary version
instead of the primary. Primary version MUST BE increased for much
bigger levels of changes! Add this into root (constitution Submodule)
Constitution.md, CLAUDE.md and AGENTS.md as mandatory rule / constraint
applicable ONLY IF we have something like the main specification
document or we do recognize something like the main specification
document. Document MUST BE updated ALWAYS to follow the versioning rules
we are appling here + revision and other properties we have!&quot;</em></p>
</blockquote>
<p>Applies <strong>only when a project recognises a main specification
document</strong>. When it does: (1) every additive operator
requirement, refinement, or accepted recommendation MUST be applied to
the spec before or as part of the implementing work; (2) spec versioning
has two axes — <em>primary</em> (V1/V2/V3, bumped for major rewrites by
explicit operator decision, old versions archived) and
<em>secondary</em> (the §11.4.61 metadata-table <code>Revision</code>
integer, bumped for every other change); (3) the metadata table MUST
stay current (<code>Revision</code>, <code>Last modified</code>,
<code>Status summary</code>, <code>Fixed</code>); (4) propagated copies
of the rule MUST reference the active
<code>specification.V&lt;primary&gt;.md</code>, not a stale archive; (5)
on primary bump the old file moves to
<code>&lt;spec-dir&gt;/archive/</code> with
<code>Status: superseded</code>. Classification: universal, applicable
conditionally per the scope condition.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.73</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a release blocker when a
project has a main spec and lets it drift. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.73 for the full mandate.</p>
<h2 id="11474--submodule-catalogue-first-discovery--extend-dont-reimplement-cascaded-from-constitution-submodule-11474">§11.4.74
— Submodule-Catalogue-First Discovery + Extend-Don&#39;t-Reimplement
(cascaded from constitution submodule §11.4.74)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;We MUST ALWAYS check which
already developed features / functionalities do exist as a part of our
comprehensive Submodules catalogue located in vasic-digital and
HelixDevelopment organizations on GitHub and GitLab both! Project MUST
BE aware of all its existence so we do not implement same things
multiple times if they are already done as some of existing universal,
reusable general development purpose Submodules! For any missing
features that some Submodules we incorporate may be missing we MUST
IMPLEMENT the properly and extend those Submodules furter! We do control
all of the and we CAN and MUST maintain and extend the regularly! All
development cycle rules we have MUST BE applied to them and fully
respected!&quot;</em></p>
</blockquote>
<p>Before scaffolding ANY new module, package, helper, or utility, the
contributor (human or AI agent) MUST: (1) survey the canonical Submodule
catalogue — <code>vasic-digital</code> and <code>HelixDevelopment</code>
on both GitHub AND GitLab; (2) inventory existing Submodules; (3) reuse
before reimplement — if a Submodule provides the functionality (or 80%+
of it), add it as a Git submodule rather than write fresh; (4) extend
in-place when 80%+ matches but features are missing — add the missing
features TO THAT SUBMODULE (PR upstream + bump pointer), never as a
duplicating consuming-project helper; (5) apply all development-cycle
rules to those Submodules; (6) document the survey result in the
feature&#39;s tracker entry with a <code>Catalogue-Check:</code> field
(<code>reuse &lt;org/repo&gt;@&lt;sha&gt;</code> /
<code>extend &lt;org/repo&gt;@&lt;sha&gt;</code> /
<code>no-match &lt;date&gt;</code>). Classification: universal.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.74</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a process violation;
duplicate implementations landed without catalogue check are release
blockers. <strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.74 for the full mandate.
&lt;&lt;&lt;&lt;&lt;&lt;&lt; HEAD</p>
<p><strong>§11.4.85 — Stress + Chaos Test Mandate (User mandate,
2026-05-24)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-24):</strong></p>
<blockquote>
<p>&quot;Every fix or improvement you do MUST BE covered with full automation
stress and chaos tests so we are sure nothing can break the
functionality and all edge cases are monitored and polished and
additionally fixed if that is needed! Everything must produce rock solid
proofs and follow fully no-bluff policy!&quot;</p>
</blockquote>
<p>Every fix or improvement landed in this project MUST ship with
full-automation <strong>stress</strong> AND <strong>chaos</strong> test
suites that exercise edge cases, sustained load, concurrent contention,
and failure-injection. Happy-path coverage alone is a §11.4 / §107
PASS-bluff at the resilience layer.</p>
<p><strong>Stress</strong> (closed-set, mechanically auditable):
sustained load (N ≥ 100 iterations OR ≥ 30 s wall-clock; per-iteration
latency p50/p95/p99 recorded) + concurrent contention (N ≥ 10 parallel
invocations; no deadlock, no resource leak) + boundary conditions (empty
/ max / off-by-one input; every boundary produces a categorised result,
never an uncaught exception).</p>
<p><strong>Chaos</strong> (closed-set, applied per fix-class
appropriateness): process-death injection (kill primary or upstream
mid-call; categorised recovery) + network-fault injection
(drop/delay/reorder; <code>category=network|upstream</code> per
§11.4.69) + input-corruption injection (corrupt .env / config / input
file mid-test; detected + reported) + resource-exhaustion injection
(disk full, OOM, FD exhaustion; refuse cleanly OR degrade gracefully —
NEVER crash) + state-corruption injection (mid-flight lock loss,
partial-write fault; recovery restores consistent state).</p>
<p>Anti-bluff (mandatory). Every stress + chaos test PASS cites a
captured-evidence artefact path per §11.4.5 + §11.4.69 (per-iteration
<code>latency.json</code>, <code>categorised_errors.txt</code>,
<code>state_delta_snapshot.json</code>,
<code>recovery_trace.log</code>). Helper library
<code>stress_chaos.sh</code> provides <code>ab_stress_run</code>,
<code>ab_stress_concurrent</code>,
<code>ab_chaos_kill_pid_during</code>,
<code>ab_chaos_drop_network_during</code>,
<code>ab_chaos_corrupt_file_during</code>,
<code>ab_chaos_oom_pressure_during</code>,
<code>ab_chaos_disk_full_during</code>, each composing with
<code>ab_pass_with_evidence</code> / <code>ab_skip_with_reason</code>.
Chaos-injection cleanup is non-negotiable — corrupt-restore,
disk-fill-cleanup, process-restart MUST run in
<code>trap &#39;...&#39; EXIT</code>; cleanup failure = §11.4.14 violation.</p>
<p>4-layer coverage per §11.4.4(b): pre-build gate (stress + chaos test
files exist + executable + parseable under sh -n + bash -n per §11.4.67;
helper library exists; the fix&#39;s pre-build gate cites the stress + chaos
test file path) + paired meta-test mutation per §1.1 (stripping
chaos-injection or per-iteration evidence capture → gate FAILs) +
on-device test (if LIVE_ADB_TESTABLE per §11.4.51, dispatched against
real device, evidence under
<code>qa-results/&lt;run-id&gt;/stress_chaos/</code>) + HelixQA
Challenge entry (if user-visible feature per §11.4.4(b) layer 4).</p>
<p>Composes with §11.4 / §107 (resilience IS end-user quality), §11.4.1
(FAIL-bluffs forbidden), §11.4.5 (captured-evidence quality applies to
latency distribution + error categories), §11.4.6 (no guessing —
categorised errors only), §11.4.43 (TDD RED-first under load/chaos),
§11.4.50 (N iterations identical exit + identical evidence-hashes),
§11.4.52 (autonomous validation), §11.4.69 (universal sink-side
positive-evidence taxonomy), §11.4.83 (recovery transcripts ARE
end-user-channel proofs).</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.85.</p>
<p>Non-compliance is a release blocker regardless of context. No escape
hatch — no <code>--skip-stress</code>, <code>--no-chaos</code>,
<code>--happy-path-suffices</code>, <code>--stress-test-later</code>
flag exists.</p>
<p><strong>§11.4.87 — Endless-loop autonomous work + zero-idle agent
dispatch + anti-bluff testing mandate (User mandate,
2026-05-26)</strong></p>
<p>When operator instructs an AI agent to &quot;continue in endless loop
fully autonomously&quot; (or semantically-equivalent), the agent MUST treat
as HARD-CONTRACT covenant covering five obligations: (A) continue until
<code>docs/Issues.md</code> non-terminal Status entries = 0 AND
<code>docs/CONTINUATION.md</code> §3 Active work empty AND no subagent
in-flight AND no external dep in-flight; (B) dispatch background
subagents for parallelisable work — main + subagents concurrent,
&quot;waiting for results&quot; is the ONLY idle reason; (C) every closure lands
four-layer test coverage per §11.4.4(b) with captured-evidence &quot;physical
proofs&quot; (tinycap WAV + RMS / screen recording + ffprobe / dumpsys +
sink-probe / uiautomator dump / sysfs snapshots) — metadata-only /
config-only / absence-of-error / grep-without-runtime PASS are critical
defects; (D) §11.4 anti-bluff covenant family operative end-to-end
(tests AND HelixQA Challenges bound equally per forensic anchor &quot;tests
pass but features don&#39;t work&quot;); (E) loop terminates ONLY on
all-conditions-met, explicit operator STOP, host-safety demand (§12
family), or scheduled wake on known-future-actionable signal.</p>
