AGENTS.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="pandoc" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
  <title>AGENTS</title>
  <style>
    /* Default styles provided by pandoc.
    ** See https://pandoc.org/MANUAL.html#variables-for-html for config info.
    */
    html {
      color: #1a1a1a;
      background-color: #fdfdfd;
    }
    body {
      margin: 0 auto;
      max-width: 36em;
      padding-left: 50px;
      padding-right: 50px;
      padding-top: 50px;
      padding-bottom: 50px;
      hyphens: auto;
      overflow-wrap: break-word;
      text-rendering: optimizeLegibility;
      font-kerning: normal;
    }
    @media (max-width: 600px) {
      body {
        font-size: 0.9em;
        padding: 12px;
      }
      h1 {
        font-size: 1.8em;
      }
    }
    @media print {
      html {
        background-color: white;
      }
      body {
        background-color: transparent;
        color: black;
        font-size: 12pt;
      }
      p, h2, h3 {
        orphans: 3;
        widows: 3;
      }
      h2, h3, h4 {
        page-break-after: avoid;
      }
    }
    p {
      margin: 1em 0;
    }
    a {
      color: #1a1a1a;
    }
    a:visited {
      color: #1a1a1a;
    }
    img {
      max-width: 100%;
    }
    svg {
      height: auto;
      max-width: 100%;
    }
    h1, h2, h3, h4, h5, h6 {
      margin-top: 1.4em;
    }
    h5, h6 {
      font-size: 1em;
      font-style: italic;
    }
    h6 {
      font-weight: normal;
    }
    ol, ul {
      padding-left: 1.7em;
      margin-top: 1em;
    }
    li > ol, li > ul {
      margin-top: 0;
    }
    blockquote {
      margin: 1em 0 1em 1.7em;
      padding-left: 1em;
      border-left: 2px solid #e6e6e6;
      color: #606060;
    }
    code {
      font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
      font-size: 85%;
      margin: 0;
      hyphens: manual;
    }
    pre {
      margin: 1em 0;
      overflow: auto;
    }
    pre code {
      padding: 0;
      overflow: visible;
      overflow-wrap: normal;
    }
    .sourceCode {
     background-color: transparent;
     overflow: visible;
    }
    hr {
      border: none;
      border-top: 1px solid #1a1a1a;
      height: 1px;
      margin: 1em 0;
    }
    table {
      margin: 1em 0;
      border-collapse: collapse;
      width: 100%;
      overflow-x: auto;
      display: block;
      font-variant-numeric: lining-nums tabular-nums;
    }
    table caption {
      margin-bottom: 0.75em;
    }
    tbody {
      margin-top: 0.5em;
      border-top: 1px solid #1a1a1a;
      border-bottom: 1px solid #1a1a1a;
    }
    th {
      border-top: 1px solid #1a1a1a;
      padding: 0.25em 0.5em 0.25em 0.5em;
    }
    td {
      padding: 0.125em 0.5em 0.25em 0.5em;
    }
    header {
      margin-bottom: 4em;
      text-align: center;
    }
    #TOC li {
      list-style: none;
    }
    #TOC ul {
      padding-left: 1.3em;
    }
    #TOC > ul {
      padding-left: 0;
    }
    #TOC a:not(:hover) {
      text-decoration: none;
    }
    code{white-space: pre-wrap;}
    span.smallcaps{font-variant: small-caps;}
    div.columns{display: flex; gap: min(4vw, 1.5em);}
    div.column{flex: auto; overflow-x: auto;}
    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
    /* The extra [class] is a hack that increases specificity enough to
       override a similar rule in reveal.js */
    ul.task-list[class]{list-style: none;}
    ul.task-list li input[type="checkbox"] {
      font-size: inherit;
      width: 0.8em;
      margin: 0 0.8em 0.2em -1.6em;
      vertical-align: middle;
    }
    .display.math{display: block; text-align: center; margin: 0.5rem auto;}
    /* CSS for syntax highlighting */
    html { -webkit-text-size-adjust: 100%; }
    pre > code.sourceCode { white-space: pre; position: relative; }
    pre > code.sourceCode > span { display: inline-block; line-height: 1.25; }
    pre > code.sourceCode > span:empty { height: 1.2em; }
    .sourceCode { overflow: visible; }
    code.sourceCode > span { color: inherit; text-decoration: inherit; }
    div.sourceCode { margin: 1em 0; }
    pre.sourceCode { margin: 0; }
    @media screen {
    div.sourceCode { overflow: auto; }
    }
    @media print {
    pre > code.sourceCode { white-space: pre-wrap; }
    pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
    }
    pre.numberSource code
      { counter-reset: source-line 0; }
    pre.numberSource code > span
      { position: relative; left: -4em; counter-increment: source-line; }
    pre.numberSource code > span > a:first-child::before
      { content: counter(source-line);
        position: relative; left: -1em; text-align: right; vertical-align: baseline;
        border: none; display: inline-block;
        -webkit-touch-callout: none; -webkit-user-select: none;
        -khtml-user-select: none; -moz-user-select: none;
        -ms-user-select: none; user-select: none;
        padding: 0 4px; width: 4em;
        color: #aaaaaa;
      }
    pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa;  padding-left: 4px; }
    div.sourceCode
      {   }
    @media screen {
    pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
    }
    code span.al { color: #ff0000; font-weight: bold; } /* Alert */
    code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
    code span.at { color: #7d9029; } /* Attribute */
    code span.bn { color: #40a070; } /* BaseN */
    code span.bu { color: #008000; } /* BuiltIn */
    code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
    code span.ch { color: #4070a0; } /* Char */
    code span.cn { color: #880000; } /* Constant */
    code span.co { color: #60a0b0; font-style: italic; } /* Comment */
    code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
    code span.do { color: #ba2121; font-style: italic; } /* Documentation */
    code span.dt { color: #902000; } /* DataType */
    code span.dv { color: #40a070; } /* DecVal */
    code span.er { color: #ff0000; font-weight: bold; } /* Error */
    code span.ex { } /* Extension */
    code span.fl { color: #40a070; } /* Float */
    code span.fu { color: #06287e; } /* Function */
    code span.im { color: #008000; font-weight: bold; } /* Import */
    code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
    code span.kw { color: #007020; font-weight: bold; } /* Keyword */
    code span.op { color: #666666; } /* Operator */
    code span.ot { color: #007020; } /* Other */
    code span.pp { color: #bc7a00; } /* Preprocessor */
    code span.sc { color: #4070a0; } /* SpecialChar */
    code span.ss { color: #bb6688; } /* SpecialString */
    code span.st { color: #4070a0; } /* String */
    code span.va { color: #19177c; } /* Variable */
    code span.vs { color: #4070a0; } /* VerbatimString */
    code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
  </style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">AGENTS</h1>
</header>
<h2 id="inherited-from-helix-constitution">INHERITED FROM Helix
Constitution</h2>
<blockquote>
<p>Base agent rules live in the Helix Constitution submodule at the
parent project's <code>constitution/AGENTS.md</code> and the universal
<code>constitution/Constitution.md</code> it references. <strong>READ
THOSE FIRST.</strong> The base file is authoritative for any topic not
covered here. Module-specific rules below extend them; they never weaken
them.</p>
</blockquote>
<p>Critical universal rules every CLI agent (Claude Code, Cursor, Aider,
Codex, Gemini CLI) MUST honour while working in this module:</p>
<ul>
<li><strong>No bluffing.</strong> Every PASS carries positive evidence.
Constitution §11.4.</li>
<li><strong>Mutation-paired gates.</strong> Every new gate has a paired
mutation proving it catches regressions. Constitution §1.1.</li>
<li><strong>No guessing language</strong> (<code>likely</code>,
<code>probably</code>, <code>maybe</code>, <code>seems</code>).
Constitution §11.4.6.</li>
<li><strong>Credentials never tracked.</strong> <code>.env</code>
patterns git-ignored; runtime-load only. Constitution §11.4.10.</li>
<li><strong>Never force-push.</strong> Force-push requires explicit
per-session authorization AND a green §9.1.5 post-op gate. Constitution
§9.</li>
<li><strong>CONTINUATION.md kept in sync</strong> in every non-trivial
commit. Constitution §12.10.</li>
<li><strong>60% RAM cap.</strong> Heavy work wrapped in bounded
execution scope. Constitution §12.6.</li>
</ul>
<p>Canonical reference: <a
href="https://github.com/HelixDevelopment/HelixConstitution">https://github.com/HelixDevelopment/HelixConstitution</a></p>
<hr />
<h1 id="agentsmd--helixcode-authoritative-agent-guide">AGENTS.md —
HelixCode Authoritative Agent Guide</h1>
<h2 id="helixcode-agent-guidelines">HelixCode Agent Guidelines</h2>
<p><strong>Version</strong>: 3.0.0 (Updated with full architecture
audit) <strong>Date</strong>: 2026-04-30 <strong>Scope</strong>: All AI
agents, human contributors, and automated processes working on HelixCode
<strong>Authority</strong>: Derived from HelixAgent AGENTS.md with
HelixCode-specific enhancements</p>
<hr />
<h2 id="project-overview">Project Overview</h2>
<p>HelixCode is an enterprise-grade distributed AI development platform
built in Go. It enables intelligent task division, work preservation,
cross-platform development workflows, and multi-provider LLM integration
through a unified REST API, CLI, Terminal UI, Desktop, and Mobile client
architecture.</p>
<p><strong>Current Status</strong>: The <code>internal/</code>
foundation is largely solid (auth, database, server, worker, task,
workflow, tools, editor, notification, MCP, <strong>verifier</strong>
are real implementations). Critical bluff and stub areas remain in
select entry points and peripheral packages. All agents MUST prioritize
zero-bluff implementation.</p>
<p><strong>LLMsVerifier Integration Status</strong>:
<code>internal/verifier/</code> package is now implemented with REST API
client, two-tier cache, circuit breaker health monitor, background
poller, score adapter, and event publisher. BLUFF-002 (hardcoded CLI
models) and BLUFF-004 (hardcoded external models) are FIXED. BLUFF-005
(scoring ignores verifier data) is FIXED in
<code>ModelManager.SelectOptimalModel()</code>.</p>
<p><strong>Key Features</strong>:</p>
<ul>
<li><strong>Distributed Computing</strong>: SSH-based worker pools with
health monitoring, auto-installation, and consensus</li>
<li><strong>Multi-Provider LLM Integration</strong>: 15+ providers
(OpenAI, Anthropic, Gemini, Ollama, Azure, Bedrock, Groq, Mistral,
Cohere, xAI, DeepSeek, Qwen, OpenRouter, HuggingFace, Llama.cpp)</li>
<li><strong>Development Workflows</strong>: Automated planning,
building, testing, refactoring with real shell execution</li>
<li><strong>Task Management</strong>: Intelligent task division with
priorities, dependencies, checkpointing, and Redis caching</li>
<li><strong>MCP Protocol</strong>: Full Model Context Protocol server
over WebSocket with tool dispatch</li>
<li><strong>Multi-Client Architecture</strong>: REST API (Gin), Cobra
CLI, Terminal UI (tview), Desktop (Fyne), Mobile (gomobile),
WebSocket</li>
<li><strong>Memory Systems</strong>: In-memory, filesystem, Redis,
Memcached, Cognee, ChromaDB, Qdrant, Weaviate integrations</li>
<li><strong>Advanced Editor</strong>: Multi-format code editing (diff,
whole-file, search/replace, line-based) with backups</li>
<li><strong>Tools Ecosystem</strong>: 40+ tools across filesystem,
shell, web, browser, mapping, multiedit, confirmation, notebook,
git</li>
<li><strong>Notifications</strong>: Multi-channel support (Slack, Email,
Telegram, Discord, Yandex Messenger, Max)</li>
</ul>
<hr />
<h2 id="technology-stack">Technology Stack</h2>
<p><strong>Core Technologies</strong>:</p>
<ul>
<li><strong>Language</strong>: Go 1.24.0 with toolchain go1.24.9</li>
<li><strong>Module</strong>: <code>dev.helix.code</code></li>
<li><strong>HTTP Framework</strong>: Gin v1.11.0</li>
<li><strong>Authentication</strong>: JWT v4.5.2, bcrypt + argon2</li>
<li><strong>Database</strong>: PostgreSQL 15+ via pgx/v5 (optional)</li>
<li><strong>Cache</strong>: Redis 7+ via go-redis/v9 (optional)</li>
<li><strong>Configuration</strong>: Viper v1.21.0</li>
<li><strong>CLI Framework</strong>: Cobra v1.8.0</li>
<li><strong>Testing</strong>: Testify v1.11.1</li>
</ul>
<p><strong>UI Technologies</strong>:</p>
<ul>
<li><strong>Desktop</strong>: Fyne v2.7.0</li>
<li><strong>Terminal UI</strong>: tview v0.42.0</li>
<li><strong>Mobile</strong>: gomobile bindings</li>
</ul>
<p><strong>External Integrations</strong>:</p>
<ul>
<li><strong>Browser Automation</strong>: chromedp v0.14.2</li>
<li><strong>Web Scraping</strong>: goquery v1.10.3</li>
<li><strong>Tree-sitter</strong>: go-tree-sitter</li>
<li><strong>Identity</strong>: Azure SDK, AWS SDK v2</li>
<li><strong>Vector/Memory</strong>: Cognee, ChromaDB, Qdrant, Weaviate
clients</li>
<li><strong>Container Orchestration</strong>: digital.vasic.containers
(vasic-digital/Containers submodule)</li>
</ul>
<hr />
<h2 id="working-directory--build-system">Working Directory &amp; Build
System</h2>
<p><strong>CRITICAL</strong>: All build and test commands must be run
from the <code>helix_code/</code> subdirectory, not the repository
root.</p>
<div class="sourceCode" id="cb1"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> HelixCode</span></code></pre></div>
<h3 id="build-commands">Build Commands</h3>
<table>
<thead>
<tr>
<th>Command</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>make build</code></td>
<td>Build server binary to <code>bin/helixcode</code></td>
</tr>
<tr>
<td><code>make test</code></td>
<td>Run <code>go test -v ./...</code></td>
</tr>
<tr>
<td><code>make test-all</code></td>
<td>Run tests + coverage + benchmarks + docs</td>
</tr>
<tr>
<td><code>make test-coverage</code></td>
<td>Generate coverage report</td>
</tr>
<tr>
<td><code>make test-benchmark</code></td>
<td>Run Go benchmarks</td>
</tr>
<tr>
<td><code>make logo-assets</code></td>
<td>Generate logo assets (required before first build)</td>
</tr>
<tr>
<td><code>make setup-deps</code></td>
<td>Run <code>go mod tidy</code></td>
</tr>
<tr>
<td><code>make fmt</code></td>
<td>Run <code>go fmt ./...</code></td>
</tr>
<tr>
<td><code>make lint</code></td>
<td>Run <code>golangci-lint run ./...</code></td>
</tr>
<tr>
<td><code>make clean</code></td>
<td>Clean build artifacts</td>
</tr>
<tr>
<td><code>make dev</code></td>
<td>Start development server</td>
</tr>
<tr>
<td><code>make prod</code></td>
<td>Cross-platform production build</td>
</tr>
<tr>
<td><code>make mobile</code></td>
<td>Build iOS + Android targets</td>
</tr>
<tr>
<td><code>make aurora-os</code></td>
<td>Build Aurora OS target</td>
</tr>
<tr>
<td><code>make harmony-os</code></td>
<td>Build Harmony OS target</td>
</tr>
</tbody>
</table>
<h3 id="full-infrastructure-test-commands">Full Infrastructure Test
Commands</h3>
<table>
<thead>
<tr>
<th>Command</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>make test-infra-up</code></td>
<td>Start full Docker test infrastructure</td>
</tr>
<tr>
<td><code>make test-infra-down</code></td>
<td>Stop full Docker test infrastructure</td>
</tr>
<tr>
<td><code>make test-full</code></td>
<td>ALL tests with real infrastructure (zero skips)</td>
</tr>
<tr>
<td><code>make test-unit-full</code></td>
<td>Unit tests with real services</td>
</tr>
<tr>
<td><code>make test-integration-full</code></td>
<td>Integration tests with <code>-tags=integration</code></td>
</tr>
<tr>
<td><code>make test-e2e-full</code></td>
<td>E2E challenge tests via runner</td>
</tr>
<tr>
<td><code>make test-security-full</code></td>
<td>Security test suite</td>
</tr>
<tr>
<td><code>make test-load-full</code></td>
<td>Load tests</td>
</tr>
<tr>
<td><code>make test-complete</code></td>
<td>Sequential run of all full test types</td>
</tr>
<tr>
<td><code>make coverage-full</code></td>
<td>Coverage with full infrastructure</td>
</tr>
</tbody>
</table>
<h3 id="containerized-builds-no-host-dependencies">Containerized Builds
(NO Host Dependencies)</h3>
<table>
<thead>
<tr>
<th>Command</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>make container-builder-image</code></td>
<td>Build the builder container image</td>
</tr>
<tr>
<td><code>make container-build</code></td>
<td>Build application inside container</td>
</tr>
<tr>
<td><code>make container-test</code></td>
<td>Run tests inside container</td>
</tr>
<tr>
<td><code>make container-lint</code></td>
<td>Run linter inside container</td>
</tr>
<tr>
<td><code>make container-shell</code></td>
<td>Interactive shell in builder container</td>
</tr>
<tr>
<td><code>make container-dev-up</code></td>
<td>Start containerized dev environment</td>
</tr>
<tr>
<td><code>make container-dev-down</code></td>
<td>Stop containerized dev environment</td>
</tr>
<tr>
<td><code>make container-release</code></td>
<td>Full release build in container</td>
</tr>
<tr>
<td><code>./scripts/containers/build-in-container.sh</code></td>
<td>Convenience wrapper script</td>
</tr>
</tbody>
</table>
<p>The builder container includes: Go 1.24, gcc, postgresql-client,
redis, docker-cli, golangci-lint, and all build tools. The only host
requirement is Docker/Podman.</p>
<h3 id="standalone-test-scripts">Standalone Test Scripts</h3>
<table>
<thead>
<tr>
<th>Script</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>./run_tests.sh --unit</code></td>
<td>Unit tests</td>
</tr>
<tr>
<td><code>./run_tests.sh --integration</code></td>
<td>Integration tests</td>
</tr>
<tr>
<td><code>./run_tests.sh --e2e</code></td>
<td>E2E tests</td>
</tr>
<tr>
<td><code>./run_tests.sh --coverage</code></td>
<td>Coverage analysis</td>
</tr>
<tr>
<td><code>./run_tests.sh --security</code></td>
<td>Security tests</td>
</tr>
<tr>
<td><code>./run_all_tests.sh</code></td>
<td>Orchestrates ALL suites sequentially</td>
</tr>
<tr>
<td><code>./run_integration_tests.sh</code></td>
<td>DB integration tests with Docker</td>
</tr>
</tbody>
</table>
<h3 id="single-test-execution">Single Test Execution</h3>
<div class="sourceCode" id="cb2"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="ex">go</span> test <span class="at">-v</span> <span class="at">-run</span> TestName ./path/to/package</span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="ex">go</span> test <span class="at">-v</span> <span class="at">-tags</span><span class="op">=</span>integration ./internal/database</span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> tests/e2e/challenges <span class="kw">&amp;&amp;</span> <span class="ex">go</span> run cmd/runner/main.go <span class="at">-challenge</span> ascii-art-generator-001 <span class="at">-providers</span> ollama</span></code></pre></div>
<hr />
<h2 id="architecture--code-organization">Architecture &amp; Code
Organization</h2>
<pre><code>helix_code/
├── cmd/                          # Application entry points
│   ├── server/main.go            # HTTP server entry point
│   ├── cli/main.go               # Legacy flag-based CLI client
│   ├── root.go                   # Cobra root command (`helix`)
│   ├── main_commands.go          # `helix start`, `helix auto`
│   ├── other_commands.go         # `helix server`, `helix version`, etc.