<p>Composes with §11.4 / §11.4.1 / §11.4.2 / §11.4.4 / §11.4.5 / §11.4.6
/ §11.4.7 / §11.4.20 / §11.4.27 / §11.4.42 / §11.4.43 / §11.4.50 /
§11.4.52 / §11.4.58 / §11.4.68 / §11.4.69 / §11.4.70 / §11.4.83 /
§11.4.85 / §11.4.86 / §12.10. Pre-build gate
<code>CM-COVENANT-114-87-PROPAGATION</code> + paired §1.1 mutation.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a href="Constitution.md"><code>Constitution.md</code></a> §11.4.87.</p>
<h1 id="non-compliance-is-a-release-blocker-regardless-of-context-no-escape-hatch----idle-ok---skip-endless-loop---bluff-permitted-for-this-task---metadata-only-test-suffices---no-physical-proof-required-are-forbidden-flags">Non-compliance
is a release blocker regardless of context. No escape hatch —
<code>--idle-OK</code>, <code>--skip-endless-loop</code>,
<code>--bluff-permitted-for-this-task</code>,
<code>--metadata-only-test-suffices</code>,
<code>--no-physical-proof-required</code> are FORBIDDEN flags.</h1>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>9f5637d2d695cd5fcf8349d1f1b8bf780fa5d865</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<h2 id="11475--mechanical-enforcement-without-exception-cascaded-from-constitution-submodule-11475">§11.4.75
— Mechanical Enforcement Without Exception (cascaded from constitution
submodule §11.4.75)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;Why do these violations
still happen!? This is a serious problem! We cannot rely on stability
nor consistency if we cannot respect our Constitution, mandatory rules
and constraints! Is there a way to make this always respected, followed
and applied without exception fully and unconditionally!? WE MUST HAVE
THIS WORKING FLAWLESSLY!!! Do investigate the root causes of such
problems! Once all problems are identified WE MUST apply proper
mechanisms for this not to happen NEVER EVER AGAIN!&quot;</em></p>
</blockquote>
<p>The §11.4 covenant historically relied on agent + operator vigilance;
three 2026-05-19→20 forensic incidents proved that late-binding
enforcement fires hours-to-days after the violator commit reaches every
remote. §11.4.75 closes the gap with FIVE independent mechanical
enforcement layers — bypassing any single layer does not bypass the
discipline: (1) local <code>pre-commit</code> git hook (refuses staged
<code>.md</code> lacking sibling <code>.html</code>+<code>.pdf</code>);
(2) <code>commit_all.sh</code> integration
(<code>_constitution_sibling_check</code> +
auto-<code>sync_all_markdown_exports.sh</code> self-repair); (3) local
<code>pre-push</code> git hook (re-runs siblings + propagation-gate
subset); (4) <code>post-commit</code> auto-repair hook (auto-generates
orphan-<code>.md</code> siblings, idempotent + recursion-guarded); (5)
local-only final-gate ritual (remote CI DISABLED per User mandate —
operator runs <code>pre_build_verification.sh</code> + meta-test before
every tag per §11.4.40). Helper contracts:
<code>scripts/install_git_hooks.sh</code>,
<code>scripts/git_hooks/{pre-commit,pre-push,post-commit,commit-msg}</code>,
<code>_constitution_sibling_check</code>. The <code>commit-msg</code>
hook enforces a <code>Bypass-rationale: &lt;reason&gt;</code> footer
when <code>--no-verify</code> is detected;
<code>docs/audit/bypass_events.md</code> accumulates the audit trail.
Five gates with paired §1.1 mutations:
<code>CM-COVENANT-114-75-PROPAGATION</code>,
<code>CM-GIT-HOOKS-INSTALL-SCRIPT</code>,
<code>CM-GIT-HOOKS-SOURCE-DIR</code>,
<code>CM-COMMIT-ALL-SIBLING-CHECK</code>,
<code>CM-CI-WORKFLOW-PRESENT</code>. No escape hatch — no
<code>--skip-hooks</code>, <code>--bypass-enforcement</code>,
<code>--allow-orphan-md</code>, <code>--ci-not-applicable</code>,
<code>--mechanical-enforcement-not-needed</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.75</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-75-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Severity-equivalent to a §11.4 PASS-bluff at the
enforcement layer. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.75 for the full
mandate.</p>
<h2 id="11476--containers-submodule-mandate-cascaded-from-constitution-submodule-11476">§11.4.76
— Containers-Submodule Mandate (cascaded from constitution submodule
§11.4.76)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;For any work or requirements
of running services or codebase inside the Containers (Docker / Podman /
Qemy / Emulators, and so on) we MUST USE / INCORPORATE the Containers
Submodule properly: <a href="https://github.com/vasic-digital/containers">https://github.com/vasic-digital/containers</a>
(<a href="mailto:git@github.com">git@github.com</a>:vasic-digital/containers.git).
Containers Submodule contains all means for us to Containerize our code
and services! If any feature or Containing System is missing or not
supported we MUST EXTEND IT properly like we do all of our projects! No
bluff work is allowed of any kind!&quot;</em></p>
</blockquote>
<p>For ANY containerized workload (Docker / Podman / Qemu / Kubernetes /
container-backed emulators), every consuming project MUST: (1) install
<code>vasic-digital/containers</code>
(<code>digital.vasic.containers</code>) as a Git submodule; (2) consume
via <code>replace</code> directive during development + pinned commit
SHAs in production; (3) boot infra on-demand via <code>pkg/boot</code> +
<code>pkg/compose</code> + <code>pkg/health</code> so operators are
never required to start <code>podman machine</code> /
<code>docker compose up</code> manually — the boot is part of the test
entry point (the on-demand-infra invariant); (4) extend the Submodule
(PR upstream) for missing runtimes / lifecycle primitives — never
reimplement in-project (per §11.4.74); (5) anti-bluff: integration tests
claiming to exercise containerized components MUST actually boot them
via the Submodule — short-circuit fakes that bypass boot are a §11.4
violation. Tracker rows touching containerization MUST record
<code>Catalogue-Check: extend vasic-digital/containers@&lt;sha&gt;</code>
(or <code>reuse</code>). Planned gate <code>CM-CONTAINERS-USED</code>
scans container-touching PRs for
<code>digital.vasic.containers/...</code> imports; paired mutation
strips the import + asserts FAIL.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.76</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-76-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.76 for the full
mandate.</p>
<h2 id="11477--regeneration-mechanism-required-mandate-cascaded-from-constitution-submodule-11477">§11.4.77
— Regeneration-Mechanism-Required Mandate (cascaded from constitution
submodule §11.4.77)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;We must be sure that after
excluding anything from Git versioning we still have the mechanism which
will out of the box obtain or re-generate missing content!&quot;</em></p>
</blockquote>
<p>Every <code>.gitignore</code> entry excluding (a) &gt;~100 MiB OR (b)
any artefact essential to building / running / testing the project MUST
carry a documented + automated mechanism to either re-obtain (download
from authoritative source: vendor tarball, SDK installer,
npm/pip/cargo/go-mod/container registry, dedicated git submodule,
S3/GCS) OR re-generate (run from tracked source via build pipeline,
code-gen, asset render, captured-evidence replay, container build).
Required artefacts per qualifying entry: (1)
<code>.gitignore-meta/&lt;entry-slug&gt;.yaml</code> declaring pattern +
mechanism-type + script-path + expected-disk-usage +
vendor-url-or-source + integrity hash + requires-network +
requires-credentials; (2) a non-interactive entry in
<code>scripts/setup.sh</code> post-clone bootstrap; (3) a pre-build gate
verifying regenerated content present OR a recent
<code>.gitignore-meta/.regenerated/&lt;slug&gt;.ok</code> stamp; (4)
README + <code>docs/guides/*.md</code> describing the mechanism + manual
fallback + time/disk budget + §11.4.10 credentials. Bare
<code>.gitignore</code> additions without the mechanism are a §11.4
PASS-bluff variant — codebase appears complete but a fresh clone cannot
build/run. No escape hatch — no <code>--skip-regen-mechanism</code>,
<code>--gitignore-is-enough</code>,
<code>--operator-already-has-content</code> flag. Planned gate
<code>CM-GITIGNORE-REGEN-MECHANISM</code> + paired §1.1 mutation (strip
a required YAML key → gate FAILs).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.77</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-77-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Severity-equivalent to a §11.4 PASS-bluff at the
repository-hygiene layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.77 for the
full mandate.</p>
<h2 id="11478--codegraph-code-intelligence-mandate-cascaded-from-constitution-submodule-11478">§11.4.78
— CodeGraph Code-Intelligence Mandate (cascaded from constitution
submodule §11.4.78)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;Make codegraph MANDATORY
CHOICE for this purpose for all of our project ... All project which do
not have configured and installed codegraph yet MUST DO IT and MUST USE
IT!&quot;</em></p>
</blockquote>
<p>Every consuming project worked on by AI coding agents MUST install,
initialize, and use <strong>CodeGraph</strong>
(<code>https://github.com/colbymchenry/codegraph</code>, npm
<code>@colbymchenry/codegraph</code>) — a local SQLite semantic
code-knowledge-graph exposed to agents over MCP (100% local, no cloud).