│   ├── local-llm.go              # `helix local-llm` command tree
│   ├── local-llm-advanced.go     # Advanced local-llm commands
│   ├── helix-config/main.go      # Dedicated config management CLI
│   ├── security-test/main.go     # Simulated security test runner
│   ├── security-fix/main.go      # Security fix wrapper
│   ├── security-fix-standalone/main.go  # Standalone security scanner
│   ├── performance-optimization/main.go # Performance optimizer
│   ├── performance-optimization-standalone/main.go # Standalone perf simulator
│   └── config-test/main.go       # Config hot-reload test utility
│
├── internal/                     # Internal packages (~40 packages)
│   ├── auth/                     # JWT authentication, bcrypt/argon2, sessions
│   ├── llm/                      # LLM provider implementations (15+ providers)
│   │   ├── providers/            # Per-provider HTTP clients
│   │   ├── compression/          # Context compression
│   │   └── vision/               # Vision/multimodal support
│   ├── provider/                 # Provider abstractions
│   ├── providers/                # Provider management
│   ├── worker/                   # SSH-based worker pool, health checks
│   ├── task/                     # Task queues, dependencies, checkpoints
│   ├── server/                   # Gin HTTP server, routes, middleware
│   ├── database/                 # PostgreSQL pgx pool, schema initialization
│   ├── redis/                    # go-redis wrapper with graceful degradation
│   ├── tools/                    # 40+ tool ecosystem registry
│   │   ├── filesystem/           # fs_read, fs_write, fs_edit, glob, grep
│   │   ├── shell/                # shell, shell_background with sandbox
│   │   ├── web/                  # web_fetch, web_search
│   │   ├── browser/              # browser_launch, browser_navigate, browser_screenshot
│   │   ├── multiedit/            # Transactional multi-file editing
│   │   └── git/                  # Git automation
│   ├── editor/                   # Multi-format code editing with backups
│   ├── memory/                   # Memory providers (in-mem, filesystem, Redis, etc.)
│   ├── cognee/                   # Cognee.ai memory integration
│   ├── context/                  # Hierarchical context management with TTL
│   ├── notification/             # Multi-channel notification engine
│   ├── mcp/                      # Model Context Protocol WebSocket server
│   ├── workflow/                 # Development workflow execution
│   ├── config/                   # Viper-based configuration management
│   ├── event/                    # Pub/sub event bus
│   ├── logging/                  # Structured logging wrapper
│   ├── monitoring/               # Metric collection framework
│   ├── security/                 # Security scanning (stubbed)
│   ├── session/                  # Development session management
│   ├── agent/                    # Agent orchestration
│   ├── project/                  # Project management
│   ├── rules/                    # Rules engine
│   ├── hooks/                    # Hook system
│   ├── focus/                    # Focus chain management
│   ├── template/                 # Template system
│   ├── persistence/              # State persistence
│   ├── deployment/               # Deployment management
│   ├── discovery/                # Service/model discovery
│   ├── hardware/                 # Hardware abstraction
│   ├── repomap/                  # Repository mapping
│   ├── version/                  # Version management
│   ├── fix/                      # Security fix engine
│   ├── performance/              # Performance optimization
│   ├── testutil/                 # Test utilities
│   └── mocks/                    # Shared mocks
│
├── applications/                 # Platform-specific applications
│   ├── desktop/                  # Fyne desktop app
│   ├── terminal-ui/              # tview terminal UI
│   ├── android/                  # Android app
│   ├── ios/                      # iOS app
│   ├── aurora-os/                # Aurora OS client
│   └── harmony-os/               # Harmony OS client
│
├── api/                          # OpenAPI specification
│   └── openapi.yaml              # Full REST API spec (OpenAPI 3.0.3)
│
├── config/                       # Configuration files
│   ├── config.yaml               # Primary application config
│   ├── production-config.yaml    # Enterprise production config
│   ├── minimal-config.yaml       # Minimal test config (DB/Redis disabled)
│   ├── test-config.yaml          # Test-specific config
│   ├── working-config.yaml       # Working variant
│   ├── azure_example.yaml        # Azure-specific example
│   └── model-aliases.example.yaml# Model alias examples
│
├── tests/                        # New test framework
│   ├── e2e/challenges/           # Challenge-based E2E tests
│   └── automation/               # Hardware automation tests
│
├── test/                         # Legacy/parallel test suites
│   ├── integration/              # Integration tests
│   ├── e2e/                      # Legacy E2E tests
│   ├── automation/               # Provider automation tests
│   └── load/                     # Load tests
│
├── benchmarks/                   # Performance benchmarks
├── security/                     # Security tests
├── standalone_tests/             # Standalone CLI tests
├── docker/                       # Docker assets and extended compose
├── scripts/                      # Build and deployment scripts
└── assets/                       # Logo and image assets</code></pre>
<hr />
<h2 id="verified-real-implementations">Verified Real
Implementations</h2>
<h3 id="auth-001-authentication-system-verified-real">AUTH-001:
Authentication System (VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/auth/auth.go</code> (~470
lines) <strong>Assessment</strong>: Production-ready</p>
<ul>
<li>User registration with validation</li>
<li>Password hashing with bcrypt + argon2 fallback</li>
<li>JWT token generation and verification (JWT v4)</li>
<li>Session management with crypto-random tokens</li>
<li>Constant-time comparison for timing attack prevention</li>
<li>Full test coverage in <code>internal/auth/auth_test.go</code> (~777
lines)</li>
</ul>
<h3 id="db-001-database-layer-verified-real">DB-001: Database Layer
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/database/database.go</code>
<strong>Assessment</strong>: Production-ready</p>
<ul>
<li>PostgreSQL connection pool via pgx/v5</li>
<li>Full schema initialization (users, workers, tasks, projects,
sessions, LLM providers, MCP servers, notifications, audit logs)</li>
<li><code>DatabaseInterface</code> for testability</li>
<li>Graceful degradation when host is empty</li>
</ul>
<h3 id="srv-001-http-server-verified-real">SRV-001: HTTP Server
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/server/server.go</code>
<strong>Assessment</strong>: Production-ready</p>
<ul>
<li>Gin-based server with 50+ routes across <code>/api/v1/</code></li>
<li>JWT auth middleware, CORS, security headers</li>
<li>WebSocket endpoint for MCP</li>
<li>Health check with DB + Redis validation</li>
<li>Graceful shutdown (30s timeout)</li>
</ul>
<h3 id="llm-001-llm-providers-verified-real">LLM-001: LLM Providers
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/llm/</code> (~5000+ lines
across providers) <strong>Assessment</strong>: Real HTTP clients</p>
<ul>
<li><code>AnthropicProvider</code> (~752 lines): Full SSE streaming,
prompt caching, extended thinking, tool calls</li>
<li><code>OpenAIProvider</code> (~431+ lines): Full HTTP API client</li>
<li><code>ModelManager</code>: Multi-provider orchestration, selection
strategy, fallback chain</li>
<li>16 provider subdirectories with real HTTP implementations</li>
<li><strong>Note</strong>: The <code>internal/llm/</code> package is
genuine. Bluff areas are at <code>cmd/cli/main.go</code> only.</li>
</ul>
<h3 id="wrk-001-worker-pool-verified-real">WRK-001: Worker Pool
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/worker/</code> (~800+ lines)
<strong>Assessment</strong>: Real distributed worker management</p>
<ul>
<li><code>WorkerManager</code>: Register, heartbeat, assign tasks,
complete tasks</li>
<li>SSH config parsing, capability matching, resource tracking</li>
<li>Health checks with TTL</li>
</ul>
<h3 id="tsk-001-task-management-verified-real">TSK-001: Task Management
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/task/</code> (~1000+ lines)
<strong>Assessment</strong>: Real task lifecycle</p>
<ul>
<li>Priority queues, dependency validation, checkpointing</li>
<li>Redis caching with graceful degradation</li>
<li>Retry logic and cleanup</li>
</ul>
<h3 id="wfl-001-workflow-engine-verified-real">WFL-001: Workflow Engine
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/workflow/</code> (~1100+ lines)
<strong>Assessment</strong>: Real shell execution</p>
<ul>
<li><code>Executor</code> dispatches to real
<code>exec.CommandContext()</code> calls</li>
<li>Security filtering via <code>isDangerousCommand()</code> (rm, dd,
mkfs, fork bombs, etc.)</li>
<li>LLM integration with real <code>LLMRequest</code></li>
<li>Supports Go, Node, Python, Rust project types</li>
</ul>
<h3 id="too-001-tools-ecosystem-verified-real">TOO-001: Tools Ecosystem
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/tools/</code> (~2000+ lines)
<strong>Assessment</strong>: Real tool registry</p>
<ul>
<li>8 categories: filesystem, shell, web, browser, mapping, multiedit,
confirmation, notebook</li>
<li>Real chromedp browser automation</li>
<li>Transactional multi-file editing</li>
</ul>
<h3 id="edt-001-code-editor-verified-real">EDT-001: Code Editor
(VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/editor/</code> (~600+ lines)
<strong>Assessment</strong>: Real file I/O</p>
<ul>
<li>Diff, whole-file, search/replace, line-based editors</li>
<li>Automatic file backup with <code>io.Copy</code></li>
<li><code>EditApplier</code> / <code>EditValidator</code>
interfaces</li>
</ul>
<h3 id="not-001-notification-engine-verified-real">NOT-001: Notification
Engine (VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/notification/</code> (~800+
lines) <strong>Assessment</strong>: Real HTTP/SMTP calls</p>
<ul>
<li>Slack (webhook HTTP POST), Email (SMTP via <code>net/smtp</code>),
Telegram (Bot API), Discord (webhook)</li>
<li>Yandex Messenger (OAuth API), Max (enterprise API)</li>
<li>Rate limiting, retry, queue, metrics</li>
</ul>
<h3 id="mcp-001-mcp-protocol-server-verified-real">MCP-001: MCP Protocol
Server (VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/mcp/</code> (~400+ lines)
<strong>Assessment</strong>: Real WebSocket server</p>
<ul>
<li>gorilla/websocket concurrent session handling</li>
<li>JSON-RPC-like message format</li>
<li>Tool execution dispatch</li>
</ul>
<h3 id="cfg-001-configuration-management-verified-real">CFG-001:
Configuration Management (VERIFIED REAL)</h3>
<p><strong>File</strong>: <code>internal/config/</code> (~1700+ lines)
<strong>Assessment</strong>: Full Viper integration</p>
<ul>
<li>Environment variable binding (<code>HELIX_*</code>)</li>
<li>Config file search (<code>.</code>, <code>$HOME/.helixcode</code>,
<code>/etc/helixcode</code>)</li>
<li>Validation rules, default config creation</li>
<li><code>ConfigManager</code> for load/save/merge</li>
</ul>
<h3 id="qa-001-helixqa-integration-verified-real">QA-001: HelixQA
Integration (VERIFIED REAL)</h3>
<p><strong>Files</strong>: <code>internal/helixqa/</code>,
<code>internal/server/qa_handlers.go</code>,
<code>applications/terminal-ui/main.go</code>
<strong>Assessment</strong>: Full embedded QA engine with real session
lifecycle</p>
<ul>
<li><code>Engine</code> struct manages QA sessions with map +
sync.RWMutex</li>
<li><code>StartSession()</code>, <code>CancelSession()</code>,
<code>GetSession()</code>, <code>ListSessions()</code> with real state
tracking</li>
<li>REST API: <code>POST /api/v1/qa/session</code>,
<code>GET /api/v1/qa/session/:id/status</code>,
<code>GET /api/v1/qa/session/:id/report</code>,
<code>GET /api/v1/qa/session/:id/screenshot/:name</code>,
<code>DELETE /api/v1/qa/session/:id</code></li>
<li>CLI flags: <code>--qa-run</code>, <code>--qa-list</code>,
<code>--qa-report</code>, <code>--qa-screenshot</code>,
<code>--qa-cancel</code></li>
<li>TUI dashboard with session table, stats panel, refresh/cancel
actions</li>
<li>Screenshot pipeline: 8 platform engines (Linux, Web, iOS, Android,
CLI, TUI, macOS, Windows)</li>
<li>Tests: <code>internal/helixqa/wrapper_test.go</code>,
<code>internal/server/qa_handlers_test.go</code>,
<code>pkg/screenshot/*_test.go</code></li>
</ul>
<hr />
<h2 id="verified-bluff--stub-areas-must-fix">Verified Bluff &amp; Stub
Areas (MUST FIX)</h2>
<h3
id="bluff-001-llm-generation-is-simulated-in-legacy-cli-critical--fixed">BLUFF-001:
LLM Generation is Simulated in Legacy CLI (CRITICAL) — FIXED</h3>
<p><strong>File</strong>: <code>cmd/cli/main.go</code> lines ~236-284
<strong>Evidence</strong>: Previously returned
<code>fmt.Sprintf("Generated response for: %s...", prompt)</code>
without calling any provider. <strong>Fix</strong>:
<code>handleGenerate()</code> now constructs a real
<code>llm.LLMRequest</code> with user messages and calls
<code>provider.Generate()</code> /
<code>provider.GenerateStream()</code>. Errors are propagated to the
user if the provider is unavailable. <strong>Verification</strong>:
<code>go build -tags nogui ./cmd/cli/</code> compiles; provider call is
real (returns error if Ollama/etc. is not running). <strong>Fix
Priority</strong>: P0 — RESOLVED</p>
<h3
id="bluff-002-model-listing-is-hardcoded-in-legacy-cli-critical--fixed">BLUFF-002:
Model Listing is Hardcoded in Legacy CLI (CRITICAL) — FIXED</h3>
<p><strong>File</strong>: <code>cmd/cli/main.go</code> lines ~101-128
<strong>Evidence</strong>: Previously only 3 hardcoded models. No
dynamic discovery. <strong>Fix</strong>: Replaced with verifier-aware
<code>handleListModels()</code> that queries LLMsVerifier adapter first,
falls back to provider discovery, then to constitutional
<code>FallbackModels</code> (7 models with scores and verification
status). <strong>Verification</strong>:
<code>go test -v ./internal/verifier/...</code> passes;
<code>go build ./cmd/cli/...</code> compiles. <strong>Fix
Priority</strong>: P0 — RESOLVED</p>
<h3
id="bluff-003-command-execution-is-simulated-in-legacy-cli-high--fixed">BLUFF-003:
Command Execution is Simulated in Legacy CLI (HIGH) — FIXED</h3>
<p><strong>File</strong>: <code>cmd/cli/main.go</code> lines ~310-324
<strong>Evidence</strong>: Previously printed the command and slept for
1 second without executing anything. <strong>Fix</strong>:
<code>handleCommand()</code> uses
<code>exec.CommandContext(ctx, "sh", "-c", command)</code> with real
<code>os.Stdout</code>/<code>os.Stderr</code> redirection. Exit codes
are reported. <strong>Verification</strong>:
<code>go build -tags nogui ./cmd/cli/</code> compiles. <strong>Fix
Priority</strong>: P0 — RESOLVED</p>
<h3 id="stub-001-security-scanning-is-simulated">STUB-001: Security
Scanning is Simulated</h3>
<p><strong>File</strong>: <code>internal/security/security.go</code>
(~132 lines) <strong>Evidence</strong>: <code>ScanFeature()</code>
contains explicit "Simulate security scanning logic" comment. Always
returns <code>Success=true, Score=95</code> with empty issues.