(1) Install globally via npm with a user-writable npm prefix (no
<code>sudo</code>). (2) <code>codegraph init</code> +
<code>codegraph index</code>: <code>.codegraph/config.json</code> is
tracked, <code>.codegraph/codegraph.db</code> is gitignored with
<code>codegraph index</code> as its §11.4.77 regeneration mechanism; the
<code>config.json</code> <code>exclude</code> list MUST exclude every
credential/secret path per §11.4.10. (3) Wire
<code>codegraph serve --mcp</code> into every CLI agent (Claude Code
<code>.mcp.json</code>, OpenCode <code>opencode.json</code>, Qwen Code
<code>.qwen/settings.json</code>, Crush <code>.crush.json</code>,
host-local otherwise) referencing the bare <code>codegraph</code>
command on <code>PATH</code> (no hardcoded host path). (4) Cover the
integration with an anti-bluff suite whose per-agent end-to-end layer
uses an unforgeable challenge (a fact obtainable only by calling a
CodeGraph MCP tool, e.g. index node count via
<code>codegraph_status</code>); a genuinely un-drivable agent is a
documented SKIP per §11.4.3, never a faked PASS. (5) Document in
<code>docs/CODEGRAPH.md</code>, kept in sync per §11.4.12 / §11.4.65.
CodeGraph is consumed as the published npm package (§11.4.74) — not a
git submodule, adds no Git remote. Planned gate
<code>CM-CODEGRAPH-WIRED</code> + paired §1.1 mutation (strip a
secret-exclusion → gate FAILs).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.78</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-78-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.78 for the full
mandate.</p>
<h2 id="11479--own-org-submodules-must-be-included-in-the-codegraph-index-cascaded-from-constitution-submodule-11479">§11.4.79
— Own-Org Submodules MUST Be Included in the CodeGraph Index (cascaded
from constitution submodule §11.4.79)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-21): <em>&quot;All Submodules we use in the
project and that are part of organizations to which we have the full
access via GitHub, GitLab and other CLIs MUST BE included into the
codegraph database and initialized / scanned / synced!&quot;</em></p>
</blockquote>
<p>Refines §11.4.78&#39;s exclude-list with a per-submodule-ownership split:
(a) own-org submodules (full write access via the project&#39;s CLIs —
canonical orgs <code>vasic-digital</code> +
<code>HelixDevelopment</code>) MUST be INCLUDED in the index; (b)
third-party submodules (the §11.4.74 <code>no-match → vendor</code>
path) MUST be EXCLUDED. Operational steps: (1)
<code>git submodule update --remote --merge</code> to pull latest before
re-indexing, respecting load-bearing pins on third-party submodules; (2)
adjust <code>.codegraph/config.json</code> exclude list to keep own-org
paths in scope; (3) re-index via
<code>scripts/codegraph_setup.sh</code>; (4) verify via
<code>scripts/codegraph_validate.sh</code> with ≥1 probe resolving a
symbol living ONLY inside an own-org submodule; (5) paired §1.1 mutation
— temporarily add the own-org submodule to exclude → validate MUST FAIL
on the cross-submodule probe → restore. An index that lies about
reachable symbols is a PASS-bluff against AI agents. Own-org submodules
silently excluded without an audit trail in
<code>.codegraph/config.json</code> comments is a release blocker.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.79</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-79-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.79 for the full
mandate.</p>
<h2 id="11480--codegraph-regular-update--sync-automation-mandate-cascaded-from-constitution-submodule-11480">§11.4.80
— CodeGraph Regular-Update + Sync Automation Mandate (cascaded from
constitution submodule §11.4.80)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-21): <em>&quot;We MUST regularly check for
the updates and execute codegraph npm updates so the latest version of
it is always installed on the host machine! ... Make sure we have proper
full automation bash scripts which will run regularly and that these are
part of the constitution Submodule ... Make sure all updates, sync
processes we do and important codegraph related events are all
documented under docs/codegraph in Status and Status_Summary documents
... and regularly export them like all other Status docs into the PDF
and HTML!&quot;</em></p>
</blockquote>
<p>Three deliverables (all living in the constitution submodule,
inherited by reference per §3 — consuming projects invoke at
<code>${CONST_DIR}/scripts/codegraph_*.sh</code>, never copy): (1)
<code>scripts/codegraph_update.sh</code> — npm-installs latest
<code>@colbymchenry/codegraph</code> after a registry version check;
appends old/new version to <code>docs/codegraph/Status.md</code>;
anti-bluff verifies <code>codegraph --version</code> reflects the new
version after install (npm exit 0 ≠ working binary). (2)
<code>scripts/codegraph_sync.sh</code> — after a successful update runs
<code>codegraph status</code> → <code>codegraph sync .</code> →
<code>codegraph status</code> → the project&#39;s
<code>scripts/codegraph_validate.sh</code>; appends every step&#39;s output
to BOTH the project&#39;s and the constitution&#39;s
<code>docs/codegraph/Status.md</code>. (3)
<code>docs/codegraph/Status.md</code> + <code>Status_Summary.md</code>
append-only ledgers, exported to <code>.html</code> + <code>.pdf</code>
per §11.4.65. Cadence: weekly floor (per §11.4.45). A consuming project
that has not run <code>codegraph_update.sh</code> in &gt;2 weeks AND has
open AI-agent work is a release blocker. Paired §1.1 mutation: downgrade
installed version → script detects drift → restore.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.80</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-80-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.80 for the full
mandate.</p>
<h2 id="11481--cross-platform-parity-mandate-cascaded-from-constitution-submodule-11481">§11.4.81
— Cross-Platform-Parity Mandate (cascaded from constitution submodule
§11.4.81)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-21): <em>&quot;Any Linux-only blocker /
issue we have MUST BE created macOS and other supported platforms
equivalent! So, depending on platform proper implementation will be used
for particular OS! EVERYTHING MUST BE PROPERLY EXTENDED AND
UPDATED!&quot;</em></p>
</blockquote>
<p>Every consuming project whose supported-platforms manifest lists more
than one OS MUST, for every feature/test/gate/challenge/mutation
depending on platform-specific primitives, ship a per-OS-equivalent
implementation chosen at runtime via <code>uname -s</code> (or
equivalent detection). Three sub-mandates: <strong>(A) Per-OS
implementation REQUIRED</strong> — Linux
cgroup/systemd/<code>/proc</code> primitives MUST have documented per-OS
equivalents (POSIX <code>setrlimit</code>/<code>ulimit</code>, macOS
<code>launchd</code>, BSD <code>rctl</code>, Windows Job Object) chosen
via runtime dispatch. <strong>(B) Per-OS tests REQUIRED</strong> — every
platform-dependent gate test MUST have
<code>case &quot;$(uname -s)&quot; in</code> branches with positive captured
evidence per §11.4.2 + §11.4.5 in each branch; SKIP-with-reason
acceptable ONLY when the platform genuinely cannot enforce the
invariant. <strong>(C) Honest kernel-gap citation + adjacent equivalent
test REQUIRED</strong> — where a Linux primitive has NO equivalent due
to a documented kernel limitation (canonical: XNU does not enforce
<code>RLIMIT_AS</code> for unprivileged processes), the test MUST detect
the gap at runtime, SKIP with exact kernel reason + reproducer +
honest-gap-doc link, AND provide an ADJACENT test exercising the closest
invariant the platform CAN enforce (e.g.
<code>RLIMIT_CPU</code>+<code>SIGXCPU</code> as the macOS proxy), itself
anti-bluff with a paired §1.1 mutation. Gate
<code>CM-CROSS-PLATFORM-PARITY</code> scans for
<code>case &quot;$(uname -s)&quot;</code> blocks asserting a non-SKIP branch (or
honest-gap citation) per platform in the manifest; paired mutation
strips a Darwin branch → gate FAILs. No escape hatch.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.81</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-81-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker on multi-platform projects.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.81 for the full mandate.</p>
<h2 id="11482--iteration-speedup-discipline-mandate-cascaded-from-constitution-submodule-11482">§11.4.82
— Iteration-Speedup Discipline Mandate (cascaded from constitution
submodule §11.4.82)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-22): <em>&quot;How can we speed-up this
whole development and fixing process? ... Do not forget to all speed
optimizations critical rules and mandatory constraints MUST BE all added
into our root (constitution Submodule) Constitution.md, CLAUDE.md,
AGENTS.md and QWEN.md and all other relevant constitution Submodules
files!&quot;</em></p>
</blockquote>
<p>Iteration cycle time is a first-order quality enabler. Every
consuming project&#39;s build / test / commit / debug pipeline MUST adopt
these speedup disciplines AS MANDATORY (each independently enforceable):
(A) Phase-1 forensic (<code>superpowers:systematic-debugging</code>)
before any speculative source patch — speculative patches without
FACT-grade root cause are §11.4.6 + §11.4.82 violations; (B)
Live-ADB-First (or live-equivalent) before any rebuild — strengthens
§11.4.51 to a release-blocker mandate; (C) 30-second pre-flight before
launching rebuild orchestrators (device/sink reachability, host
memory/disk, no stale locks, no orphan processes); (D) persistent build
caches outside containers
(<code>ccache</code>/<code>sccache</code>/Gradle daemon bind-mounted to
host); (E) module-only rebuild for loadable-module-only changes; (F)
parallel multi-device testing with separate
<code>qa-results/&lt;TS&gt;/&lt;device-tag&gt;/</code> outputs; (G)
subagent scope discipline + worktree isolation (≤30 min budget,
single-responsibility, <code>isolation: &quot;worktree&quot;</code> default); (H)
lock-file + stale-process hygiene (clean <code>.git/index.lock</code>,
disable auto git-gc in concurrent repos); (I) cycle telemetry per
§11.4.24 (commit hash, per-phase wall-clock, speedup-flag set, outcome —
aggregated weekly). Gate <code>CM-ITERATION-SPEEDUP-DISCIPLINE</code>
audits recent cycles for telemetry citing which of (A)-(I) applied;
paired §1.1 mutation strips the speedup-flag column → gate FAILs. No
escape hatch — no <code>--skip-phase1-forensic</code>,
<code>--no-pre-flight</code>, <code>--rebuild-everything-always</code>,
<code>--unlimited-subagent-scope</code>, <code>--ignore-locks</code>,
<code>--no-telemetry</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.82</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-82-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.82 for the full mandate.</p>
<h2 id="11483--docsqa-end-user-evidence-mandate-cascaded-from-constitution-submodule-11483">§11.4.83
— docs/qa/ End-User Evidence Mandate (cascaded from constitution
submodule §11.4.83)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-22): <em>&quot;every feature that ships
MUST carry a recorded e2e communication transcript + any attached
materials under <code>docs/qa/&lt;run-id&gt;/</code> (per-feature
subdirectories). A feature with no QA transcript is itself a §107
PASS-bluff — it claims to work but has no auditable runtime evidence.