<strong>Fix Priority</strong>: P1</p>
<h3
id="stub-002-memory-redismemcached-providers-store-locally">STUB-002:
Memory Redis/Memcached Providers Store Locally</h3>
<p><strong>File</strong>: <code>internal/memory/</code> (~1800+ lines)
<strong>Evidence</strong>: <code>RedisMemoryProvider</code> and
<code>MemcachedMemoryProvider</code> store data in local maps with
comments like "Redis client would be used in production." Connection
config is parsed but not used. <strong>Fix Priority</strong>: P2</p>
<h3
id="stub-003-security-test-entry-point-is-entirely-simulated">STUB-003:
Security-Test Entry Point is Entirely Simulated</h3>
<p><strong>File</strong>: <code>cmd/security-test/main.go</code>
<strong>Evidence</strong>: Hardcoded list of 12 simulated security
tests. <code>simulateSecurityScan()</code> returns pre-canned issue
lists per category. <strong>Fix Priority</strong>: P2</p>
<h3 id="stub-004-several-helix-subcommands-are-print-only">STUB-004:
Several <code>helix</code> Subcommands are Print-Only</h3>
<p><strong>File</strong>: <code>cmd/other_commands.go</code>
<strong>Evidence</strong>: <code>server</code>, <code>generate</code>,
<code>test</code>, <code>worker</code>, <code>notify</code> commands are
stubbed (print placeholder messages). <strong>Fix Priority</strong>:
P2</p>
<h3
id="stub-005-several-helix-config-subcommands-are-placeholders">STUB-005:
Several <code>helix-config</code> Subcommands are Placeholders</h3>
<p><strong>File</strong>: <code>cmd/helix-config/main.go</code>
<strong>Evidence</strong>: Many template/history/schema subcommands
print placeholder messages. <strong>Fix Priority</strong>: P3</p>
<h3
id="bluff-004-llmsverifier-integration-is-stubbed-or-bypassed-critical">BLUFF-004:
LLMsVerifier Integration is Stubbed or Bypassed (CRITICAL)</h3>
<p><strong>File Pattern</strong>: <code>internal/verifier/*.go</code>
containing empty structs, <code>// TODO</code>, or methods that return
hardcoded data instead of calling the verifier.
<strong>Evidence</strong>:</p>
<ul>
<li><code>VerificationService</code> methods return hardcoded
<code>VerificationResult{OverallScore: 8.5}</code> instead of querying
the verifier database</li>
<li><code>ModelDiscoveryService</code> returns an empty slice instead of
calling provider APIs</li>
<li>The verifier client returns fallback models without attempting a
real HTTP call <strong>Fix Priority</strong>: P0 - Immediate
<strong>Verification Command</strong>:</li>
</ul>
<div class="sourceCode" id="cb4"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-verifier-integration</span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="co"># This MUST pass with real verifier data, not mocked scores</span></span></code></pre></div>
<h3
id="bluff-005-provider-discovery-uses-hardcoded-env-var-names-high">BLUFF-005:
Provider Discovery Uses Hardcoded Env Var Names (HIGH)</h3>
<p><strong>File Pattern</strong>:
<code>internal/verifier/startup.go</code> or provider adapter files
containing hardcoded strings like <code>"OPENAI_API_KEY"</code> without
checking <code>SupportedProviders[provider].EnvVars</code>. <strong>Fix
Priority</strong>: P1 - High</p>
<h3 id="bluff-006-model-capabilities-are-hardcoded-high">BLUFF-006:
Model Capabilities Are Hardcoded (HIGH)</h3>
<p><strong>File Pattern</strong>: <code>internal/llm/*.go</code>
containing <code>SupportsToolUse: true</code> as a struct literal for
specific models, or <code>Provider.GetCapabilities()</code> returning a
static slice. <strong>Fix Priority</strong>: P1 - High
<strong>Constitutional Impact</strong>: Violates CONST-041
(MCP/LSP/ACP/Embedding/RAG/Skills/Plugins Integration Mandate).</p>
<h3
id="bluff-007-test-claims-integration-but-uses-mocked-verifier-critical">BLUFF-007:
Test Claims Integration But Uses Mocked Verifier (CRITICAL)</h3>
<p><strong>File Pattern</strong>: <code>*_test.go</code> files with
<code>testify/mock</code> or <code>testMode: true</code> in non-unit
test files. <strong>Fix Priority</strong>: P0 - Immediate
<strong>Constitutional Impact</strong>: Violates CONST-038 (Model
Provider Anti-Bluff Guarantee) and CONST-035 (Zero-Bluff Testing).</p>
<h3 id="bluff-008-scoring-weights-do-not-sum-to-10-medium">BLUFF-008:
Scoring Weights Do Not Sum to 1.0 (MEDIUM)</h3>
<p><strong>File Pattern</strong>: <code>configs/verifier.yaml</code> or
<code>internal/verifier/config.go</code> where scoring weights are
misconfigured. <strong>Fix Priority</strong>: P2 - Medium</p>
<h3
id="bluff-009-metrics-endpoint-returns-hardcoded-zeros-critical--fixed">BLUFF-009:
<code>/metrics</code> Endpoint Returns Hardcoded Zeros (CRITICAL) —
FIXED</h3>
<p><strong>File</strong>: <code>internal/server/handlers.go</code> lines
~834-855 <strong>Evidence</strong>: All dynamic metrics (goroutines,
memory, database connections) were hardcoded to <code>0</code>.
<strong>Fix</strong>: <code>getMetrics()</code> now calls
<code>runtime.ReadMemStats()</code>,
<code>runtime.NumGoroutine()</code>, and <code>s.db.Pool.Stat()</code>
to return real values. <strong>Fix Priority</strong>: P0 — RESOLVED</p>
<h3
id="bluff-010-multi-edit-conflict-detection-is-a-no-op-high--fixed">BLUFF-010:
Multi-Edit Conflict Detection is a No-Op (HIGH) — FIXED</h3>
<p><strong>File</strong>:
<code>internal/tools/multiedit/transaction.go</code> lines ~352-369
<strong>Evidence</strong>: <code>detectFileConflict()</code> always
returned <code>nil, nil</code> with comment "For now, we'll assume no
conflicts." <strong>Fix</strong>: Implemented real conflict detection —
reads the file from disk, computes SHA-256, and compares against the
<code>Checksum</code> field. Returns <code>ConflictModified</code> or
<code>ConflictDeleted</code> when appropriate. <strong>Fix
Priority</strong>: P1 — RESOLVED</p>
<hr />
<h2 id="configuration-management">Configuration Management</h2>
<h3 id="primary-configuration">Primary Configuration</h3>
<p>Main config at <code>config/config.yaml</code>:</p>
<div class="sourceCode" id="cb5"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="fu">server</span><span class="kw">:</span></span>
<span id="cb5-2"><a href="#cb5-2" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">address</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;0.0.0.0&quot;</span></span>
<span id="cb5-3"><a href="#cb5-3" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="dv">8080</span></span>
<span id="cb5-4"><a href="#cb5-4" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">read_timeout</span><span class="kw">:</span><span class="at"> </span><span class="dv">30</span></span>
<span id="cb5-5"><a href="#cb5-5" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">write_timeout</span><span class="kw">:</span><span class="at"> </span><span class="dv">30</span></span>
<span id="cb5-6"><a href="#cb5-6" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">idle_timeout</span><span class="kw">:</span><span class="at"> </span><span class="dv">300</span></span>
<span id="cb5-7"><a href="#cb5-7" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">shutdown_timeout</span><span class="kw">:</span><span class="at"> </span><span class="dv">30</span></span>
<span id="cb5-8"><a href="#cb5-8" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-9"><a href="#cb5-9" aria-hidden="true" tabindex="-1"></a><span class="fu">database</span><span class="kw">:</span></span>
<span id="cb5-10"><a href="#cb5-10" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">host</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;&quot;</span><span class="co">          # Empty string disables PostgreSQL</span></span>
<span id="cb5-11"><a href="#cb5-11" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="dv">5432</span></span>
<span id="cb5-12"><a href="#cb5-12" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">user</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;helix&quot;</span></span>
<span id="cb5-13"><a href="#cb5-13" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">password</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;${HELIX_DATABASE_PASSWORD}&quot;</span></span>
<span id="cb5-14"><a href="#cb5-14" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">dbname</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;helixcode_prod&quot;</span></span>
<span id="cb5-15"><a href="#cb5-15" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">sslmode</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;disable&quot;</span></span>
<span id="cb5-16"><a href="#cb5-16" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-17"><a href="#cb5-17" aria-hidden="true" tabindex="-1"></a><span class="fu">redis</span><span class="kw">:</span></span>
<span id="cb5-18"><a href="#cb5-18" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">host</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;redis&quot;</span></span>
<span id="cb5-19"><a href="#cb5-19" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="dv">6379</span></span>
<span id="cb5-20"><a href="#cb5-20" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">password</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;${HELIX_REDIS_PASSWORD}&quot;</span></span>
<span id="cb5-21"><a href="#cb5-21" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">db</span><span class="kw">:</span><span class="at"> </span><span class="dv">0</span></span>
<span id="cb5-22"><a href="#cb5-22" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">enabled</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb5-23"><a href="#cb5-23" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-24"><a href="#cb5-24" aria-hidden="true" tabindex="-1"></a><span class="fu">auth</span><span class="kw">:</span></span>
<span id="cb5-25"><a href="#cb5-25" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">jwt_secret</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;${HELIX_AUTH_JWT_SECRET}&quot;</span></span>
<span id="cb5-26"><a href="#cb5-26" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">token_expiry</span><span class="kw">:</span><span class="at"> </span><span class="dv">86400</span></span>
<span id="cb5-27"><a href="#cb5-27" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">session_expiry</span><span class="kw">:</span><span class="at"> </span><span class="dv">604800</span></span>
<span id="cb5-28"><a href="#cb5-28" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">bcrypt_cost</span><span class="kw">:</span><span class="at"> </span><span class="dv">12</span></span>
<span id="cb5-29"><a href="#cb5-29" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-30"><a href="#cb5-30" aria-hidden="true" tabindex="-1"></a><span class="fu">workers</span><span class="kw">:</span></span>
<span id="cb5-31"><a href="#cb5-31" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">health_check_interval</span><span class="kw">:</span><span class="at"> </span><span class="dv">30</span></span>
<span id="cb5-32"><a href="#cb5-32" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">health_ttl</span><span class="kw">:</span><span class="at"> </span><span class="dv">120</span></span>
<span id="cb5-33"><a href="#cb5-33" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">max_concurrent_tasks</span><span class="kw">:</span><span class="at"> </span><span class="dv">10</span></span>
<span id="cb5-34"><a href="#cb5-34" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-35"><a href="#cb5-35" aria-hidden="true" tabindex="-1"></a><span class="fu">tasks</span><span class="kw">:</span></span>
<span id="cb5-36"><a href="#cb5-36" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">max_retries</span><span class="kw">:</span><span class="at"> </span><span class="dv">3</span></span>
<span id="cb5-37"><a href="#cb5-37" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">checkpoint_interval</span><span class="kw">:</span><span class="at"> </span><span class="dv">300</span></span>
<span id="cb5-38"><a href="#cb5-38" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">cleanup_interval</span><span class="kw">:</span><span class="at"> </span><span class="dv">3600</span></span>
<span id="cb5-39"><a href="#cb5-39" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-40"><a href="#cb5-40" aria-hidden="true" tabindex="-1"></a><span class="fu">llm</span><span class="kw">:</span></span>
<span id="cb5-41"><a href="#cb5-41" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">default_provider</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;local&quot;</span></span>
<span id="cb5-42"><a href="#cb5-42" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">max_tokens</span><span class="kw">:</span><span class="at"> </span><span class="dv">4096</span></span>
<span id="cb5-43"><a href="#cb5-43" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">temperature</span><span class="kw">:</span><span class="at"> </span><span class="fl">0.7</span></span>
<span id="cb5-44"><a href="#cb5-44" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">timeout</span><span class="kw">:</span><span class="at"> </span><span class="dv">30</span></span>
<span id="cb5-45"><a href="#cb5-45" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">max_retries</span><span class="kw">:</span><span class="at"> </span><span class="dv">3</span></span>
<span id="cb5-46"><a href="#cb5-46" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">providers</span><span class="kw">:</span></span>
<span id="cb5-47"><a href="#cb5-47" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">&lt;name&gt;</span><span class="kw">:</span></span>
<span id="cb5-48"><a href="#cb5-48" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">type</span><span class="kw">:</span><span class="at"> &lt;provider-type&gt;</span></span>
<span id="cb5-49"><a href="#cb5-49" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">endpoint</span><span class="kw">:</span><span class="at"> &lt;url&gt;</span></span>
<span id="cb5-50"><a href="#cb5-50" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">enabled</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb5-51"><a href="#cb5-51" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">parameters</span><span class="kw">:</span></span>
<span id="cb5-52"><a href="#cb5-52" aria-hidden="true" tabindex="-1"></a><span class="at">        </span><span class="fu">timeout</span><span class="kw">:</span><span class="at"> </span><span class="fl">30.0</span></span>
<span id="cb5-53"><a href="#cb5-53" aria-hidden="true" tabindex="-1"></a><span class="at">        </span><span class="fu">max_retries</span><span class="kw">:</span><span class="at"> </span><span class="dv">3</span></span>
<span id="cb5-54"><a href="#cb5-54" aria-hidden="true" tabindex="-1"></a><span class="at">        </span><span class="fu">streaming_support</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb5-55"><a href="#cb5-55" aria-hidden="true" tabindex="-1"></a><span class="at">        </span><span class="fu">api_key</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;&quot;</span></span>
<span id="cb5-56"><a href="#cb5-56" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">selection</span><span class="kw">:</span></span>
<span id="cb5-57"><a href="#cb5-57" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">strategy</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;performance&quot;</span></span>
<span id="cb5-58"><a href="#cb5-58" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">fallback_enabled</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb5-59"><a href="#cb5-59" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">health_check_interval</span><span class="kw">:</span><span class="at"> </span><span class="dv">30</span></span>
<span id="cb5-60"><a href="#cb5-60" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-61"><a href="#cb5-61" aria-hidden="true" tabindex="-1"></a><span class="fu">logging</span><span class="kw">:</span></span>
<span id="cb5-62"><a href="#cb5-62" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">level</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;info&quot;</span></span>
<span id="cb5-63"><a href="#cb5-63" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">format</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;text&quot;</span></span>
<span id="cb5-64"><a href="#cb5-64" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">output</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;stdout&quot;</span></span>
<span id="cb5-65"><a href="#cb5-65" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb5-66"><a href="#cb5-66" aria-hidden="true" tabindex="-1"></a><span class="fu">notifications</span><span class="kw">:</span></span>
<span id="cb5-67"><a href="#cb5-67" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">enabled</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb5-68"><a href="#cb5-68" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">rules</span><span class="kw">:</span></span>
<span id="cb5-69"><a href="#cb5-69" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;...&quot;</span></span>