Bot-driven automation MUST preserve full bidirectional communication
threads as proof.&quot;</em></p>
</blockquote>
<p>Every feature that ships MUST carry a recorded end-to-end
communication transcript plus any attached materials (screenshots,
request/response payloads, audio, file uploads) committed under
<code>docs/qa/&lt;run-id&gt;/</code> — one directory per feature run.
Operative rule: (1) every consuming project MUST maintain a
<code>docs/qa/</code> tree, each new feature under
<code>docs/qa/&lt;run-id&gt;/</code> where <code>&lt;run-id&gt;</code>
is monotonic + greppable (timestamp / ATM-NNN / other workable-item ID
per §11.4.54); (2) transcripts MUST be full bidirectional — every
prompt/command sent + every response received (one-sided is not a
transcript); (3) attached materials MUST be committed in-repo (no
external-only links — that is a §11.4.13 sink-side violation); (4)
bot-driven / agent-driven QA automation MUST preserve the full
conversation thread as the proof artefact; (5) release gates MUST refuse
to tag a version that has any feature-shipping commit without its
matching <code>docs/qa/&lt;run-id&gt;/</code> directory. A feature with
no QA transcript is a §11.4 / §107 PASS-bluff. Composes with §11.4.2 /
§11.4.5 / §11.4.13 / §11.4.65 / §11.4.69 / §1.1.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.83</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-83-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no
<code>--qa-evidence-optional</code> escape hatch. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.83 for the full mandate.</p>
<h2 id="11484--working-tree-quiescence-rule-for-subagent-commits-cascaded-from-constitution-submodule-11484">§11.4.84
— Working-Tree Quiescence Rule for Subagent Commits (cascaded from
constitution submodule §11.4.84)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-22): <em>&quot;no subagent commit may
proceed while any concurrent mutation gate is in flight in the same
checkout. Before <code>git add</code>, the committing agent MUST
<code>grep</code> its own working tree for mutation markers
(<code>MUTATED for paired</code>, <code>// always pass</code>,
<code>return json.Marshal</code> shortcut paths, etc.). Any unexplained
file in the staging area triggers ABORT.&quot;</em></p>
</blockquote>
<p>No subagent (or main-thread) commit may proceed while any concurrent
mutation gate, paired-mutation experiment, or other in-flight mutation
is live in the same checkout. Before <code>git add</code>, the
committing agent MUST grep its own working tree for mutation markers
(<code>MUTATED for paired</code>, <code>// always pass</code>,
<code>return json.Marshal</code> shortcut paths,
<code>// MUTATION</code> / <code># MUTATION</code> annotations,
<code>_mutated_*</code> filename suffixes, etc.) and explicitly account
for every modified file in the staging area; any unexplained file →
ABORT. (Forensic case: a logo-fix subagent&#39;s <code>git add</code> swept
an <code>// always pass</code> JWT-verify mutation residue into an
unrelated commit pushed to all four mirrors — a real security-defect
window.) Operative rule: (1) pre-<code>git add</code> greps for mutation
markers + cross-checks <code>git status --porcelain</code> against the
subagent&#39;s declared scope; unaccounted entries → ABORT; (2) any active
mutation gate MUST be serialised (mutate → assert FAIL → restore →
assert PASS) and the working tree verifiably clean before any unrelated
commit; (3) concurrent subagents in the SAME checkout MUST coordinate
through a lockfile (<code>.git/MUTATION_IN_PROGRESS</code>) — cleaner
solution is <code>git worktree add</code> per subagent (composes with
§11.4.20/§11.4.70); (4) post-commit
<code>mutation-residue-scanner</code> MUST run before push — any commit
containing a mutation marker → push BLOCKED.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.84</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-84-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. A mutation marker that lands in a tagged commit is
a critical defect regardless of how briefly it persisted.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.84 for the full mandate.</p>
<h2 id="11486--rostercorpus-backed-status-doc-auto-sync-mandate-cascaded-from-constitution-submodule-11486">§11.4.86
— Roster/Corpus-Backed Status-Doc Auto-Sync Mandate (cascaded from
constitution submodule §11.4.86)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-25): <em>&quot;Make sure that assets and
players Status docs are ALWAYS regularly updated and in sync like all
others Status docs — any time we add or modify the assets content(s) or
we change or add new / remove existing pre-installed video and audio
player apps! This MUST WORK OUT OF THE BOX!&quot;</em></p>
</blockquote>
<p>Some Status docs (§11.4.45) are backed by a tracked roster (installed
apps/components) or a tracked asset corpus (test/media asset directory)
rather than narrative alone. Their freshness MUST NOT depend on operator
vigilance — the moment a roster/corpus member changes (app
added/removed/renamed; asset added/modified/removed) the Status doc +
Status_Summary + HTML + PDF MUST resync out of the box, mechanically.
Mechanism (all must hold): (1) drift-proof fingerprint — sha256 of the
sorted member list (NOT mtime), persisted in a sidecar beside the Status
doc; (2) a sync helper that regenerates the fingerprint + re-exports
HTML+PDF via the §11.4.65 exporter, wired so sync is automatic; (3) a
pre-build gate that FAILs when the live fingerprint differs from the
persisted one (mirrors §11.4.12 <code>CM-ISSUES-SUMMARY-SYNC</code> +
§11.4.45 <code>sync_integration_status</code>); (4) a paired §1.1
mutation corrupting the fingerprint and asserting the gate FAILs.
Classification: universal — the consuming project supplies the specific
docs, roster/corpus sources, helper, and gate name per §11.4.35.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.86</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-86-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no
<code>--skip-roster-sync</code>, <code>--allow-status-drift</code>,
<code>--roster-sync-not-applicable</code> flag. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.86 for the full mandate.</p>
<h2 id="11488--background-push-mandate-commit-lock-release-immediately-after-commit-push-runs-detached-cascaded-from-constitution-submodule-11488">§11.4.88
— Background-Push Mandate: Commit-Lock Release Immediately After Commit,
Push Runs Detached (cascaded from constitution submodule §11.4.88)</h2>
<p>Forensic anchor (2026-05-26): a single <code>commit_all.sh</code>
held its flock ~5 hours because <code>do_push</code> ran synchronously
after the commit landed — every subsequent commit blocked on a slow
mirror push irrelevant to the local commit&#39;s durability. Implementation
seam for §11.4.87(B) zero-idle. The mandate: (A)
<code>.git/.commit_all.lock</code> MUST be released IMMEDIATELY after
<code>git commit</code> returns 0 — the commit is durable on local disk
regardless of remote push outcome; (B) push runs detached via
<code>nohup ./push_all.sh ... &gt; &lt;log&gt; 2&gt;&amp;1 &amp;</code>
+ <code>disown</code> — the orchestrator&#39;s exit code reports COMMIT
success, NOT push success; (C) <code>push_all.sh</code> acquires
per-remote flock <code>.git/.push.&lt;remote&gt;.lock</code> so
concurrent invocations targeting the same remote serialize but
different-remote invocations run in parallel; (D) backgrounded push
failures land in
<code>qa-results/push_failures/&lt;ts&gt;_&lt;remote&gt;.log</code> —
the next autonomous-loop tick checks per §11.4.87(A) &quot;no external
dependency in-flight&quot; gate; (E) synchronous-push escape: explicit
<code>--sync-push</code> CLI flag preserves legacy behaviour for
§11.4.41 force-push merge-first audit paths. Gates
<code>CM-COVENANT-114-88-PROPAGATION</code> +
<code>CM-BACKGROUND-PUSH-WIRED</code> + paired §1.1 mutations.