<span id="cb5-70"><a href="#cb5-70" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">condition</span><span class="kw">:</span><span class="at"> </span><span class="st">&quot;type==error&quot;</span></span>
<span id="cb5-71"><a href="#cb5-71" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">channels</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">&quot;slack&quot;</span><span class="kw">,</span><span class="at"> </span><span class="st">&quot;email&quot;</span><span class="kw">]</span></span>
<span id="cb5-72"><a href="#cb5-72" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">priority</span><span class="kw">:</span><span class="at"> urgent</span></span>
<span id="cb5-73"><a href="#cb5-73" aria-hidden="true" tabindex="-1"></a><span class="at">      </span><span class="fu">enabled</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb5-74"><a href="#cb5-74" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="fu">channels</span><span class="kw">:</span></span>
<span id="cb5-75"><a href="#cb5-75" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">slack</span><span class="kw">:</span><span class="at"> </span><span class="kw">{</span><span class="at"> enabled</span><span class="kw">,</span><span class="at"> webhook_url</span><span class="kw">,</span><span class="at"> channel</span><span class="kw">,</span><span class="at"> username</span><span class="kw">,</span><span class="at"> timeout </span><span class="kw">}</span></span>
<span id="cb5-76"><a href="#cb5-76" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">telegram</span><span class="kw">:</span><span class="at"> </span><span class="kw">{</span><span class="at"> enabled</span><span class="kw">,</span><span class="at"> bot_token</span><span class="kw">,</span><span class="at"> chat_id</span><span class="kw">,</span><span class="at"> timeout </span><span class="kw">}</span></span>
<span id="cb5-77"><a href="#cb5-77" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">email</span><span class="kw">:</span><span class="at"> </span><span class="kw">{</span><span class="at"> enabled</span><span class="kw">,</span><span class="at"> </span><span class="fu">smtp</span><span class="kw">:</span><span class="at"> </span><span class="kw">{</span><span class="at"> server</span><span class="kw">,</span><span class="at"> port</span><span class="kw">,</span><span class="at"> username</span><span class="kw">,</span><span class="at"> password</span><span class="kw">,</span><span class="at"> tls </span><span class="kw">},</span><span class="at"> recipients</span><span class="kw">,</span><span class="at"> timeout </span><span class="kw">}</span></span>
<span id="cb5-78"><a href="#cb5-78" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">discord</span><span class="kw">:</span><span class="at"> </span><span class="kw">{</span><span class="at"> enabled</span><span class="kw">,</span><span class="at"> webhook_url</span><span class="kw">,</span><span class="at"> timeout </span><span class="kw">}</span></span></code></pre></div>
<h3 id="environment-variables">Environment Variables</h3>
<p><strong>Required for Production</strong>:</p>
<ul>
<li><code>HELIX_DATABASE_PASSWORD</code></li>
<li><code>HELIX_AUTH_JWT_SECRET</code></li>
<li><code>HELIX_REDIS_PASSWORD</code></li>
</ul>
<p><strong>LLM Provider Keys</strong> (as needed):</p>
<ul>
<li><code>OPENAI_API_KEY</code>, <code>ANTHROPIC_API_KEY</code>,
<code>GEMINI_API_KEY</code>, <code>XAI_API_KEY</code>,
<code>DEEPSEEK_API_KEY</code>, <code>GROQ_API_KEY</code>,
<code>MISTRAL_API_KEY</code>, <code>COHERE_API_KEY</code>,
<code>AZURE_OPENAI_API_KEY</code>, <code>AWS_ACCESS_KEY_ID</code> /
<code>AWS_SECRET_ACCESS_KEY</code></li>
</ul>
<p><strong>Notification Integrations</strong>:</p>
<ul>
<li><code>HELIX_SLACK_WEBHOOK_URL</code></li>
<li><code>HELIX_TELEGRAM_BOT_TOKEN</code>,
<code>HELIX_TELEGRAM_CHAT_ID</code></li>
<li><code>HELIX_EMAIL_SMTP_SERVER</code>,
<code>HELIX_EMAIL_USERNAME</code>,
<code>HELIX_EMAIL_PASSWORD</code></li>
<li><code>HELIX_DISCORD_WEBHOOK_URL</code></li>
</ul>
<hr />
<h2 id="testing-strategy">Testing Strategy</h2>
<h3 id="test-categories">Test Categories</h3>
<ol type="1">
<li><strong>Unit tests</strong>: Mocks allowed, <code>*_test.go</code>,
<code>-short</code> flag</li>
<li><strong>Contract tests</strong>: Real API schemas, no mocks</li>
<li><strong>Component tests</strong>: Real subsystems wired
together</li>
<li><strong>Integration tests</strong>: Full app with real dependencies
(<code>-tags=integration</code>)</li>
<li><strong>E2E challenges</strong>: Complete user workflows against
real LLM APIs</li>
<li><strong>Security tests</strong>: OWASP compliance</li>
<li><strong>Performance tests</strong>: Benchmarks</li>
<li><strong>Automation tests</strong>: Provider/hardware automation
(<code>-tags=automation</code>)</li>
<li><strong>Load tests</strong>: Stress testing</li>
</ol>
<h3 id="anti-bluff-testing-rules">Anti-Bluff Testing Rules</h3>
<ul>
<li>Unit tests: Mocks OK</li>
<li><strong>ALL other tests: Real infrastructure ONLY</strong></li>
<li>Every PASS guarantees <strong>Quality + Completion +
Usability</strong></li>
<li>Challenges fail on simulated/stubbed behavior</li>
<li>No bare <code>t.Skip()</code> without
<code>SKIP-OK: #&lt;ticket&gt;</code> marker</li>
</ul>
<h3 id="docker-test-infrastructure">Docker Test Infrastructure</h3>
<ul>
<li><code>docker-compose.test.yml</code>: PostgreSQL 16, Redis 7,
Memcached, Cognee, ChromaDB, Qdrant, Ollama, Prometheus, Grafana</li>
<li><code>docker-compose.full-test.yml</code>: Complete stack with
mock-LLM server, Selenium, ChromeDP, SSH server + 3 workers, Cognee,
Weaviate, mock-Slack, multicast router</li>
</ul>
<h3 id="challenge-framework-testse2echallenges">Challenge Framework
(<code>tests/e2e/challenges/</code>)</h3>
<p>The most rigorous test system validates HelixCode by having it
<strong>generate real projects</strong> and testing them:</p>
<ul>
<li><strong>Challenge Definitions</strong>: JSON specs (ASCII art
generator, CLI task manager, JSON validator, notes API, tic-tac-toe TUI,
URL shortener)</li>
<li><strong>Execution Flow</strong>: Load spec → Call real LLM API →
Parse generated code → Compile → Test → Runtime validation</li>
<li><strong>Validation Layers</strong>: Directory structure, code
quality, compilation, testing, functionality, runtime validation with
diverse data</li>
<li><strong>Test Matrix</strong>: Supports CLI, TUI, REST, WebSocket
interfaces across 15+ providers and worker pool distributions</li>
</ul>
<h3 id="test-scripts-summary">Test Scripts Summary</h3>
<div class="sourceCode" id="cb6"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Basic</span></span>
<span id="cb6-2"><a href="#cb6-2" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> HelixCode <span class="kw">&amp;&amp;</span> <span class="fu">make</span> test</span>
<span id="cb6-3"><a href="#cb6-3" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb6-4"><a href="#cb6-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Full infrastructure (recommended for validation)</span></span>
<span id="cb6-5"><a href="#cb6-5" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-infra-up</span>
<span id="cb6-6"><a href="#cb6-6" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-complete</span>
<span id="cb6-7"><a href="#cb6-7" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-infra-down</span>
<span id="cb6-8"><a href="#cb6-8" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb6-9"><a href="#cb6-9" aria-hidden="true" tabindex="-1"></a><span class="co"># Individual categories</span></span>
<span id="cb6-10"><a href="#cb6-10" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-unit-full</span>
<span id="cb6-11"><a href="#cb6-11" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-integration-full</span>
<span id="cb6-12"><a href="#cb6-12" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-e2e-full</span>
<span id="cb6-13"><a href="#cb6-13" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-security-full</span>
<span id="cb6-14"><a href="#cb6-14" aria-hidden="true" tabindex="-1"></a><span class="fu">make</span> test-load-full</span>
<span id="cb6-15"><a href="#cb6-15" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb6-16"><a href="#cb6-16" aria-hidden="true" tabindex="-1"></a><span class="co"># Legacy scripts</span></span>
<span id="cb6-17"><a href="#cb6-17" aria-hidden="true" tabindex="-1"></a><span class="ex">./run_tests.sh</span> <span class="at">--all</span></span>
<span id="cb6-18"><a href="#cb6-18" aria-hidden="true" tabindex="-1"></a><span class="ex">./run_all_tests.sh</span></span>
<span id="cb6-19"><a href="#cb6-19" aria-hidden="true" tabindex="-1"></a><span class="ex">./run_integration_tests.sh</span></span></code></pre></div>
<hr />
<h2 id="docker-deployment">Docker Deployment</h2>
<h3 id="production-docker-composeyml">Production
(<code>docker-compose.yml</code>)</h3>
<p>Services: helixcode-server (8080, 2222), postgres:15, redis:7, nginx
(80, 443), prometheus (9090), grafana (3000)</p>
<h3 id="quick-start">Quick Start</h3>
<div class="sourceCode" id="cb7"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="bu">cd</span> HelixCode</span>
<span id="cb7-2"><a href="#cb7-2" aria-hidden="true" tabindex="-1"></a><span class="fu">cp</span> .env.example .env</span>
<span id="cb7-3"><a href="#cb7-3" aria-hidden="true" tabindex="-1"></a><span class="co"># Edit .env with secure passwords</span></span>
<span id="cb7-4"><a href="#cb7-4" aria-hidden="true" tabindex="-1"></a><span class="ex">docker</span> compose up <span class="at">-d</span></span>
<span id="cb7-5"><a href="#cb7-5" aria-hidden="true" tabindex="-1"></a><span class="ex">docker</span> compose ps</span>
<span id="cb7-6"><a href="#cb7-6" aria-hidden="true" tabindex="-1"></a><span class="ex">curl</span> http://localhost/health</span></code></pre></div>
<h3 id="other-compose-files">Other Compose Files</h3>
<table>
<thead>
<tr>
<th>File</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>docker-compose-simple.yml</code></td>
<td>Minimal dev (postgres + redis only)</td>
</tr>
<tr>
<td><code>docker-compose.test.yml</code></td>
<td>Integration/E2E testing stack</td>
</tr>
<tr>
<td><code>docker-compose.full-test.yml</code></td>
<td>Zero-skip full test infrastructure</td>
</tr>
<tr>
<td><code>docker-compose.aurora-os.yml</code></td>
<td>Security-focused Aurora OS platform</td>
</tr>
<tr>
<td><code>docker-compose.harmony-os.yml</code></td>
<td>Distributed Harmony OS platform</td>
</tr>
<tr>
<td><code>docker-compose.specialized-platforms.yml</code></td>
<td>Combined Aurora + Harmony</td>
</tr>
<tr>
<td><code>docker/docker-compose.yml</code></td>
<td>Extended full-stack with Milvus, Elasticsearch, MLflow, Jaeger,
Jupyter, Portainer</td>
</tr>
</tbody>
</table>
<h3 id="deployment-patterns">Deployment Patterns</h3>
<ul>
<li>Healthchecks on every service</li>
<li>Docker profiles: <code>monitoring</code>, <code>distributed</code>,
<code>with-redis</code>, <code>production</code>, <code>dev</code>,
<code>server</code></li>
<li>Isolated bridge networks per deployment</li>
<li>Named persistent volumes for all stateful services</li>
<li><code>.env</code> file for secrets</li>
</ul>
<hr />
<h2 id="code-style--development-conventions">Code Style &amp;
Development Conventions</h2>
<h3 id="go-conventions">Go Conventions</h3>
<ul>
<li>Standard Go formatting: <code>go fmt ./...</code></li>
<li>Linting: <code>golangci-lint run ./...</code> (timeout 10m in
CI)</li>
<li>Vet: <code>go vet ./...</code></li>
<li>Table-driven tests with <code>t.Run()</code> subtests</li>
<li>Build tags for integration/automation tests:
<code>//go:build integration</code></li>
</ul>
<h3 id="project-conventions">Project Conventions</h3>
<ul>
<li><strong>Always work from <code>helix_code/</code>
subdirectory</strong></li>
<li><strong>Generate logo assets before first build</strong>:
<code>make logo-assets</code></li>
<li><strong>Database/Redis optional</strong>: Disable by setting
<code>database.host: ""</code></li>
<li><strong>Environment variables override config file</strong></li>
<li>Use <code>internal/</code> for all core packages; no
<code>pkg/</code> directory in active use</li>
<li>Error handling: explicit, no silent failures</li>
<li>Concurrent access: use <code>sync.RWMutex</code> or channel
patterns</li>
</ul>
<h3 id="api-conventions">API Conventions</h3>
<ul>
<li>REST API documented in <code>api/openapi.yaml</code> (OpenAPI
3.0.3)</li>
<li>Base path: <code>/api/v1</code></li>
<li>Authentication: Bearer JWT via <code>Authorization</code>
header</li>
<li>Health endpoint: <code>GET /health</code> (no auth required)</li>
</ul>
<hr />
<h2 id="security-considerations">Security Considerations</h2>
<h3 id="verified-security-features">Verified Security Features</h3>
<ul>
<li>Password hashing: bcrypt (cost 12) with argon2 fallback</li>
<li>JWT with constant-time comparison</li>
<li>CORS middleware, security headers (X-Frame-Options, CSP, HSTS)</li>
<li>Rate limiting support in production config</li>
<li>Session timeout, concurrent session limits, IP binding options</li>
<li>Workflow <code>isDangerousCommand()</code> filter blocks rm, dd,
mkfs, fork bombs, etc.</li>
<li>Input validation in auth and server packages</li>
</ul>
<h3 id="security-testing">Security Testing</h3>
<ul>
<li><code>security/security_test.go</code>: OWASP Top 10, SAST, DAST,
credential scanning, TLS enforcement, input validation (path traversal,
XSS, SQL injection, command injection, SSRF)</li>
<li>File permission checks (0600 for configs)</li>
</ul>
<h3 id="known-security-stubs">Known Security Stubs</h3>
<ul>
<li><code>internal/security/security.go</code>: Simulated scanning
(always returns clean)</li>
<li><code>cmd/security-test/main.go</code>: Entirely simulated security
tests</li>
</ul>
<h3 id="production-hardening">Production Hardening</h3>
<ul>
<li>Use <code>HELIX_AUTH_JWT_SECRET</code> with high entropy</li>
<li>Enable PostgreSQL SSL in production</li>
<li>Enable Redis authentication</li>
<li>Configure CORS <code>allowed_origins</code> explicitly</li>
<li>Enable audit logging</li>
<li>Set <code>bcrypt_cost: 14</code> in production</li>
</ul>
<hr />
<h2 id="universal-mandatory-constraints">Universal Mandatory
Constraints</h2>
<h3 id="hard-stops-permanent-non-negotiable">Hard Stops (permanent,
non-negotiable)</h3>
<ol type="1">
<li><strong>NO CI/CD pipelines</strong> (Note: existing workflow files
in <code>.github/workflows/</code> are legacy and must not be
expanded)</li>
<li><strong>NO HTTPS for Git</strong> (SSH only)</li>
<li><strong>NO manual container commands</strong>
(orchestrator-owned)</li>
</ol>
<h3 id="mandatory-development-standards">Mandatory Development
Standards</h3>
<ol type="1">
<li><strong>100% Test Coverage</strong> (unit, integration, E2E,
automation, security, benchmark)</li>
<li><strong>Challenge Coverage</strong> (every component)</li>
<li><strong>Real Data</strong> (actual API calls, real DB, live
services)</li>
<li><strong>Health &amp; Observability</strong> (health endpoints,
circuit breakers)</li>
<li><strong>Documentation &amp; Quality</strong> (update docs with code
changes)</li>
<li><strong>Validation Before Release</strong> (full suite + all
challenges)</li>
<li><strong>No Mocks in Production</strong></li>
<li><strong>Comprehensive Verification</strong> (runtime, compile,
structure, dependencies, compatibility)</li>
<li><strong>Resource Limits</strong> (30-40% of host resources max)</li>
<li><strong>Bugfix Documentation</strong> (root cause, affected files,
fix, verification link)</li>
<li><strong>Real Infrastructure for All Non-Unit Tests</strong></li>
<li><strong>Reproduction-Before-Fix</strong> (Challenge first, then
fix)</li>
<li><strong>Concurrent-Safe Collections</strong></li>
</ol>
<h3 id="definition-of-done">Definition of Done</h3>
<p>A change is NOT done because code compiles. "Done" requires:</p>
<ul>
<li>Pasted terminal output from a real run</li>
<li>No self-certification words without evidence</li>
<li>Demo commands that run against real artifacts</li>
<li>Loud skips with <code>SKIP-OK: #&lt;ticket&gt;</code> markers</li>
</ul>
<hr />
<h2 id="const-035--end-user-usability-mandate">CONST-035 — End-User
Usability Mandate</h2>
<p>A test or Challenge that PASSES is a CLAIM that the tested behavior
<strong>works for the end user of the product</strong>.</p>
<p>The HelixAgent project has repeatedly hit the failure mode where
every test ran green AND every Challenge reported PASS, yet most product
features did not actually work — buggy challenge wrappers masked failed
assertions, scripts checked file existence without executing the file,
"reachability" tests tolerated timeouts, contracts were honest in
advertising but broken in dispatch. <strong>This MUST NOT recur in
HelixCode.</strong></p>
<p>Every PASS result MUST guarantee: a. <strong>Quality</strong> —
correct behavior under real inputs, edge cases, concurrency b.
<strong>Completion</strong> — wired end-to-end with no stub/placeholder
gaps c. <strong>Full usability</strong> — a user following documentation
succeeds</p>
<p>A passing test that doesn't certify all three is a
<strong>bluff</strong> and MUST be tightened.</p>
<h3 id="bluff-taxonomy-each-pattern-observed-and-now-forbidden">Bluff
Taxonomy (each pattern observed and now forbidden)</h3>
<ul>
<li><strong>Wrapper bluff</strong> — assertions PASS but wrapper's
exit-code logic is buggy</li>
<li><strong>Contract bluff</strong> — system advertises capability but
rejects it in dispatch</li>
<li><strong>Structural bluff</strong> — file exists but doesn't contain
working code</li>
<li><strong>Comment bluff</strong> — comment promises behavior code
doesn't have</li>
<li><strong>Skip bluff</strong> — <code>t.Skip("not running yet")</code>
without <code>SKIP-OK: #&lt;ticket&gt;</code> marker</li>
</ul>
<p>The taxonomy is illustrative, not exhaustive. Every Challenge or test
added going forward MUST pass an honest self-review against this
taxonomy before being committed.</p>
<h2
id="constitutional-anchors-cascaded-from-constitutionmd">Constitutional
anchors (cascaded from <code>CONSTITUTION.md</code>)</h2>
<h3 id="article-xi-119--anti-bluff-forensic-anchor">Article XI §11.9 —
Anti-Bluff Forensic Anchor</h3>
<blockquote>
<p>Verbatim user mandate: <em>"We had been in position that all tests do
execute with success and all Challenges as well, but in reality the most
of the features does not work and can't be used! This MUST NOT be the
case and execution of tests and Challenges MUST guarantee the quality,
the completion and full usability by end users of the product!"</em></p>
<p>Operative rule: <strong>The bar for shipping is not "tests pass" but
"users can use the feature."</strong> Every PASS in this codebase MUST
carry positive runtime evidence captured during execution. Metadata-only
/ configuration-only / absence-of-error / grep-based PASS without
runtime evidence are critical defects regardless of how green the
summary line looks. No false-success results are tolerable.</p>
</blockquote>
<h3 id="article-xii-121-const-042--no-secret-leak">Article XII §12.1
(CONST-042) — No-Secret-Leak</h3>
<p>No API key, token, password, certificate, or other credential may be
committed to any repository owned by HelixDevelopment or vasic-digital.
All secrets live in <code>.env</code> files (mode 0600) listed in
<code>.gitignore</code>. Any leak is a release blocker until rotated and
post-mortemed.</p>
<h3 id="article-xii-122-const-043--no-force-push">Article XII §12.2
(CONST-043) — No-Force-Push</h3>
<p>No force push, force-with-lease push, history rewrite, branch
deletion of <code>main</code>/<code>master</code>, or
upstream-overwriting operation may be performed without explicit,
in-conversation user approval per operation. Authorization for one push
does not extend further. Bypassing hooks / signing / protected-branch
rules also requires explicit approval.</p>
<hr />
<h2
id="const-036-llmsverifier-single-source-of-truth-mandate">CONST-036:
LLMsVerifier Single Source of Truth Mandate</h2>
<p><strong>Rule</strong>: LLMsVerifier SHALL BE the sole authoritative
source for:</p>
<ol type="1">
<li>All model metadata (names, IDs, context windows, capabilities)</li>
<li>All provider metadata (endpoints, auth types, supported models)</li>
<li>All verification status (verified, partial, failed, pending)</li>
<li>All scoring data (overall scores, capability scores, tier
rankings)</li>
</ol>
<p><strong>Prohibition</strong>: NO hardcoded model lists, NO hardcoded
provider lists, NO simulated model discovery. Any code path that
presents a model or provider listing to a user MUST fetch that listing
from the LLMsVerifier subsystem or its cached replica.</p>
<p><strong>Anti-Bluff Verification</strong>:</p>
<ul>
<li>Challenge script
<code>challenges/scripts/verifier_hardcode_check.sh</code> scans all Go
source files for hardcoded model arrays.</li>
<li>The only permitted hardcoded data is the 7-entry fallback list in
<code>internal/verifier/fallback_models.go</code>.</li>
</ul>
<hr />
<h2 id="const-037-model-provider-anti-bluff-guarantee">CONST-037: Model
Provider Anti-Bluff Guarantee</h2>
<p><strong>Rule</strong>: Every model displayed to an end user MUST have
been verified by LLMsVerifier within the last 24h. Models older than
this MUST display a "stale" indicator and be deprioritized.</p>
<p><strong>Anti-Bluff Testing</strong>:</p>
<ul>
<li>Unit tests MAY mock the verifier client.</li>
<li>Integration tests MUST start the verifier server and perform real
provider discovery.</li>
<li>The Makefile target <code>make test-verifier-integration</code> MUST
exist and run without mocks.</li>
</ul>
<hr />
<h2 id="const-038-real-time-model-status-accuracy">CONST-038: Real-Time
Model Status Accuracy</h2>
<p><strong>Rule</strong>: Model status (available, rate-limited,
cooldown, offline, deprecated) displayed to users MUST reflect the
actual state as known by LLMsVerifier within 60 seconds.</p>
<p><strong>Polling vs. Push</strong>:</p>
<ul>
<li>If WebSocket/SSE push is unavailable, the system MUST poll
LLMsVerifier at most every 60s.</li>
<li>The TUI MUST display a "last updated" timestamp with every model
listing.</li>
<li>Models in "cooldown" or "rate-limited" state MUST show the estimated
recovery time if known.</li>
</ul>
<hr />
<h2
id="const-039-all-providers-and-models-integration-mandate">CONST-039:
All Providers and Models Integration Mandate</h2>
<p><strong>Rule</strong>: HelixCode MUST integrate with ALL providers
that LLMsVerifier supports, subject only to:</p>
<ol type="1">
<li>The provider being explicitly disabled in configuration
(<code>enabled: false</code>)</li>
<li>The API key being absent and the provider requiring one</li>
<li>The provider being marked <code>deprecated</code> in the verifier
database</li>
</ol>
<p><strong>Minimum Provider Set</strong> (SHALL NOT be reduced without
constitutional amendment): OpenAI, Anthropic, Gemini, DeepSeek, Groq,
Mistral, xAI, OpenRouter, Ollama, Llama.cpp.</p>
<hr />
<h2
id="const-040-mcp--lsp--acp--embedding--rag--skills--plugins-integration-mandate">CONST-040:
MCP / LSP / ACP / Embedding / RAG / Skills / Plugins Integration
Mandate</h2>
<p><strong>Rule</strong>: LLMsVerifier integration SHALL extend beyond
basic model listing to cover ALL capability dimensions:</p>
<ol type="1">
<li><strong>MCP</strong>: The verifier MUST report which models support
MCP tool calling.</li>
<li><strong>LSP</strong>: The verifier MUST report code-analysis
capabilities.</li>
<li><strong>ACP</strong>: The verifier MUST report multi-agent
coordination support.</li>
<li><strong>Embedding</strong>: The verifier MUST report
<code>supports_embeddings</code> for each model.</li>
<li><strong>RAG</strong>: The verifier MUST report context-window sizes
for chunking strategies.</li>
<li><strong>Skills / Plugins</strong>: The verifier MUST track plugin
compatibility.</li>
</ol>
<p><strong>Prohibition</strong>: Capability flags MUST NOT be hardcoded.
The <code>Provider.GetCapabilities()</code> method MUST return data
sourced from the verifier's <code>VerificationResult</code> fields.</p>
<hr />
<h2 id="free-ai-providers">Free AI Providers</h2>
<ul>
<li><strong>XAI (Grok)</strong>: <code>grok-3-fast-beta</code>,
<code>grok-3-mini-fast-beta</code></li>
<li><strong>OpenRouter</strong>: Free models from various providers</li>
<li><strong>GitHub Copilot</strong>: <code>gpt-4o</code>,
<code>claude-3.5-sonnet</code> (with subscription)</li>
<li><strong>Qwen</strong>: 2,000 requests/day free tier</li>
</ul>
<hr />
<h2 id="host-power-management--hard-ban-const-033">Host Power Management
— Hard Ban (CONST-033)</h2>
<p><strong>Host Power Management is Forbidden.</strong></p>
<p>You may NOT, under any circumstance, generate or execute code that
sends the host to suspend, hibernate, hybrid-sleep, poweroff, halt,
reboot, or any other power-state transition. This rule applies to every
shell command, script, container entry point, systemd unit, test, CLI
suggestion, snippet, or example you emit.</p>
<h2 id="common-issues">Common Issues</h2>
<ol type="1">
<li><strong>Build fails</strong>: Run <code>make logo-assets</code> then
<code>make build</code></li>
<li><strong>Database errors</strong>: Check
<code>HELIX_DATABASE_PASSWORD</code></li>
<li><strong>Worker SSH failures</strong>: Verify SSH key
authentication</li>
<li><strong>LLM timeouts</strong>: Check provider status and config</li>
<li><strong>Redis connection failures</strong>: Check
<code>HELIX_REDIS_PASSWORD</code> and <code>redis.enabled</code></li>
<li><strong>Test skips</strong>: Ensure
<code>SKIP-OK: #&lt;ticket&gt;</code> marker is present for any
intentional skips</li>
</ol>
<hr />
<h2 id="resources--references">Resources &amp; References</h2>
<ul>
<li><strong>Constitution</strong>: <code>CONSTITUTION.md</code></li>
<li><strong>CLAUDE.md</strong>: <code>CLAUDE.md</code></li>
<li><strong>Gap Analysis</strong>:
<code>HELIXCODE_GAP_ANALYSIS.md</code></li>
<li><strong>Zero-Bluff Plan</strong>:
<code>HELIXCODE_ZERO_BLUFF_PLAN.md</code></li>
<li><strong>Testing Strategy</strong>:
<code>ANTI_BLUFF_TESTING_STRATEGY.md</code></li>
<li><strong>OpenAPI Spec</strong>:
<code>helix_code/api/openapi.yaml</code></li>
<li><strong>Docker Guide</strong>:
<code>helix_code/DOCKER_DEPLOYMENT.md</code></li>
</ul>
<hr />
<!-- END host-power-management addendum (CONST-033) -->

<h2 id="mandatory-host-session-safety-constitution-12">MANDATORY
HOST-SESSION SAFETY (Constitution §12)</h2>
<p><strong>Forensic incident, 2026-04-27 22:22:14 (MSK):</strong> the
developer's <code>user@1000.service</code> was SIGKILLed under an OOM
cascade triggered by <code>pip3 install --user openai-whisper</code>
running on top of chronic podman-pod memory pressure. The cascade
SIGKILLed gnome-shell, every ssh session, claude-code, tmux, btop, npm,
node, java, pip3 — full session loss. Evidence:
<code>journalctl --since "2026-04-27 22:00" --until "2026-04-27 22:23"</code>.</p>
<p>This invariant applies to <strong>every script, test, helper, and AI
agent</strong> in this submodule. Non-compliance is a release
blocker.</p>
<h3 id="forbidden--directly-or-indirectly">Forbidden — directly OR
indirectly</h3>
<ol type="1">
<li><strong>Suspending the host</strong>:
<code>systemctl suspend</code>, <code>pm-suspend</code>,
<code>loginctl suspend</code>, DBus
<code>org.freedesktop.login1.Suspend</code>, GNOME idle-suspend,
lid-close handler.</li>
<li><strong>Hibernating / hybrid-sleeping</strong>: any
<code>Hibernate</code> / <code>HybridSleep</code> /
<code>SuspendThenHibernate</code> method.</li>
<li><strong>Logging out the user</strong>:
<code>loginctl terminate-session</code>,
<code>pkill -u &lt;user&gt;</code>,
<code>systemctl --user --kill</code>, anything that signals
<code>user@&lt;uid&gt;.service</code>.</li>
<li><strong>Unbounded-memory operations</strong> inside
<code>user@&lt;uid&gt;.service</code> cgroup. Any single command
expected to exceed 4 GB RSS MUST be wrapped in <code>bounded_run</code>
(defined in <code>scripts/lib/host_session_safety.sh</code>, parent
repo).</li>
<li><strong>Programmatic rfkill toggles, lid-switch handlers, or
power-button handlers</strong> — these cascade into idle-actions.</li>
<li><strong>Disabling systemd-logind, GDM, or session managers</strong>
"to make things faster" — even temporary stops leave the system unable
to recover the user session.</li>
</ol>
<h3 id="required-safeguards">Required safeguards</h3>
<p>Every script in this submodule that performs heavy work (build,
transcription, model inference, large compression, multi-GB git op)
MUST:</p>
<ol type="1">
<li>Source <code>scripts/lib/host_session_safety.sh</code> from the
parent repo.</li>
<li>Call <code>host_check_safety</code> at the top and <strong>abort if
it fails</strong>.</li>
<li>Wrap any subprocess expected to exceed ~4 GB RSS in
<code>bounded_run "&lt;name&gt;" &lt;max-mem&gt; &lt;max-time&gt; -- &lt;cmd...&gt;</code>
so the kernel OOM killer is contained to that scope and cannot escalate
to user.slice.</li>
<li>Cap parallelism (<code>-j</code>) to fit available RAM (each AOSP
job ≈ 5 GB peak RSS).</li>
</ol>
<h3 id="container-hygiene">Container hygiene</h3>
<p>Containers (Docker / Podman) we own or rely on MUST:</p>
<ol type="1">
<li>Declare an explicit memory limit (<code>mem_limit</code> /
<code>--memory</code> / <code>MemoryMax</code>).</li>
<li>Set <code>OOMPolicy=stop</code> in their systemd unit to avoid retry
loops.</li>
<li>Use exponential-backoff restart policies, never immediate
retry.</li>
<li>Be clean-slate destroyed
(<code>podman pod stop &amp;&amp; rm</code>,
<code>podman volume prune</code>) and rebuilt after any host crash or
session loss so stale lock files don't keep producing failures.</li>
</ol>
<h3 id="when-in-doubt">When in doubt</h3>
<p>Don't run heavy work blind. Check
<code>journalctl -k --since "1 hour ago" | grep -c oom-kill</code>. If
it's non-zero, <strong>fix the offending workload first</strong>. Do not
stack new work on a host already in distress.</p>
<p><strong>Cross-reference:</strong> parent
<code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code> §12 (full forensic,
library API, operator directives) + parent
<code>scripts/lib/host_session_safety.sh</code>.</p>
<h2 id="mandatory-anti-bluff-validation-constitution-81--11">MANDATORY
ANTI-BLUFF VALIDATION (Constitution §8.1 + §11)</h2>
<p><strong>This submodule inherits the parent ATMOSphere project's
anti-bluff covenant. A test that PASSes while the feature it claims to
validate is unusable to an end user is the single most damaging failure
mode in this codebase. It has shipped working-on-paper /
broken-on-device builds before, and that MUST NOT happen
again.</strong></p>
<p>The canonical authority is
<code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code> §8.1 ("NO BLUFF —
positive-evidence-only validation") and §11 ("Bleeding-edge
ultra-perfection") in the parent repo. Every contribution to THIS
submodule is bound by it. Summarised non-negotiables:</p>
<ol type="1">
<li><strong>Tests MUST validate user-visible behaviour, not just
metadata.</strong> A gate that greps for a string in a config XML, an
XML attribute, a manifest entry, or a build-time symbol is METADATA —
not evidence the feature works for the end user. Such a gate is allowed
ONLY when paired with a runtime / on-device test that exercises the
user-visible path and reads POSITIVE EVIDENCE that the behaviour
actually occurred (kernel <code>/proc/*</code> runtime state, captured
audio/video, dumpsys output produced <em>during</em> playback, real
input-event delivery, real surface composition, etc).</li>
<li><strong>PASS / FAIL / SKIP must be mechanically
distinguishable.</strong> SKIP is for environment limitations (no HDMI
sink, no USB mic, geo-restricted endpoint unreachable) and MUST always
carry an explicit reason. PASS is reserved for cases where positive
evidence was observed. A test that completes without observing evidence
MUST NOT report PASS.</li>
<li><strong>Every gate MUST have a paired mutation test in
<code>scripts/testing/meta_test_false_positive_proof.sh</code> (parent
repo).</strong> The mutation deliberately breaks the feature and the
gate MUST then FAIL. A gate without a paired mutation is a BLUFF gate
and is a Constitution violation regardless of how many checks it appears
to make.</li>
<li><strong>Challenges (HelixQA) and tests are in the same
boat.</strong> A Challenge that reports "completed" by checking the test
runner exited 0, without observing the system behaviour the Challenge is
supposed to verify, is a bluff. Challenge runners MUST cross-reference
real device telemetry (logcat, captured frames, network probes, kernel
state) to confirm the user-visible promise was kept.</li>
<li><strong>The bar for shipping is not "tests pass" but "users can use
the feature."</strong> If the on-device experience does not match what
the test claims, the test is the bug. Fix the test (positive-evidence
harder), do not silence it.</li>
<li><strong>No false-success results are tolerable.</strong> A green
test suite combined with a broken feature is a worse outcome than an
honest red one — it silently destroys trust in the entire suite.