Synchronous push (without <code>--sync-push</code>) = §11.4 PASS-bluff
at the execution layer.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.88</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-88-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no escape hatch beyond
<code>--sync-push</code> for force-push events. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.88 for the full mandate.</p>
<h2 id="11489--background-test-execution-mandate-cascaded-from-constitution-submodule-11489">§11.4.89
— Background Test Execution Mandate (cascaded from constitution
submodule §11.4.89)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;Any tests we are executing,
especially long test cycles, MUST BE performed in background in parallel
with main work stream! This MUST NOT block our capabilities to work on
queued workable items. Main work stream can be blocked or sit iddle only
if absolutely needed and if it depends hard on results of some
background execution.&quot;</em></p>
</blockquote>
<p>Symmetric anchor to §11.4.88 (background push) at the test-execution
layer. Mandate: (A) long-running tests (&gt;30 s expected:
<code>pre_build</code>, <code>meta_test</code>,
<code>test_all_fixes</code>, <code>recent_work_validate</code>, HelixQA
banks, 4-phase cycles, full-suite retests, audio supervisors,
dual-display recorders) MUST run via
<code>nohup ... &gt; &lt;log&gt; 2&gt;&amp;1 &amp;</code> +
<code>disown</code> with the log under a known dir
(<code>qa-results/&lt;test_id&gt;_&lt;ts&gt;.log</code>); (B) the main
stream proceeds to the §11.4.42 priority queue immediately; (C)
hard-dependency gating — poll an exit-status file or
<code>pgrep -af &lt;test&gt;</code> before steps that need the exit
code, surfacing as §11.4.66 interactive options if the test is still
running; (D) failures land in <code>&lt;log&gt;</code> files, the next
loop tick checks; (E) foreground execution permitted ONLY for &lt;30 s
tests OR explicit operator authorisation; (F) per-script flock
serialises same-script invocations, different-script invocations
parallel. Gates <code>CM-COVENANT-114-89-PROPAGATION</code> +
<code>CM-BACKGROUND-TEST-EXECUTION-WIRED</code> + paired §1.1
mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.89</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-89-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no escape hatch beyond explicit
per-invocation operator authorisation. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.89 for the full mandate.</p>
<h2 id="11490--obsolete-status--per-item-obsolescence-audit-cascaded-from-constitution-submodule-11490">§11.4.90
— Obsolete Status + Per-Item Obsolescence Audit (cascaded from
constitution submodule §11.4.90)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;Bug No 6 ... seems obsolete
after latest request for new behavior ... mark obsolete tickets with
some light gray background ... text - the description to be
strikethrough styled ... review all existing open or resolved workable
items if they are obsolete - not valid any more ... There MUST NOT be
any mistake! No bluff is allowed of any kind!&quot;</em></p>
</blockquote>
<p>The §11.4.15 Status closed-set is extended with a terminal
<code>Obsolete (→ Fixed.md)</code> value (orthogonal to Type per
§11.4.16). Obsolescence reasons (closed vocabulary):
<code>superseded-by-design-change | superseded-by-later-mandate | feature-removed | duplicate-of | unsupported-topology</code>.
Every Obsolete heading MUST carry an <code>**Obsolete-Details:**</code>
line (Since + Reason + Superseding-item + Triple-check evidence) within
8 non-blank lines. The §11.4.23 colorizer adds a
<code>cell-status-obsolete</code> class — light-gray
<code>#E0E0E0</code> background + strikethrough description. Audit
cadence: every release-gate sweep per §11.4.40 + §11.4.42; triple-check
is non-negotiable per the operator mandate. Composes with §11.4.15 /
§11.4.16 / §11.4.19 / §11.4.21 / §11.4.23 / §11.4.33 / §11.4.34 /
§11.4.40 / §11.4.42 / §11.4.66 / §11.4.71. Gates
<code>CM-COVENANT-114-90-PROPAGATION</code> +
<code>CM-ITEM-OBSOLETE-DETAILS</code> +
<code>CM-OBSOLETE-COLORIZER-WIRED</code> + paired §1.1 mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.90</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-90-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.90 for the full mandate.</p>
<h2 id="11491--summary-doc-clarity-mandate-cascaded-from-constitution-submodule-11491">§11.4.91
— Summary-Doc Clarity Mandate (cascaded from constitution submodule
§11.4.91)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;Summary docs -
Issues_Summary some not clear one line descriptions - like &#39;Composes
with&#39; ... For each workable item we MUST HAVE clearly understandable
meaning ... every team member can clearly understand what that
particular workable item is exactly about! There cannot be
misunderstanding or unclearity of any kind and no bluff
allowed!&quot;</em></p>
</blockquote>
<p>Every summary entry (Issues_Summary, Fixed_Summary, README doc-link,
Status_Summary pages 1+2, all one-liners) MUST contain a self-contained
meaningful description ≥ 6 words OR ≥ 40 chars naming SUBJECT +
PROBLEM/GOAL. Forbidden one-liner anti-patterns: section labels
(<code>Composes with</code>, <code>Closure criteria</code>,
<code>Fix direction</code>, etc.); bare metadata fragments
(<code>Critical</code>, <code>Bug</code>, <code>In progress</code>,
etc.); section-marker echoes; a §-letter alone. Generators
(<code>generate_issues_summary.sh</code> /
<code>generate_fixed_summary.sh</code> /
<code>update_readme_doc_links.sh</code> /
<code>generate_status_summary.sh</code>) MUST extract from the H1/H2
heading line per the §11.4.54 ATM-NNN convention, NEVER from arbitrary
downstream text, and MUST refuse anti-pattern rows — emitting a
<code>(MISSING DESCRIPTION — fix source heading)</code> placeholder with
visual highlight. Gate <code>CM-SUMMARY-CLARITY-DESCRIPTIONS</code>
scans every summary; an anti-pattern match = FAIL. Audit cadence: every
§11.4.40 + §11.4.42 sweep.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.91</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-91-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.91 for the full mandate.</p>
<h2 id="11492--multi-pass-change-evaluation-discipline-cascaded-from-constitution-submodule-11492">§11.4.92
— Multi-Pass Change-Evaluation Discipline (cascaded from constitution
submodule §11.4.92)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;Every change to the project
or codebase we do MUST BE evaluated in several passes and in in-depth
analisys for potential new issues or problems it can introduce! ... no
bluff of any kind! After we do change or set of changes this mandatory
steps MUST BE taken!&quot;</em></p>
</blockquote>
<p>Every non-trivial change MUST pass a 5-pass evaluation BEFORE it is
commit-ready: <strong>(Pass 1)</strong> main-task verification — change
achieves the stated goal, captured-evidence per §11.4.5/§11.4.69;
<strong>(Pass 2)</strong> regression-blast-radius analysis — enumerate
every direct dependency, demonstrate no contract break; <strong>(Pass
3)</strong> cross-feature interaction analysis — audit parallel features
sharing state/timing/hardware/shell environment; <strong>(Pass
4)</strong> deep-research validation per §11.4.8 — external precedent OR
&quot;NO external solution found — original work&quot; + CodeGraph queries per
§11.4.78/§11.4.79; <strong>(Pass 5)</strong> anti-bluff confirmation per
§11.4 / §11.4.1 / §11.4.6 / §11.4.27 / §11.4.50 / §11.4.52 / §11.4.69 /
§11.4.83 — no new bluff surface introduced. Each pass is documented
(commit footers OR <code>docs/</code> entries OR
<code>qa-results/</code> evidence). Only after all 5 passes complete may
commit/push/test/release proceed. Trivial exemption: typo /
revision-bump / MD-export-regen IF zero source touched AND the commit
message cites the exemption explicitly. Gates
<code>CM-COVENANT-114-92-PROPAGATION</code> +
<code>CM-MULTI-PASS-EVALUATION-EVIDENCE</code> + paired §1.1
mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.92</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-92-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.92 for the full mandate.</p>
<h2 id="11493--sqlite-backed-single-source-of-truth-for-workable-items-cascaded-from-constitution-submodule-11493">§11.4.93
— SQLite-Backed Single-Source-of-Truth for Workable Items (cascaded from
constitution submodule §11.4.93)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;There MUST be single source
of truth for all of our workable items - SQlite database ... proper
scripts (we recommend Go programs) ... reduce a chance for sync to be
broken ... generate always all docs from DB or to re-generate Db from
all docs we have in opposite direction&quot;</em></p>
</blockquote>
<p>The text-based Issues/Fixed/Summary/CONTINUATION constellation is
converted to a SQLite-DB-backed single source of truth. Schema mandatory
tables: <code>items</code> (atm_id PK + Type + Status incl. Obsolete +
Severity + title + description ≥40 chars + created/modified +
composes_with JSON + current_location); <code>item_history</code>
(append-only audit per §11.4.34 By/Reason/Evidence);
<code>obsolete_details</code> (§11.4.90);
<code>operator_block_details</code> (§11.4.21);
<code>firebase_metadata</code> (§11.4.47); <code>meta</code> (schema
version + last sync + integrity hash). A Go binary at
<code>cmd/workable-items/</code> provides <code>sync md-to-db</code> /
<code>db-to-md</code> / <code>diff</code> / <code>validate</code> /
<code>add</code> / <code>close</code>; bidirectional regen is
byte-identical round-trip (closed-set whitespace/section-order
tolerance). <code>commit_all.sh</code> refuses on non-empty diff;
<code>sync_issues_docs.sh</code> invokes the Go binary; pre-build runs
<code>workable-items validate</code>. Anti-bluff: unit + integration +
stress (1000-row insert + 10 concurrent writers) + chaos (mid-write
SIGKILL + corrupt-DB recovery + disk-full) + paired §1.1 mutation +
HelixQA Challenge <code>CME-WORKABLE-ITEMS-001</code>. The Go binary
lives in the constitution submodule
(<code>constitution/scripts/workable-items/</code>) per §11.4.74. Gates
<code>CM-COVENANT-114-93-PROPAGATION</code> +
<code>CM-WORKABLE-ITEMS-DB-PRESENT</code> +
<code>CM-WORKABLE-ITEMS-MD-DB-IN-SYNC</code> + paired §1.1 mutations.