Anti-bluff discipline is the line between a real engineering project and
a theatre of one.</li>
</ol>
<p>When in doubt: capture runtime evidence, attach it to the test
result, and let a hostile reviewer (i.e. yourself, in six months) try to
disprove that the feature really worked. If they can, the test is bluff
and must be hardened.</p>
<p><strong>Cross-references:</strong> parent CLAUDE.md "MANDATORY
DEVELOPMENT PRINCIPLES", parent AGENTS.md "NO BLUFF" section, parent
<code>scripts/testing/meta_test_false_positive_proof.sh</code>.</p>
<h2
id="mandatory-anti-bluff-covenant--end-user-quality-guarantee-user-mandate-2026-04-28">MANDATORY
ANTI-BLUFF COVENANT — END-USER QUALITY GUARANTEE (User mandate,
2026-04-28)</h2>
<p><strong>Forensic anchor — direct user mandate
(verbatim):</strong></p>
<blockquote>
<p>"We had been in position that all tests do execute with success and
all Challenges as well, but in reality the most of the features does not
work and can't be used! This MUST NOT be the case and execution of tests
and Challenges MUST guarantee the quality, the completion and full
usability by end users of the product!"</p>
</blockquote>
<p>This is the historical origin of the project's anti-bluff covenant.
Every test, every Challenge, every gate, every mutation pair exists to
make the failure mode (PASS on broken-for-end-user feature) mechanically
impossible.</p>
<p><strong>Operative rule:</strong> the bar for shipping is
<strong>not</strong> "tests pass" but <strong>"users can use the
feature."</strong> Every PASS in this codebase MUST carry positive
evidence captured during execution that the feature works for the end
user. Metadata-only PASS, configuration- only PASS, "absence-of-error"
PASS, and grep-based PASS without runtime evidence are all critical
defects regardless of how green the summary line looks.</p>
<p><strong>Tests AND Challenges (HelixQA) are bound equally</strong> — a
Challenge that scores PASS on a non-functional feature is the same class
of defect as a unit test that does. Both must produce positive end- user
evidence; both are subject to the §8.1 five-constraint rule and §11
captured-evidence requirement.</p>
<p><strong>Canonical authority:</strong> parent <a
href="../../docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§8.1 (positive-evidence-only validation) + §11 (bleeding-edge
ultra-perfection quality bar) + §11.3 (the "no bluff" CLAUDE.md /
AGENTS.md mandate) + <strong>§11.4 (this end-user-quality-guarantee
forensic anchor — propagation requirement enforced by pre-build gate
<code>CM-COVENANT-PROPAGATION</code>)</strong>.</p>
<p><strong>§11.4.1 extension (Phase 33, 2026-05-05) — FAIL-bluffs
equally forbidden.</strong> A test that crashes for a script-internal
reason (undefined variable under <code>set -u</code>, regex error,
malformed assertion, missing argument) and produces a FAIL exit code is
just as misleading as a PASS-bluff. Both let real defects ship
undetected. Per parent <a
href="../../../../docs/guides/ATMOSPHERE_CONSTITUTION.md#114-end-user-quality-guarantee--forensic-anchor-user-mandate-2026-04-28">Constitution
§11.4.1</a>, every test MUST fail ONLY for genuine product defects —
script-bug failures must be fixed at the source layer (helper library,
shared lib, test source), not patched in individual call sites.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.2 extension (Phase 34, 2026-05-06) — Recorded-evidence
requirement.</strong> A test that emits PASS without captured visual or
audio evidence of the user-visible feature actually working on the
screen the user would see is a §11.4 PASS-bluff. Bug #13 (VK Video on
PRIMARY display while a passing test claimed playback PASS) demonstrated
the gap exactly. Closing it requires the recording + analyzer
infrastructure (Bug #14 — <code>dual_display_record.sh</code> /
<code>action_timeline.sh</code> / Go <code>recording-analyzer</code> /
<code>helixqa-bridge</code>). Per Constitution §11.4.2 every PASS for a
user-visible feature MUST be cross-checked by the analyzer against the
dual-display recording + action timeline. A PASS that lacks at least one
matched timeline event in the analyzer findings is treated as a §11.4
PASS-bluff.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.3 extension (Phase 34, 2026-05-06) —
Per-device-topology test dispatch.</strong> Tests that depend on
hardware topology (secondary HDMI present/absent, microphone
present/absent, etc.) MUST detect topology at test entry and dispatch
the topology-appropriate variant. A test running the wrong variant for
the actual topology and PASSing is a §11.4 PASS-bluff. Bug #18
(Lampa+TorrServe E2E) demonstrated the pattern: D1 (secondary HDMI) and
D2 (primary only) get separate test variants behind a
<code>dumpsys display</code>-based dispatcher. Per Constitution §11.4.3
every topology-touching test MUST have such a dispatcher OR explicit
topology gates with SKIP-with-reason fallback.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.4 extension (User mandate, 2026-05-06) —
Test-interrupt-on-discovery + retest-from-clean-baseline.</strong> A
test cycle that continues running past a freshly discovered defect is
itself a §11.4 PASS-bluff: it produces "all green" summaries while the
codebase under test is known-broken at the moment those greens were
recorded. Phase 34.S' D1 demonstrated the violation when Bug #26
(hard-floor probe lifecycle) and Bug #27 (analyzer FAIL-bluff on
non-video tests) were discovered mid-cycle and the cycle was allowed to
continue, accumulating 13+ false-positive ANALYZER FAIL banners. Per
Constitution §11.4.4 the moment any defect is re- discovered,
re-produced, or newly identified during a test cycle, the cycle MUST
stop on both devices. <strong>Then</strong>: (1) fix at root cause per
§11.4.1, (2) land validation/verification tests for the fix — pre-build
gate AND on-device test AND paired meta-test mutation, (3) full rebuild
via <code>scripts/build.sh</code> (regardless of whether the fix touched
host script / Go binary / firmware — host-only fixes still get a full
rebuild for retest baseline integrity), (4) re-flash D1 + D2, (5) repeat
full <code>test_all_fixes.sh</code> from the beginning sequentially per
§12.6, (6) end the cycle with
<code>meta_test_false_positive_proof.sh</code> proving no gate is itself
a bluff gate. Tests AND HelixQA Challenges are bound equally —
Challenges that score PASS on a non-functional feature are the same
class of defect as PASS-bluff unit tests; both must produce positive
end-user evidence per §11.4.2 + §11.4.3.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.4 expansion (User mandate, 2026-05-06) — Systematic
debugging + four-layer test coverage + documentation + no-bluff
certification.</strong> Augments the §11.4.4 base covenant with four
non-negotiable additional requirements per the User mandate of
2026-05-06: (a) <strong>Systematic debugging via superpowers
skills.</strong> Before applying any fix, run in-depth systematic
debugging using the available <code>superpowers:*</code> skills
(debugging, root-cause analysis, architectural-impact). Symptom patches
are forbidden. The debugging output MUST identify root cause at source
layer, blast radius across related tests/features/subsystems, and the
regression-protection seam. (b) <strong>Four-layer test coverage per
fix.</strong> Every fix lands with positive evidence in <strong>every
applicable layer</strong>: pre-build gate (catches at source),
post-build gate (catches in assembled image — proves bytes landed, cf.
Fix #122 APK_LIB_MAP misroute), post-flash on-device test (fully
automated, anti-bluff per §8.1, captured- evidence per §11.4.2,
topology-dispatched per §11.4.3, orchestrator- wired in
<code>test_all_fixes.sh</code>), HelixQA test bank entry
(<code>banks/atmosphere.yaml</code> + per-feature additions), HelixQA
full QA session coverage (Challenge-driven dispatch — bank entry without
Challenge coverage is a §11.4 PASS-bluff), and meta-test paired
mutation. Skipping a layer because "this fix only touches X" is
forbidden. (c) <strong>Documentation update for every fix.</strong>
Required: <code>docs/Issues.md</code> → <code>docs/Fixed.md</code>
migration on closure, parent CLAUDE.md Applied Fixes Reference row,
affected user-facing guides (<code>docs/guides/*.md</code>), affected
diagrams/flowcharts/architecture docs, per-version
<code>docs/changelogs/&lt;tag&gt;.md</code> entry. Documentation drift
after a fix is itself a §11.4 violation. (d) <strong>No-bluff
certification per cycle.</strong> Before tagging:
<code>meta_test_false_positive _proof.sh</code> returns all gates green
AND every gate's paired mutation FAILs (no bluff gates);
<code>docs/Issues.md</code> open-set is empty or every entry explicitly
classified out-of-scope-for-this-tag with operator sign-off (no known
issues hidden); full suite returns zero new FAILs on either device (no
working feature regressed); every gate has a paired mutation; every test
produces positive evidence; every assertion catches its own negation (no
error-prone or bluff-proof leftover).</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.5 — Audio + video quality analysis comprehensiveness
(User mandate, 2026-05-07)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-07):</strong></p>
<blockquote>
<p>"We MUST HAVE still analyzing of recorded materials and comprehensive
validation and verification for issues we used to test! For example if
there is audio at all or video, if so, is it good and proper or is it
faulty? Does it have glitches, frame issues and other possible
obstructions? IMPORTANT: Make sure that all existing tests and
Challenges do work in anti-bluff manner — they MUST confirm that all
tested codebase really works as expected!"</p>
</blockquote>
<p>§11.4.2 mandates <em>captured</em> evidence; §11.4.5 mandates the
<strong>content</strong> of that evidence be analyzed for quality, not
merely for presence. A test that captures a 0-byte mp4 (Bug #24) and
PASSes because "the recording file exists" is the exact PASS-bluff
pattern §11.4 forbids. Content-quality analysis is what closes that
gap.</p>
<p><strong>Audio quality analysis — every audio test that PASSes MUST
verify ALL of:</strong> (1) <strong>Presence</strong> — non-trivial RMS
amplitude in captured WAV /
<code>/proc/asound/.../pcm*p/sub0/hw_params</code>. (2) <strong>Channel
count</strong> — <code>ffprobe -show_streams</code> matches the test's
claim (2.0 / 5.1 / 7.1). (3) <strong>Sample rate + bit depth</strong> —
match the codec / pipeline under test. (4) <strong>Glitch
census</strong> — XRUN / FastMixer underrun-overrun-partial /
AudioFlinger writeError counts above tolerance MUST classify explicitly
(PASS within budget, WARN above, FAIL on hard limits per §11.4.1
SKIP-vs-FAIL decision tree). (5) <strong>Coexistence-artifact
census</strong> — for tests that exercise WiFi/BT alongside audio: BT TX
queue overflow, A2DP src underflow, coex notification storms, 2.4 GHz
radio contention.</p>
<p><strong>Video quality analysis — every video test that PASSes MUST
verify ALL of:</strong> (1) <strong>Presence</strong> — captured screen
recording has non-zero file size AND <code>ffprobe -count_frames</code>
reports decoded-frame total &gt; 0. 0-byte mp4 (Bug #24) is the
canonical PASS-bluff and triggers §11.4.4 STOP. (2) <strong>Routing
target</strong> — analyzer + action-timeline confirms video appeared on
the <em>intended</em> display (primary vs secondary HDMI; Bug #13
pattern). (3) <strong>Frame health</strong> — drop count, frame-time
variance (jitter), freeze detection (SSIM &gt; 0.99 for ≥ 1 s), tearing.
(4) <strong>Obstruction census</strong> — Tesseract OCR scan for hostile
overlays (<code>Application not responding</code>,
<code>Force close</code>, sign-in dialog, geo-restriction overlay, ad
break, paywall, <code>App is not certified</code>). (5)
<strong>Resolution + codec</strong> — captured frame dimensions match
the test's claim; downgrade is a PASS-bluff.</p>
<p><strong>Challenges (HelixQA) are bound equally</strong> — every
Challenge that asserts PASS MUST run all five audio + five video layers.
A Challenge that scores PASS without applicable analysis is the same
class of defect as a unit test that does.</p>
<p><strong>Tooling guarantee:</strong> audio = <code>tinycap</code> +
<code>aplay --dump-hw-params</code> + <code>ffprobe</code> +
<code>/proc/asound</code> parsers (<code>lib/audio_validation.sh</code>
per §11.2.5). Video = <code>screenrecord</code> +
<code>ffprobe -count_frames</code> + <code>recording-analyzer</code> +
Tesseract OCR (<code>scripts/dual_display_record.sh</code></p>
<ul>
<li><code>cmd/recording-analyzer/</code> per §11.4.2.A and §11.4.2.C).
Tests dispatched against video evidence MUST honor §11.4.4
test-interrupt-on-discovery when the analyzer reports empty input — do
not silently absorb that as a generic PASS-bluff banner.</li>
</ul>
<p>Non-compliance is a release blocker regardless of context.</p>
<h2
id="mandatory-12-host-session-safety--incident-2-anchor-2026-04-28">MANDATORY
§12 HOST-SESSION SAFETY — INCIDENT #2 ANCHOR (2026-04-28)</h2>
<p><strong>Second forensic incident:</strong> on 2026-04-28 18:36:35 MSK
the user's <code>user@1000.service</code> was again SIGKILLed
(<code>status=9/KILL</code>), this time WITHOUT a kernel OOM kill
(systemd-oomd inactive, <code>MemoryMax=infinity</code>) — a different
vector than Incident #1. Cascade killed <code>claude</code>,
<code>tmux</code>, the in-flight ATMOSphere build, and 20+ npm MCP
server processes. Likely cumulative cgroup pressure + external
watchdog.</p>
<p><strong>Mandatory safeguards effective 2026-04-28</strong> (full text
in parent <a
href="../../../../docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§12 Incident #2):</p>
<ol type="1">
<li><code>scripts/build.sh</code> MUST source
<code>lib/host_session_safety.sh</code> and call
<code>host_check_safety</code> BEFORE any heavy step.</li>
<li><code>host_check_safety</code> has 7 distress detectors including
conmon cgroup-events warnings (#6) and current-boot session-kill events
(#7).</li>
<li>Containers MUST be clean-slate destroyed + rebuilt after any
suspected §12 incident. <code>mem_limit</code> is per-container, not
per-user-slice — operator MUST cap Σ <code>mem_limit</code> ≤ physical
RAM − user-session overhead.</li>
<li>20+ npm-spawned MCP server processes are a known memory multiplier;
stop non-essential MCPs before heavy ATMOSphere work.</li>
<li><strong>Investigation: Docker/Podman as session-loss
vector.</strong> Per-container cgroups don't prevent cumulative
user-slice pressure; conmon
<code>Failed to open cgroups file: /sys/fs/cgroup/memory.events</code>
warnings preceded the 18:36:35 SIGKILL by 6 min — likely
correlated.</li>
</ol>
<p>This directive applies to every owned ATMOSphere repo and every
HelixQA dependency. Non-compliance is a Constitution §12 violation.</p>
<h2
id="mandatory-126-memory-budget-ceiling--60-maximum-user-mandate-2026-04-30">MANDATORY
§12.6 MEMORY-BUDGET CEILING — 60% MAXIMUM (User mandate,
2026-04-30)</h2>
<p><strong>Forensic anchor — direct user mandate
(verbatim):</strong></p>
<blockquote>
<p>"We had to restart this session 3rd time in a row! The system of the
host stays with no RAM memory for some reason! First make sure that
whatever we do through our procedures related to this project MUST NOT
use more than 60% of total system memory! All processes MUST be able to
function normally!"</p>
</blockquote>
<p><strong>The mandate.</strong> Project procedures MUST NOT use more
than <strong>60% of total system RAM</strong>
(<code>HOST_SAFETY_MAX_MEM_PCT</code>). The remaining 40% is reserved
for the operator's other workloads so the host can keep serving them
while project work proceeds.</p>
<p><strong>Three consecutive session-loss SIGKILLs on
2026-04-30</strong> during 1.1.5-dev — every one happened while
<code>scripts/build.sh</code> was running <code>m -j5</code> AOSP. Each
Soong/Ninja job peaks at ~5–8 GiB RSS; collective RSS overran the 60%
envelope and the kernel OOM-killer escalated, taking down
<code>user@1000.service</code>. <strong>§12.1's pre-flight check
(refusing to start if host already distressed) was not enough</strong> —
the missing piece was an active CONSTRAINT on heavy work itself.</p>
<p><strong>Mandatory protections (rock-solid):</strong></p>
<ol type="1">
<li><code>HOST_SAFETY_MAX_MEM_PCT</code> defaults to 60 in
<code>scripts/lib/host_session_safety.sh</code>.</li>
<li><code>HOST_SAFETY_BUDGET_GB</code> is computed at source-time from
<code>MemTotal × MAX_PCT/100</code>.</li>
<li><code>bounded_run</code> clamps <code>MemoryMax</code> down to the
budget if the caller asks for more (cgroup-level enforcement via
<code>systemd-run --user --scope -p MemoryMax=…</code>).</li>
<li><code>host_safe_parallel_jobs</code> and
<code>host_safe_build_jobs</code> return the safe <code>-j</code> count
given an estimated per-job RSS, capped at <code>nproc</code>.</li>
<li><code>scripts/build.sh</code> wraps <code>m -j</code> in
<code>bounded_run</code>. If the build's collective RSS exceeds the
budget, only the scope is OOM-killed;
<code>user@&lt;uid&gt;.service</code> stays alive.</li>
</ol>
<p><strong>Captured-evidence enforcement.</strong> Pre-build gate
<code>CM-MEMBUDGET-METATEST</code> locks all 7 invariants and fires
every pre-build run.</p>
<p><strong>No escape hatch.</strong> §12.6 has NO operator-facing
override flag. The cap exists for the operator's own protection;
bypassing it is the bluff the §11.4 covenant specifically prohibits.
Operators who need more headroom should reduce parallelism, close other
workloads, or add RAM — NOT raise the percentage.</p>
<p><strong>Canonical authority:</strong> parent <a
href="../../docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§12.6.</p>
<p>Non-compliance is a release blocker regardless of context. <em>Built
with zero-bluff commitment. Every feature actually works.</em></p>
<p><strong>§11.4.6 — No-guessing mandate (User mandate,
2026-05-08)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-08T18:30 MSK):</strong></p>
<blockquote>
<p>"'LIKELY' is guessing, we MUST NOT have guessing, since it can be or
may not be! No bluffing and uncertainity is allowed at any cost! We MUST
always know exactly precisly what is happening exactly, in any context,
under any conditions, everywhere!"</p>
</blockquote>
<p>Tests, gates, status reports, closure narratives, commit messages,
and operator-facing text MUST NOT use <code>likely</code>,
<code>probably</code>, <code>maybe</code>, <code>might</code>,
<code>possibly</code>, <code>presumably</code>, <code>seems</code>, or
<code>appears to</code> when describing causes of failures, behaviour,
or fix effectiveness. Either prove the cause with captured forensic
evidence (logcat, dmesg, /sys readings, getprop, kernel ramoops,
dropbox, strace, etc.) and state it as fact, OR explicitly mark
<code>UNCONFIRMED:</code> / <code>UNKNOWN:</code> /
<code>PENDING_FORENSICS:</code> with a tracked-task ID for
follow-up.</p>
<p>Pre-build gate <code>CM-NO-GUESSING-MANDATE</code> greps
recently-modified docs</p>
<ul>
<li>test scripts for the forbidden vocabulary outside explicit
<code>UNCONFIRMED:</code> / <code>UNKNOWN:</code> /
<code>PENDING_FORENSICS:</code> blocks. Paired mutation introduces a
<code>likely</code> token into a fresh status block → gate FAILs.
Propagation gate <code>CM-COVENANT-114-6-PROPAGATION</code> enforces
this anchor in every CLAUDE.md / AGENTS.md across parent + 10 owned
submodules + HelixQA dependencies.</li>
</ul>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.6.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.7 — Demotion-evidence rule (Phase 38.X+2 amendment,
2026-05-11)</strong></p>
<p>A demotion from any FAIL classification (<code>OPEN</code>,
<code>POSSIBLE PRODUCT DEFECT</code>, <code>FAIL</code>) to a
lower-severity classification (<code>INVESTIGATED</code>,
<code>MITIGATED</code>, <code>RESOLVED</code>,
<code>WORKING-AS-INTENDED</code>) requires positive evidence captured
under the <strong>same conditions</strong> that originally exposed the
defect — same device, same firmware, same cycle position, same load
profile.</p>
<p>"I cannot reproduce in isolation" is a HYPOTHESIS, not a finding. Per
§11.4.6 it MUST be tagged <code>UNCONFIRMED:</code> until
same-conditions retest produces positive evidence. The expanded
forbidden-vocabulary list:</p>
<table>
<thead>
<tr>
<th>Forbidden phrase</th>
<th>Why it bluffs</th>
</tr>
</thead>
<tbody>
<tr>
<td>"isolated re-run PASSes therefore X was a flake"</td>
<td>Strips the very environment that exposed the defect.</td>
</tr>
<tr>
<td>"runtime drift"</td>
<td>Label for "we don't know what changed".</td>
</tr>
<tr>
<td>"intermittent" / "transient"</td>
<td>Label for "we don't know how to reproduce".</td>
</tr>
<tr>
<td>"pending stress retest"</td>
<td>Defers the actual investigation indefinitely.</td>
</tr>
<tr>
<td>"correlates with X"</td>
<td>Hypothesis presented as causation.</td>
</tr>
</tbody>
</table>
<p>Pre-build gate <code>CM-DEMOTION-EVIDENCE-RULE</code> scans Issues.md
/ Fixed.md / CONTINUATION.md for these phrases outside explicit
<code>UNCONFIRMED:</code> / <code>UNATTRIBUTED:</code> /
<code>PENDING_CYCLE_RETEST:</code> blocks. Propagation gate
<code>CM-COVENANT-114-7-PROPAGATION</code> enforces this anchor in every
CLAUDE.md / AGENTS.md across parent + 10 owned submodules + HelixQA
dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.7.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.8 — Deep-web-research-before-implementation mandate
(User mandate, 2026-05-12)</strong></p>
<p>Before designing a non-trivial fix, implementing a new feature, or
declaring an architectural choice, perform deep web research to verify
the chosen approach is informed by current state-of-the-art. Research
surface: official documentation
(Android/AOSP/Khronos/CEA-861/AES/IEEE/IETF/ITU), vendor technical
guides (Rockchip, Sipeed, Audinate Dante, Synaptics, Realtek, Bluetooth
SIG), open-source codebases (Linux kernel, ALSA, Bluez, ExoPlayer,
libVLC, MPV, FFmpeg, AOSP forks), coding tutorials + technical articles
(Stack Overflow, AOSP Code Lab, AES papers), issue trackers (Android bug
tracker, AOSP gerrit, GitHub issues).</p>
<p>A fix that re-invents a wheel — or reproduces a known-broken pattern
— when the open-source community has already solved the problem is a
§11.4 violation by omission. Every non-trivial fix's commit / Issues.md
/ Fixed.md entry MUST cite at least one external source URL OR the
literal "NO external solution found — original work".</p>
<p>Pre-build gate <code>CM-RESEARCH-CITATION-PRESENT</code> scans new
fix-direction blocks for the pattern. Propagation gate
<code>CM-COVENANT-114-8-PROPAGATION</code> enforces this anchor in every
CLAUDE.md / AGENTS.md across parent + 10 owned submodules + HelixQA
dependencies.</p>
<p>Documentation continuity requirement: every fix landed under §11.4.8
also adds to <code>docs/guides/</code> a user-facing or developer-facing
guide section where appropriate.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.8.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.9 — Batch-source-fixes-before-rebuild mandate (User
mandate, 2026-05-12)</strong></p>
<p>When closing a multi-defect batch, all source-side fixes that DO NOT
require runtime on-device validation to design MUST be landed BEFORE the
next firmware rebuild. Anti-pattern eliminated:
<code>Fix A → rebuild → flash → cycle → fix B → rebuild → ...</code>
serializes 7-8 hours per fix instead of batching all into ONE build
cycle. Operator time is the scarce resource.</p>
<p>Exceptions documented in commit message as
<code>REQUIRES_REBUILD: &lt;reason&gt;</code>: kernel-5.10/ changes,
atmosphere-*.sh boot-script side-effects, hardware/rockchip/ HAL
behavior — each gates downstream state and requires firmware to
validate.</p>
<p>Before declaring a batch "ready for rebuild": pre-build GREEN +
meta-test GREEN + existing-device validations performed where possible +
Issues.md/Fixed.md/CONTINUATION.md in sync (+ HTML/PDF exported) +
§11.4.8 research citations all logged.</p>
<p>Propagation gate <code>CM-COVENANT-114-9-PROPAGATION</code> enforces
this anchor in every CLAUDE.md / AGENTS.md across parent + 10 owned
submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.9.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.10 — Credentials-handling mandate (User mandate,
2026-05-12)</strong></p>
<p>All credentials, secrets, API tokens, passwords, phone numbers, OAuth
tokens, signing keys MUST NEVER live in tracked files. Templates with
placeholder values are allowed (<code>.example</code> suffix). Tests
load credentials at runtime from <code>scripts/testing/secrets/</code>
(or per-submodule equivalent); operator-populated files are
<code>chmod 600</code>, directory is <code>chmod 700</code>.
<code>.env</code>, <code>.env.*</code>, <code>*.env</code> patterns +
<code>scripts/testing/secrets/*</code> (with <code>.example</code> +
<code>README.md</code> exception) git-ignored project-wide.</p>
<p>Test scripts MUST NEVER echo credentials to stdout/stderr/logcat.
Screen- recording of sign-in flows MUST redact credential-bearing
frames. Per-service file separation (<code>.netflix.env</code>,
<code>.disney.env</code>, etc.) limits blast radius.</p>
<p>Forensic-rotation policy: suspected leak → rotate at provider, update
local <code>.env</code>, audit captured artifacts. Pre-build gate
<code>CM-CREDENTIAL-LEAK-SCAN</code> greps tracked files for
entropy-suspicious password strings + known API-token formats.
Propagation gate <code>CM-COVENANT-114-10-PROPAGATION</code> enforces
this anchor in every CLAUDE.md / AGENTS.md across parent + 10 owned
submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.10.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.14 — Test playback cleanup mandate (User mandate,
2026-05-13)</strong></p>
<p>Every test that issues <code>am start</code> /
<code>cmd media_session play</code> / <code>MediaController.play</code>
MUST issue matching <code>am force-stop</code> /
<code>input keyevent KEYCODE_MEDIA_STOP</code> + register cleanup in
<code>EXIT</code> trap. Verified via positive evidence (Arvus
codec-state → <code>N.E.</code>, <code>dumpsys media_session</code>
shows no PLAYING for test app). <code>test_all_fixes.sh</code> post-test
sanity check FAILs the just-completed test if it left orphan playback.
HelixQA Challenges bound equally. No grace period — "next test will
clean it up" is §11.4 PASS-bluff.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.14. Pre-build gates <code>CM-TEST-PLAYBACK-CLEANUP</code> +
<code>CM-COVENANT-114-14-PROPAGATION</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.15 — Item-status tracking mandate (User mandate,
2026-05-13)</strong></p>
<p>Every active item in <code>docs/Issues.md</code> carries a
<code>**Status:**</code> line with one of six values:
<code>Queued</code>, <code>In progress</code>,
<code>Ready for testing</code>, <code>In testing</code>,
<code>Reopened</code>, <code>Fixed (→ Fixed.md)</code>. Status MUST be
updated as the item progresses through its lifecycle. <code>Fixed</code>
requires captured-evidence per §11.4.5 + migration to Fixed.md.</p>
<p>The auto-generated <code>docs/Issues_Summary.md</code> includes the
Status column. All three file types (<code>.md</code>,
<code>.html</code>, <code>.pdf</code>) MUST be in sync at all times —
enforced by <code>CM-DOCS-EXPORT-SYNC</code> (§11.4.12 + §11.4.15
amendment).</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.15. Pre-build gates <code>CM-ITEM-STATUS-TRACKING</code> +
<code>CM-COVENANT-114-15-PROPAGATION</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.16 — Item-type tracking mandate (User mandate,
2026-05-14)</strong></p>
<p>Every active item in <code>docs/Issues.md</code> carries a
<code>**Type:**</code> line with one of three values: <code>Bug</code>
(product defect / regression / user-visible broken behaviour),
<code>Feature</code> (new capability not previously offered to end
users), <code>Task</code> (internal workstream — refactor, doc, infra,
gate, audit; the lowest-stakes default when ambiguous). The vocabulary
is CLOSED — no other value is permitted.</p>
<p>The auto-generated <code>docs/Issues_Summary.md</code> includes the
Type column. All three file types (<code>.md</code>, <code>.html</code>,
<code>.pdf</code>) MUST be in sync at all times — enforced by
<code>CM-DOCS-EXPORT-SYNC</code> (§11.4.12 + §11.4.15 + §11.4.16
amendment).</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.16. Pre-build gates <code>CM-ITEM-TYPE-TRACKING</code> +
<code>CM-COVENANT-114-16-PROPAGATION</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.13 — Out-of-band sink-side captured-evidence mandate
(User mandate, 2026-05-13)</strong></p>
<p>Whenever an HDMI sink with a network-accessible introspection API is
present (current example: Arvus H2-4D-273 at
<code>http://192.168.4.172/</code>), the test suite MUST consume the
sink's report as captured-evidence for every audio test asserting a
codec / channel-count / passthrough mode. On-SoC HAL telemetry ALONE is
insufficient — that is the exact "tests pass but the feature doesn't
work" pattern §11.4 forbids. Reference:
<code>scripts/testing/lib/arvus_probe.sh</code>,
<code>scripts/testing/arvus_probe.sh</code>,
<code>docs/guides/ARVUS_HDMI_INTEGRATION.md</code>. Pre-build gate
<code>CM-ARVUS-EVIDENCE-INTEGRATED</code> (7 invariants) + paired
mutation. No hardcoding (env: <code>ARVUS_HOST</code> etc.). Topology
dispatch per §11.4.3 — sink unreachable → SKIP, never FAIL. Identity
verification (MAC match) before consuming codec-state. Anti-stickiness
post-stop. HelixQA Challenges bound equally.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.13. Integration reference:
<code>docs/guides/ARVUS_HDMI_INTEGRATION.md</code>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.11 — File-layout discipline (User mandate,
2026-05-12)</strong></p>
<p>Files live in canonical directories per type:</p>
<ul>
<li>Shell scripts → <code>scripts/</code> (legacy:
<code>scripts/legacy/</code>)</li>
<li>Log files → <code>logs/</code> (legacy:
<code>logs/legacy/</code>)</li>
<li>Release artifacts →
<code>releases/&lt;app&gt;/&lt;version&gt;/</code></li>
<li>Operator credentials → <code>scripts/testing/secrets/</code> (per
§11.4.10, git-ignored)</li>
<li>Markdown docs → <code>docs/</code> + <code>docs/guides/</code> +
<code>docs/research/</code> + <code>docs/superpowers/plans/</code></li>
<li>Per-version changelogs → <code>docs/changelogs/</code></li>
<li>Hardware ID photos →
<code>docs/hardware/&lt;device-slug&gt;/</code></li>
</ul>
<p>Repo root contains ONLY: AOSP-mandated top-level files (Android.bp,
Makefile, bootstrap.bash, BUILD, kokoro, lk_inc.mk, OWNERS,
version_defaults.mk), project metadata
(README/CLAUDE/AGENTS/CONTRIBUTING/LICENSE/NOTICE/VERSION), dot-files
(.gitignore/.gitmodules), and standard top-level dirs (build/, device/,
external/, frameworks/, hardware/, kernel-5.10/, packages/, prebuilts/,
scripts/, system/, tools/, vendor/, docs/, releases/, logs/).</p>
<p>NO bash scripts in repo root except AOSP-mandated
<code>bootstrap.bash</code>. NO log files in repo root. NO duplicate
filenames between root and <code>scripts/</code>. NO release artifacts
in root. Moves require triple-verification (audit all references +
distinguish absolute vs subdir-local + confirm no AOSP build- system
requirement). Pre-build gate <code>CM-FILE-LAYOUT-DISCIPLINE</code>
enforces. Propagation gate <code>CM-COVENANT-114-11-PROPAGATION</code>
enforces this anchor in every CLAUDE.md / AGENTS.md across parent + 10
owned submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.11.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.12 — Issues_Summary.md sync mandate (User mandate,
2026-05-12)</strong></p>
<p>docs/Issues_Summary.md is the canonical short-form summary of all
open items. MUST be regenerated + re-exported (HTML + PDF) whenever
Issues.md changes. Generator:
scripts/testing/generate_issues_summary.sh. Pre-build gates
<code>CM-ISSUES-SUMMARY-SYNC</code> +
<code>CM-COVENANT-114-12-PROPAGATION</code> enforce mechanically.</p>
<p><strong>Sort order (User mandate refinement 2026-05-12):</strong>
severity DESC (C → M → L), then intra-group criticality DESC inside each
group. Most critical row = #1, least critical = #N. Documented at the
top of the generated file.</p>
<p><strong>Auto-sync wrapper:</strong>
<code>scripts/testing/sync_issues_docs.sh</code> — runs generator +
<code>export_progress_docs.sh</code> in one shot. MUST be invoked after
any edit to Issues.md or Issues_Summary.md. HTML+PDF exports are NEVER
manually invoked; they ALWAYS travel with the markdown.</p>
<p><strong>Canonical authority:</strong> parent <a
href="docs/guides/ATMOSPHERE_CONSTITUTION.md"><code>docs/guides/ATMOSPHERE_CONSTITUTION.md</code></a>
§11.4.12.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<hr />
<h2
id="const-047--recursive-submodule-application-mandate-cascaded-from-root-constitutionmd">CONST-047
— Recursive Submodule Application Mandate (cascaded from root
CONSTITUTION.md)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-14): <em>"Make sure all work we do is
applied ALWAYS to all Submodules we control under our organizations
(vasic-digital and HelixDevelopment) fully recursively everywhere with
full bluff-proofing and comprehensive documentation, user manuals and
guides and full tests and Challenges coverage!"</em></p>
</blockquote>
<p>Every engineering deliverable produced for the main project MUST be
applied — fully and recursively — to every owned submodule under the
<code>vasic-digital</code> and <code>HelixDevelopment</code> GitHub
organizations. Each owned submodule (including this one) MUST receive in
lockstep: (1) anti-bluff posture (CONST-035 / Article XI §11.9), (2)