(NOTE: the DB tracking rule is AMENDED by §11.4.95 — DB is TRACKED, not
gitignored.)</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.93</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-93-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — text-based-only trackers are a
§11.4 PASS-bluff at the data-architecture layer. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.93 for the full mandate.</p>
<h2 id="11494--zero-idle-priority-first-parallel-by-default-operating-mode-cascaded-from-constitution-submodule-11494">§11.4.94
— Zero-Idle Priority-First Parallel-By-Default Operating Mode (cascaded
from constitution submodule §11.4.94)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;We MUST NEVER sit iddle /
wait or sleep if there is possibility for us to work on something ...
Always check if there is a possibility to work on something while we are
not working actively on something! Pick always by priority - most
critical workable items and other tasks MUST BE done first! ... Stay
still / iddle if nothing is left to be done at all or waiting for
something that is blocking us / you!!!&quot;</em></p>
</blockquote>
<p>§11.4.94 binds §11.4.20 + §11.4.42 + §11.4.58 + §11.4.70 + §11.4.72 +
§11.4.82 + §11.4.87 + §11.4.88 + §11.4.89 into a single always-on
enforcement: (A) idle ONLY when every queued item is genuinely blocked
on an external dependency (hardware / network upstream / build/test
completion the conductor cannot accelerate) OR operator STOP OR §12
host-safety — &quot;don&#39;t see what to do&quot; is NEVER valid; (B) before ANY
wake/sleep the conductor MUST survey parallel-work feasibility per
§11.4.42 + §11.4.72 + §11.4.87, identify non-contending items, and
dispatch in parallel per §11.4.20/§11.4.70 (subagent) + §11.4.58 (PWU
disjoint scope) + §11.4.89 (background long tests); (C) priority order
MANDATORY — pick highest-severity + §11.4.72 audio-first the conductor
can autonomously progress; (D) subagent-driven default for non-trivial;
(E) background default for &gt;30 s wall-clock work via
<code>nohup</code>+<code>disown</code>; (F) stability-preserving
(composes with §11.4.92 multi-pass + §11.4.84 quiescence + §12.6–§12.9
host safety); (G) progress updates surfaced at milestone boundaries.
Gates <code>CM-COVENANT-114-94-PROPAGATION</code> +
<code>CM-PARALLEL-WORK-AUDIT</code> + paired §1.1 mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.94</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-94-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.94 for the full mandate.</p>
<h2 id="11496--safe-parallel-work-with-long-build-catalogue--mandate-cascaded-from-constitution-submodule-11496">§11.4.96
— Safe-Parallel-Work-With-Long-Build Catalogue + Mandate (cascaded from
constitution submodule §11.4.96)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;Are there except AOSP build
process any other active jobs being done at the moment? Can we work on
something in parallel while build is in progress so we slowly cleanup
our slate? ... do as much as possible work in background in parallel
with main work stream and oreferrably using subagents-driven
approach!&quot;</em></p>
</blockquote>
<p>An operational catalogue for the canonical long-running workload
(multi-hour containerised build per §12.9). <strong>SAFE during
build:</strong> (A) MD/docs work; (B) generator/helper script work under
<code>scripts/</code>; (C) pre-build + meta-test gate authoring + paired
§1.1 mutations; (D) on-device test scripts; (E) constitution submodule
edits + push; (F) any submodule commit + push per §11.4.88; (G)
read-only live-ADB probes
(<code>dumpsys</code>/<code>getprop</code>/<code>cat /proc/...</code>/<code>screencap</code>/<code>logcat</code>);
(H) subagent dispatch per §11.4.20/§11.4.70 + §11.4.84 quiescence; (I)
web research + external API queries with §11.4.10 credentials; (J)
workable-items DB ops per §11.4.93+§11.4.95; (K) backgrounded pre-build
+ meta-test execution per §11.4.89. <strong>UNSAFE during
build:</strong> (α)
<code>git checkout</code>/<code>reset --hard</code>/<code>clean -df</code>
on the source tree (use <code>git worktree</code>); (β) mass file
deletes/renames under built source trees; (γ) submodule pointer updates
affecting built artefacts; (δ) <code>out/</code> mutations; (ε)
<code>make clean</code>/<code>m clobber</code>/<code>rm -rf out/</code>;
(ζ) container destruction; (η) disk-filling breaching §12.9 free-space
minimum; (θ) §12 host-session-safety breaches. Conductor responsibility:
before EVERY pause point during a long build, consult the catalogue,
identify (A)-(K) queue items per §11.4.42+§11.4.72, and dispatch ≥1 per
§11.4.20/§11.4.70 subagent default + §11.4.89 background. &quot;Build
running, nothing else to do&quot; is NEVER true per §11.4.94+§11.4.96. Gates
<code>CM-COVENANT-114-96-PROPAGATION</code> +
<code>CM-PARALLEL-WORK-DURING-BUILD-AUDIT</code> + paired §1.1
mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.96</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-96-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.96 for the full mandate.</p>
<h2 id="11497--maximum-use-of-idle-time--progress-update-cadence-cascaded-from-constitution-submodule-11497">§11.4.97
— Maximum-Use-of-Idle-Time + Progress-Update Cadence (cascaded from
constitution submodule §11.4.97)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;keep it working, we should
do as much as possible, if not it all but as much as we can as long as
there is iddle time! it MUST be used! ... keep us updated about all
progress and all phisycal proofs and gathered data as you progress
through all open workable items!&quot;</em></p>
</blockquote>
<p>Operating-mode capstone strengthening §11.4.87 + §11.4.94 + §11.4.96:
(A) every minute of conductor idle time during which work could
autonomously progress AND is not genuinely blocked = a §11.4.97
violation; &quot;as much as possible, if not it all but as much as we can&quot; is
operative — dispatch CONTINUOUSLY through the entire idle window, not
just at scheduled wakes; (B) progress-update cadence — emit an
operator-facing 1-line update at every commit landed / subagent return /
constitutional anchor / captured evidence / milestone closure, no
operator prompt required; (C) continuous physical-proof gathering per
§11.4.5 + §11.4.6 + §11.4.69 — every autonomous closure cites
captured-evidence (evidence path goes into the §11.4.93
<code>item_history.evidence_path</code> when the DB lands); (D) composes
with §11.4.5/6/13/20/27/42/50/52/69/70/72/83/85/87/88/89/94/96; (E) the
idle-only-when-blocked closed-set is unchanged from §11.4.94(A). Gates
<code>CM-COVENANT-114-97-PROPAGATION</code> +
<code>CM-IDLE-TIME-AUDIT</code> + paired §1.1 mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.97</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-97-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.97 for the full mandate.</p>
<h2 id="11469--universal-sink-side-positive-evidence-taxonomy--mechanical-enforcement-cascaded-from-constitution-submodule-11469">§11.4.69
— Universal Sink-Side Positive-Evidence Taxonomy + Mechanical
Enforcement (cascaded from constitution submodule §11.4.69)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>&quot;THIS MUST HAPPEN NEVER
AGAIN!!! We MUST HAVE this all working! Not just for audio but for every
single piece of the System!!! Proper full automation when executed with
success MUST MEAN that manual testing will be as much positive at least
regarding the success results! ... Solution MUST BE universal, generic
that solves working flows for all System components and for all future
and all existing projects! ... Everything we do MUST BE validated and
verified with rock-solid proofs and anti-bluff policy enforcement and
fulfillment!&quot;</em></p>
</blockquote>
<p>Universal generalisation of §11.4.68 (audio-specific) across every
user-visible feature class. Every user-visible feature MUST map to one
entry in the closed-set §11.4.69 sink-side evidence taxonomy
(<code>audio_output</code>, <code>audio_input</code>,
<code>video_display</code>, <code>network_throughput</code>,
<code>network_connectivity</code>, <code>bluetooth_a2dp</code>,
<code>bluetooth_pair</code>, <code>touch_input</code>,
<code>sensor</code>, <code>gpu_render</code>, <code>storage_read</code>,
<code>storage_write</code>, <code>mediacodec_decode</code>,
<code>mediacodec_encode</code>, <code>miracast</code>,
<code>cast</code>, <code>boot_service</code>,
<code>package_install</code>, <code>permission_grant</code>,
<code>wifi_link</code>, <code>wifi_throughput</code>,
<code>ethernet_link</code>, <code>display_topology</code>,
<code>drm_playback</code>, <code>subtitle_render</code> — open to
additions, never contraction). Every PASS for a feature in the taxonomy
MUST cite a captured-evidence artefact path matching the required
evidence shape. New helper contracts (additive during grace, mandatory
after 2026-06-19):
<code>ab_pass_with_evidence &lt;description&gt; &lt;evidence_path&gt;</code>
(verifies path exists + non-empty),
<code>ab_skip_with_reason &lt;description&gt; &lt;closed-set-reason&gt;</code>
(reasons: <code>geo_restricted</code>, <code>operator_attended</code>,
<code>hardware_not_present</code>, <code>topology_unsupported</code>,
<code>network_unreachable_external</code>,
<code>feature_disabled_by_config</code>; forbids
<code>network_unreachable_external</code> for any taxonomy feature with
a sink-side probe); bare <code>ab_pass</code> deprecated (WARN
pre-grace, FAIL post-grace). Three pre-build gates + paired §1.1
mutations: <code>CM-SINK-EVIDENCE-PER-FEATURE</code>,
<code>CM-NO-FAIL-OPEN-SKIP</code>,
<code>CM-AB-PASS-WITH-EVIDENCE-EVERYWHERE</code>. No escape hatch — no
<code>--skip-evidence</code>, <code>--config-only-pass</code>,
<code>--allow-fail-open-skip</code>,
<code>--legacy-ab-pass-permitted</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.69</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-69-PROPAGATION</code> enforces the anchor literal
across the consumer fleet; paired mutation strips the literal → gate
FAILs. Severity-equivalent to a §11.4 PASS-bluff at the
sink-side-evidence layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.69 for the
full mandate.</p>
<h2 id="11485--stress--chaos-test-mandate-cascaded-from-constitution-submodule-11485">§11.4.85
— Stress + Chaos Test Mandate (cascaded from constitution submodule
§11.4.85)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-24): <em>&quot;Every fix or improvement you
do MUST BE covered with full automation stress and chaos tests so we are
sure nothing can break the functionality and all edge cases are
monitored and polished and additionally fixed if that is needed!
Everything must produce rock solid proofs and follow fully no-bluff
policy!&quot;</em></p>
</blockquote>
<p>Every fix or improvement landed MUST ship with full-automation
<strong>stress</strong> AND <strong>chaos</strong> test suites
exercising edge cases, sustained load, concurrent contention, and
failure-injection. Happy-path coverage alone is a §11.4 / §107
PASS-bluff at the resilience layer. <strong>Stress</strong>
(closed-set): sustained load (N ≥ 100 iterations OR ≥ 30 s wall-clock,
p50/p95/p99 latency recorded) + concurrent contention (N ≥ 10 parallel
invocations, no deadlock/leak) + boundary conditions
(empty/max/off-by-one, each categorised). <strong>Chaos</strong>
(closed-set, per fix-class appropriateness): process-death injection +
network-fault injection (drop/delay/reorder) + input-corruption
injection + resource-exhaustion injection (disk full, OOM, FD exhaustion
— refuse cleanly OR degrade, NEVER crash) + state-corruption injection
(mid-flight lock loss, partial-write). Every stress + chaos PASS MUST
cite a captured-evidence artefact path per §11.4.5 + §11.4.69. Helper
library <code>stress_chaos.sh</code> provides
<code>ab_stress_run</code>, <code>ab_stress_concurrent</code>,
<code>ab_chaos_kill_pid_during</code>,
<code>ab_chaos_drop_network_during</code>,
<code>ab_chaos_corrupt_file_during</code>,
<code>ab_chaos_oom_pressure_during</code>,
<code>ab_chaos_disk_full_during</code>, each composing with
<code>ab_pass_with_evidence</code> / <code>ab_skip_with_reason</code>.
Cleanup non-negotiable in <code>trap &#39;...&#39; EXIT</code> (cleanup failure
= §11.4.14 violation). Four-layer coverage per §11.4.4(b) + paired §1.1
mutation (strip chaos-injection or evidence-capture → gate FAILs). No
escape hatch — no <code>--skip-stress</code>, <code>--no-chaos</code>,
<code>--happy-path-suffices</code>, <code>--stress-test-later</code>
flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.85</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-85-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.85 for the full mandate.</p>
<h2 id="11487--endless-loop-autonomous-work--zero-idle-agent-dispatch--anti-bluff-testing-mandate-cascaded-from-constitution-submodule-11487">§11.4.87
— Endless-Loop Autonomous Work + Zero-Idle Agent Dispatch + Anti-Bluff
Testing Mandate (cascaded from constitution submodule §11.4.87)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-26): <em>&quot;continue in endless loop
fully autonomously&quot;</em> (and any semantically-equivalent phrasing).</p>
</blockquote>
<p>When the operator instructs an AI agent to continue in an endless
autonomous loop, the agent MUST treat it as a HARD-CONTRACT covenant:
(A) continue working until <code>docs/Issues.md</code> Status-column has
zero non-terminal entries AND <code>docs/CONTINUATION.md</code> §3
Active work is empty AND no background subagent is mid-execution AND no
external dependency is in-flight; (B) dispatch background subagents for
parallelisable work — main + every subagent operate concurrently,
&quot;waiting for results&quot; is the ONLY acceptable idle reason; (C) every
closure lands four-layer test coverage per §11.4.4(b) with
captured-evidence (audio/video/network/UI/sysfs physical proofs); (D)
the §11.4 anti-bluff covenant family (§11.4.1 / §11.4.2 / §11.4.6 /
§11.4.7 / §11.4.27 / §11.4.50 / §11.4.52 / §11.4.68 / §11.4.69 /
§11.4.83) is the operative truth-discipline — tests AND HelixQA
Challenges bound equally; (E) the loop terminates ONLY on
all-conditions-met, explicit operator STOP, host-session-safety demand,
or scheduled wake on a known-future-actionable signal. No escape hatch —
no <code>--idle-OK</code>, <code>--skip-endless-loop</code>,
<code>--bluff-permitted-for-this-task</code>,
<code>--metadata-only-test-suffices</code>,
<code>--no-physical-proof-required</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.87</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-87-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.87 for the full mandate.</p>
<h2 id="11495--workable-items-sqlite-db-is-tracked-in-git-never-gitignored-cascaded-from-constitution-submodule-11495">§11.4.95
— Workable-Items SQLite DB Is TRACKED in Git, NEVER Gitignored (cascaded
from constitution submodule §11.4.95)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>&quot;We shall not Git ignore our
workable items SQlite DB since it is our single source of truth ...
workable items SQlite DB regularly commited and pushed to all
upstreams!&quot;</em></p>
</blockquote>
<p>§11.4.93&#39;s earlier &quot;gitignored per §11.4.30&quot; clause is AMENDED — the
DB at <code>docs/workable_items.db</code> is TRACKED in git, NEVER
gitignored. It IS authoritative source data, NOT a build artefact. Every
<code>workable-items sync md-to-db</code> that mutates state MUST stage
+ commit + push the DB alongside the MD regen per §11.4.19 atomic-move +
§2.1 multi-upstream push. A WAL-checkpoint
(<code>PRAGMA wal_checkpoint(TRUNCATE)</code>) is required before
commit-stage so the transient <code>.db-wal</code> +
<code>.db-shm</code> sidecars (gitignored per §11.4.30) are safely
discardable. The §11.4.77 regeneration mechanism does NOT apply — the DB
IS the source. Destructive DB ops require §9.2 hardlinked-backup +
operator authorization; §11.4.41 force-push merge-first applies if DB
history ever needs rewrite. Gates
<code>CM-COVENANT-114-95-PROPAGATION</code> +
<code>CM-WORKABLE-ITEMS-DB-TRACKED</code> + paired §1.1 mutation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.95</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-95-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.95 for the full mandate.</p>
<hr />
<h2 id="11498--full-automation-anti-bluff-mandate-cascaded-from-constitution-submodule-11498">§11.4.98
— Full-Automation Anti-Bluff Mandate (cascaded from constitution
submodule §11.4.98)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-28): <em>&quot;Make sure we have full
automation testing of all scenarios with real bot, main group and users
without any manual intervention or contribution of real user! Everything
MUST BE fully automatic and autonomous! These tests MUST BE able to
rerun endless times when needed! ... Make sure there is no false
positives in testing! Every test and its results MUST obtain real proofs
of everything working! No bluff is allowed!&quot;</em></p>
</blockquote>
<p>Closes the manual-intervention gap (§11.4 / §11.4.2 / §11.4.5 /
§11.4.50 / §11.4.85 / §11.4.87 / §11.4.89 / §11.4.94 did not explicitly
forbid it). A live/integration/e2e/Challenge test that requires a human
action during execution (typing a message, clicking UI, hand-triggering
a webhook, attaching a file — anything beyond startup) is by definition
a §11.4 PASS-bluff at the automation layer. (A) Every governed test —
unit/integration/e2e/Challenge/stress/chaos/live — MUST be fully
self-driving end-to-end, reporting PASS/FAIL/SKIP-with-reason without
any further human action after startup. (B) Single permissible
exception: one-time credential bootstrap performed OUTSIDE test
execution (<code>.env</code> from vault, shell exports, OAuth at first
install, MTProto session activation) — configuration, not test driving.
(C) Live messenger/channel/agent tests: no &quot;operator must type&quot; prompts
(drive programmatically via second account / webhook fixture /
loopback); no hard-coded session UUIDs that collide with the active dev
session (Herald 2026-05-28 <code>claude --resume</code> silent exit -1
lesson); no 60 s human-response windows (§11.4.50 determinism
violation); re-runnability proof — PASS at <code>-count=3</code>
consecutive automated invocations with self-cleaning state; §11.4.98
obsolescence audit classifies every existing test COMPLIANT vs
NON-COMPLIANT; no silent-skip-reported-as-PASS or
stale-evidence-as-fresh. (D) With §11.4.85 + §11.4.89 + §11.4.87 +
§11.4.94 forms a continuously-validated, non-flake, anti-bluff regime.
(F) Manual-dependency tests not rewritten within 30 days graduate to
§11.4.90 Obsolete citing §11.4.98.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.98</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-98-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.98 for the full mandate.</p>
<hr />
<h2 id="11499--latest-source-documentation-cross-reference-mandate-cascaded-from-constitution-submodule-11499">§11.4.99
— Latest-Source Documentation Cross-Reference Mandate (cascaded from
constitution submodule §11.4.99)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-28): <em>&quot;Make sure we ALWAYS check
against latest versions of services we use web / online docs before
creating instructions! This situation is illustration of how we can
misguide ourselves or get banned! ... These are mandatory rules /
constraints and the result is consistency and safety of created
instructions, guides and manuals!&quot;</em></p>
</blockquote>
<p>Misguidance-by-stale-docs is the same severity class as a §11.4
PASS-bluff at the documentation layer (Herald 2026-05-28 case: a
first-draft MTProto guide recommended VoIP fallback numbers and omitted
the <code>recover@telegram.org</code> pre-login email — both
contradicted Telegram&#39;s official docs + the gotd/td maintainer guide and
could have caused a permanent account ban). Closes the gap §11.4.92 Pass
4 alludes to but does not mandate. (A) Before committing any
operator-facing instruction/guide/manual/troubleshooting/setup doc, the
author MUST: (1) fetch the LATEST official online documentation of the
documented service/library via WebFetch / MCP / direct browsing — NEVER
training data, memory, or prior committed docs; (2) cross-reference
every instruction step against that source; (3) seek secondary
authoritative sources (maintainer SUPPORT.md, official changelogs,
vetted community FAQs) when the official source is sparse/silent; (4)
cite source URLs + date in a <code>## Sources verified</code> footer in
the doc; (5) cite a
<code>Sources verified &lt;date&gt;: &lt;urls&gt;</code> footer in the
commit message. (B) Negative findings (gaps/silences/contradictions)
MUST be documented explicitly. (C) Docs older than 6 months are STALE —
re-verify before citing as operator authority, at every vN.0.0 release
boundary, on service breaking-change announcements, or on operator error
reports. (D) Risk-classified services (messengers, cloud APIs, payment
systems, AI/LLM providers, code-hosting, package managers) carry a
90-day max staleness + explicit safety warnings. (E) Composes with but
is INDEPENDENT of §11.4.92 Pass 4. (G) Commit missing either footer is
BLOCKED at release-gate; stale-beyond-grace docs graduate to §11.4.90
Obsolete (<code>Reason=stale-documentation</code>).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.99</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-99-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.99 for the full mandate.</p>
<hr />
<h2 id="114101--autonomous-decision-over-blocking-mandate-cascaded-from-constitution-submodule-114101">§11.4.101
— Autonomous-Decision-Over-Blocking Mandate (cascaded from constitution
submodule §11.4.101)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-28): <em>&quot;when working in endless
working loop fully autonomously try to decide most properly about points
which would block execution and wait for us. If we haven&#39;t answered now
work would be blocked whole night! If possible and if that will not
cause any issues make proper and most reliable and safe decision so we
achieve maximal efficiency and work gets fully done!&quot;</em></p>
</blockquote>
<p>In autonomous / endless-loop mode (per §11.4.87), the agent MUST
minimize operator-blocking and make the safe, reliable, reversible
decision itself so work is not stalled (e.g. overnight) waiting for
input — §11.4.87 says keep working, §11.4.101 says HOW to clear the
decision points. <strong>Proceed-autonomously (closed-set, ALL must
hold):</strong> (a) the action is reversible OR has a captured pre-op
backup per §9.2; (b) the safe choice is determinable from captured
evidence per §11.4.6 (no guessing —
<code>LIKELY</code>/<code>probably</code>/<code>seems</code> is NOT a
determination); (c) a wrong choice&#39;s blast radius is bounded AND
recoverable; (d) it composes with anti-bluff §11.4, host-safety §12,
data-safety §9. <strong>Block-only-when (BLOCK via the §11.4.66
interactive mechanism ONLY when ALL hold):</strong> the action is
irreversible AND high-blast-radius AND the safe choice cannot be
determined from evidence — e.g. external-account state the agent cannot
inspect, hardware it cannot access, destructive ops without backup,
force-push (also §9.2 + §11.4.41), spending money or sending data to
third parties. <code>Operator-blocked</code> per §11.4.21 is reached
only after this rule fires AND the self-resolution-exhaustion audit
completes. An unavoidable block parks one work unit — it does NOT pause
the loop; the agent keeps progressing every non-blocked item in parallel
per §11.4.87 + §11.4.94 (posing the question then going idle is a
§11.4.94 + §11.4.97 violation). Classification: universal
(§11.4.17).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.101</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-101-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.101 for the full mandate.</p>
<h2 id="114102--mandatory-systematic-debugging-activation--always-loaded-skill-discovery--plugin-dependency-availability-cascaded-from-constitution-submodule-114102">§11.4.102
— Mandatory systematic-debugging activation + always-loaded
skill-discovery + plugin-dependency availability (cascaded from
constitution submodule §11.4.102)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-29): <em>&quot;Make sure that we ALWAYS
trigger / start the &quot;/superpowers:systematic-debugging&quot; skills when any
issues happen! ... we MUST activate the skill(s) and make strongest
efforts in full in depth analisys / debugging and determine root causes
of all problem ... we MUST make sure that &quot;/using-superpowers&quot; skill is
ALWAYS loaded, applied and used! All dependencies (plugins) that Claude
Code or other market places are offering MUST BE installed if these are
not already available for loading and use!&quot;</em></p>
</blockquote>
<p>Three cooperating invariants — the difference between guess-and-retry
and investigate-to-root-cause-first. <strong>(A) Mandatory
systematic-debugging activation.</strong> On ANY spotted issue / bug /
test failure / gate failure / regression / misalignment / inconsistency
/ unexpected behaviour, the agent MUST activate
<code>superpowers:systematic-debugging</code> (or the
platform-equivalent structured-debugging discipline) <strong>BEFORE
proposing, writing, or applying any fix</strong> — the <strong>Iron Law:
NO FIXES WITHOUT ROOT CAUSE INVESTIGATION FIRST.</strong> Full
four-phase arc: root-cause → pattern → hypothesis → implementation (the
fix is designed only against the proven root cause). Guess-and-retry,
symptom-patching, and re-running a failed test hoping it passes
(&quot;probably transient / flaky&quot;) WITHOUT a completed investigation are
§11.4.102 violations; calling a failure
<code>transient</code>/<code>flaky</code>/<code>intermittent</code>/<code>probably-timing</code>
without captured forensic evidence is simultaneously a §11.4.6
(no-guessing) and §11.4.7 (demotion-evidence) violation. <strong>(B)
Mandatory always-loaded <code>using-superpowers</code>.</strong>
<code>superpowers:using-superpowers</code> (or the platform-equivalent
skill-discovery / capability-index discipline) MUST be loaded and
applied at session start and consulted before any task — survey
available skills before acting on ANY request; if ANY skill could apply
(even at 1% relevance) it MUST be invoked rather than improvised from
memory. <strong>(C) Mandatory plugin / dependency availability.</strong>
Every skill plugin / marketplace package / capability dependency the
project relies on MUST be installed + loadable BEFORE the dependent work
proceeds; a missing plugin that blocks a mandated skill is a
release-blocker until installed + confirmed loadable (confirm by
observing the skill in the live capability list — install exit 0 ≠ skill
loadable, per the §11.4.80 lesson). Composes with §11.4.4 / §11.4.6 /
§11.4.7 / §11.4.8 / §11.4.43 / §11.4.70 / §11.4.82(A) / §11.4.92.
Classification: universal (§11.4.17). No escape hatch — no
<code>--skip-systematic-debugging</code>,
<code>--guess-and-retry-OK</code>,
<code>--symptom-patch-permitted</code>,
<code>--skip-skill-discovery</code>, <code>--plugin-optional</code>,
<code>--missing-plugin-is-warning</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.102</code> reference) MUST appear in every owned submodule&#39;s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-102-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.102 for the full mandate.</p>
</body>
</html>