comprehensive documentation matching actual capabilities, (3) full tests
+ Challenges coverage with captured runtime evidence, (4) recursive
propagation through nested submodules under the same orgs, (5)
synchronized commits when meta-repo state advances this surface.</p>
<p>See the root <code>CONSTITUTION.md</code> §CONST-047 for the full
mandate. This anchor MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md.</p>
<p><strong>§11.4.40 — Full-suite retest before release tag mandate (User
mandate, 2026-05-17)</strong></p>
<p>A release tag MUST NOT be created until a COMPLETE retest with ALL
existing tests has been executed on a clean baseline AFTER every
workable item in the batch is done, fixed, polished, and individually
verified. Spot-check retests that run only the tests touched by the
batch are FORBIDDEN — they miss interaction defects between the batch's
fixes and previously-stable code.</p>
<p>The complete retest comprises: (1) pre-build full sweep, (2)
post-build full sweep, (3) on-device 4-phase cycle on EVERY owned
device, (4) meta-test full mutation sweep, (5) Challenge bank full
sweep, (6) Issues.md/Fixed.md state audit, (7) CONTINUATION.md sync
check.</p>
<p>Time is essential — complete retest is typically 12–48 hour elapsed
effort. NOT optional, NOT abbreviated. Skipping is the exact "tests
passed but feature broken" failure mode §11.4 specifically
prohibits.</p>
<p>Composes with §11.4.4 (per-fix retest) — §11.4.37 is the additional
final integrity check at RELEASE granularity. Composes with §11.4.7 —
full-suite retest is the authoritative baseline for closures in the
batch. No escape hatch — no <code>--skip-full-retest</code> or
<code>--quick-release</code> flag exists.</p>
<p>Pre-build gate <code>CM-FULL-SUITE-RETEST-MANDATE</code> + paired
mutation. Propagation gate <code>CM-COVENANT-114-40-PROPAGATION</code>
enforces this anchor in every CLAUDE.md/AGENTS.md across parent + 10
owned submodules + HelixQA dependencies.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a
href="../../../constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.37.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.41 — Pre-Force-Push Merge-First Mandate (User mandate,
2026-05-17)</strong></p>
<p>Any force-push (<code>git push --force</code>,
<code>git push --force-with-lease</code>,
<code>git push +&lt;ref&gt;</code>, or equivalent history-rewriting
operation on any remote) authorised under §9.2 / CONST-043 MUST be
preceded by a mechanical 4-step merge-first pipeline that brings every
remote-side commit into the local tree, resolves every conflict
carefully, and verifies nothing is lost or corrupted on EITHER side
BEFORE the overwriting push is executed.</p>
<p><strong>The 4-step pipeline (mandatory, in order):</strong> (1)
<code>git fetch --all --prune --tags</code> against every configured
remote — capture output. (2) Integrate every divergent commit locally
via <code>git rebase</code> (local is strict superset),
<code>git merge</code> (independent additions both deserve
preservation), or operator-confirmed cherry-pick (remote subset already
present locally). (3) Audit: no conflict markers
(<code>grep -rn '^&lt;&lt;&lt;&lt;&lt;&lt;&lt; \|^=======$\|^&gt;&gt;&gt;&gt;&gt;&gt;&gt; '</code>
returns empty), no silent file drops
(<code>git diff --stat HEAD@{1} HEAD</code>), every previously-passing
test still passes per §11.4.4 / §11.4.40 baseline, every
captured-evidence artifact still validates. (4)
<code>git push --force-with-lease &lt;remote&gt; &lt;ref&gt;</code>
(NEVER <code>--force</code> without <code>--with-lease</code> unless
§9.2 sub-clause 6 explicitly authorises it for a remote where lease
semantics are unavailable). One force-push event per CONST-043
authorisation — no batch authorisation.</p>
<p><strong>Two-gate composition with CONST-043</strong> — §11.4.41 does
NOT relax CONST-043's operator-approval requirement. Gate A (CONST-043):
operator types explicit per-operation force-push authorisation. Gate B
(§11.4.41): agent executes the 4-step merge-first pipeline, captures
evidence of clean integration, presents evidence to operator BEFORE the
force-push. Both gates required.</p>
<p><strong>Verification artefact</strong> — every §11.4.41-governed
force-push emits a <code>docs/changelogs/&lt;tag&gt;.md</code>
"Force-push merge-first audit" section containing 7 elements: (i)
<code>git fetch</code> output, (ii) per-remote
<code>HEAD..&lt;remote&gt;/&lt;branch&gt;</code> log before integration,
(iii) integration strategy chosen per remote with rationale, (iv)
post-integration conflict-marker scan output (must be empty), (v)
post-integration test suite delta (must show only expected changes),
(vi) <code>--force-with-lease</code> push output with lease SHA
evidence, (vii) CONST-043 authorisation quote from the conversation.</p>
<p>Composes with §9.2 (data-safety hardlinked backup), §11.4.4
(test-interrupt-on-discovery — broken integration triggers rollback),
§11.4.6 (no-guessing — every step's outcome captured, not assumed),
§11.4.26 (constitution-submodule update pipeline — per-submodule
specialisation), §11.4.32 (post-pull validation — audit step's
mechanical companion), §11.4.37 (fetch-before-edit — step 1 enforces it
for force-push specifically), §11.4.40 (full-suite retest — step 3's
test-evidence requirement).</p>
<p>No escape hatch — the operator-pressure escape ("just force-push,
we'll fix it later") is the exact failure mode this anchor closes.
Pre-build gate <code>CM-COVENANT-114-41-PROPAGATION</code> enforces this
anchor in every CLAUDE.md/AGENTS.md across parent + 10 owned submodules
+ nested submodules + HelixQA dependencies. Paired mutation strips the
anchor literal → gate FAILs. Gate <code>CM-FORCE-PUSH-MERGE-FIRST</code>
walks <code>docs/changelogs/&lt;tag&gt;.md</code> "Force-push" entries
for the 7 audit elements; paired mutation strips any element and asserts
gate FAILs.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.41.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<hr />
<h2
id="const-048-full-automation-coverage-mandate-cascaded-from-constitution-submodule-11425">CONST-048:
Full-Automation-Coverage Mandate (cascaded from constitution submodule
§11.4.25)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Make sure that every
feature, every functionality, every flow, every use case, every edge
case, every service or application, on every platform we support is
covered with full automation tests which will confirm anti-bluff policy
and provide the proof of fully working capabilities, working
implementation as expected, no issues, no bugs, fully documented, tests
covered! Nothing less than this does not give us a chance to deliver
stable product! This is mandatory constraint which MUST BE respected
without ignoring, skipping, slacking or forgetting it!"</em></p>
</blockquote>
<p>No feature / functionality / flow / use case / edge case / service /
application on any supported platform of this submodule is deliverable
until covered by automation tests proving six invariants: (1) anti-bluff
posture with captured runtime evidence (CONST-035); (2) proof of working
capability end-to-end on target topology; (3) implementation matching
documented promise; (4) no open issues/bugs surfaced; (5) full
documentation in sync; (6) four-layer test floor (pre-build + post-build
+ runtime + paired mutation).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-048 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-048 and constitution submodule <code>Constitution.md</code>
§11.4.25 for the full mandate.</p>
<h2
id="const-049-constitution-submodule-update-workflow-mandate-cascaded-from-constitution-submodule-11426">CONST-049:
Constitution-Submodule Update Workflow Mandate (cascaded from
constitution submodule §11.4.26)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Every time we add something
into our root (constitution Submodule) Constitution, CLAUDE.MD and
AGENTS.MD we MUST FIRST fetch and pull all new changes / work from
constitution Submodule first! All changes we apply MUST BE commited and
pushed to all constitution Submodule upstreams! In case of conflict, IT
MUST BE carefully resolved! Nothing can be broken, made faulty,
corrupted or unusable! After merging full validation and verification
MUST BE done!"</em></p>
</blockquote>
<p>Before ANY modification to
<code>constitution/{Constitution,CLAUDE,AGENTS}.md</code> in the parent
project, the agent or operator MUST execute the 7-step pipeline: (1)
fetch + pull first inside the constitution submodule worktree; (2) apply
the change with §11.4.17 classification + verbatim mandate quote; (3)
validate (meta-test + no merge-conflict markers + cross-file
consistency); (4) commit + push to EVERY configured upstream of the
constitution submodule (governance files only — never
<code>git add -A</code>); (5) careful conflict resolution preserving
union of governance content (force-push forbidden per CONST-043 / §9.2);
(6) post-merge <code>git submodule update --remote --init</code> +
re-run cascade verifier (CONST-047); (7) bump consuming project's
<code>.gitmodules</code> pointer to the new constitution HEAD in the
SAME commit as cascade work.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-049 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-049 and constitution submodule <code>Constitution.md</code>
§11.4.26 for the full mandate.</p>
<h2
id="const-050-no-fakes-beyond-unit-tests--100-test-type-coverage-mandate-cascaded-from-constitution-submodule-11427">CONST-050:
No-Fakes-Beyond-Unit-Tests + 100%-Test-Type-Coverage Mandate (cascaded
from constitution submodule §11.4.27)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Mocks, stubs, placeholders,
TODOs or FIXMEs are allowed to exist ONLY in Unit tests! All other test
types MUST interract with real fully implemented System! No fakes, empty
implementations or bluffing is allowed of any kind! All codebase of the
project MUST BE 100% covered with every supported test type: unit tests,
integration tests, e2e tests, full automation tests, security tests,
ddos tests, scaling tests, chaos tests, stress tests, performance tests,
benchmarking tests, ui tests, ux tests, Challenges (fully incorporating
our Challenges Submodule — <a
href="https://github.com/vasic-digital/Challenges">https://github.com/vasic-digital/Challenges</a>).
EVERYTHING MUST BE tested using HelixQA (fully incorporating HelixQA
Submodule — <a
href="https://github.com/HelixDevelopment/HelixQA">https://github.com/HelixDevelopment/HelixQA</a>).
HelixQA MUST BE used with all possible written tests suites (test banks)
for every applications, service, platform, etc and execution of the full
HelixQA QA autonomous sessions! All required dependency Submodules MUST
BE added into the project as well (fully recursive!!!)."</em></p>
</blockquote>
<p>Two cooperating invariants:</p>
<p><strong>(A) No-fakes-beyond-unit-tests.</strong> Mocks, stubs, fakes,
placeholders, <code>TODO</code>, <code>FIXME</code>, "for now", "in
production this would", or empty-implementation patterns are PERMITTED
only in unit-test sources. Every other test type — integration, E2E,
full automation, security, DDoS, scaling, chaos, stress, performance,
benchmarking, UI, UX, Challenges, HelixQA — MUST exercise this
submodule's real, fully implemented system against real infrastructure.
Production code MUST NOT import mock paths.</p>
<p><strong>(B) 100% test-type coverage.</strong> Codebase MUST be
covered by every supported test type the domain warrants: unit,
integration, E2E, full-automation, security, DDoS, scaling, chaos,
stress, performance, benchmarking, UI, UX, Challenges
(vasic-digital/Challenges submodule fully incorporated), HelixQA
(HelixDevelopment/HelixQA submodule fully incorporated, with full
autonomous QA sessions executing every registered test bank with
captured wire evidence).</p>
<p><strong>Required dependency submodules</strong> (recursive per
CONST-047): Challenges + HelixQA + any other functionality submodules
under vasic-digital/HelixDevelopment orgs this submodule depends on.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-050 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-050 and constitution submodule <code>Constitution.md</code>
§11.4.27 for the full mandate.</p>
<h2
id="const-051-submodules-as-equal-codebase--decoupling--dependency-layout-mandate-cascaded-from-constitution-submodule-11428">CONST-051:
Submodules-As-Equal-Codebase + Decoupling + Dependency-Layout Mandate
(cascaded from constitution submodule §11.4.28)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"All existing Submodules in
the project that we are controlling and belong to some our organizations
(vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory - we
can ALWAYS check dynamically using GitHub and GitLab CLIs) are equal
parts of the project's codebase! We MUST work on that code as much as we
do with main project's codebase! All on equal basis! Equally important!
... We MUST NEVER modify Submodules to bring into them any project
specific context since they all MUST BE ALWAYS fully decoupled, project
not-aware, fully reusable and modular (by any other project(s)),
completely testable! All Submodule dependencies that are used by
Submodule MUST BE acessed from the root of the project! We MUST NOT have
nested Submodule dependencies but accessing each from proper location
from the root of the project - directly from project's root
project_name/submodule_name or some more proper structure
project_name/submodules/submodule_name!"</em></p>
</blockquote>
<p>Three cooperating invariants apply to every owned-by-us submodule
(orgs: vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory, plus
any subsequently authorised org — discoverable via
<code>gh org list</code> / <code>glab</code>):</p>
<p><strong>(A) Equal-codebase.</strong> This submodule is an EQUAL part
of every consuming project's codebase. The consuming project's
engineering practice — analysis, extension, test creation, gap-filling,
bug-fix, documentation (user manuals, guides, diagrams, graphs, SQL
definitions, website pages, all materials) — applies to this submodule
on equal basis. Coverage ledgers (CONST-048) list this submodule as an
in-scope target.</p>
<p><strong>(B) Decoupling / reusability.</strong> This submodule MUST
remain fully decoupled from any specific consuming project. NEVER inject
project-specific context (hardcoded paths, hostnames, asset names,
naming schemes). Stay project-not-aware, reusable, modular, completely
testable as a standalone repository. When parent-project info is needed,
use configuration injection (env var, config file, constructor
parameter) — never a hardcoded reach.</p>
<p><strong>(C) Dependency-layout.</strong> Any dependency this submodule
consumes MUST be accessible from the consuming project's root at
<code>&lt;root&gt;/&lt;name&gt;/</code> or
<code>&lt;root&gt;/submodules/&lt;name&gt;/</code>. <strong>Nested
own-org submodule chains are FORBIDDEN</strong> — this submodule MUST
NOT have its own <code>.gitmodules</code> entries pulling in further
owned-by-us repos. Third-party submodules are exempt.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-051 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-051 and constitution submodule <code>Constitution.md</code>
§11.4.28 for the full mandate.</p>
<h2
id="const-052-lowercase-snake_case-naming-mandate-cascaded-from-constitution-submodule-11429">CONST-052:
Lowercase-Snake_Case-Naming Mandate (cascaded from constitution
submodule §11.4.29)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"naming convention for
Submodules and directories (applied deep into hierarchy recursively) -
all directories and Submodules MSUT HAVE lowercase names with space
separator between the words of '_' character (snake-case)! All existing
Submodules and directories which are not following this rule MUST BE
renamed! However, since this will most likely break some of the
functionalities renaming we do MUST BE applied to all references to
particular Submodule or directory! ... There MUST BE reasonable
exceptions for this rules - source code for programming languages or
Submodules which apply different naming convention - Android, Java,
Kotlin and others. ... Upstreams directory which all of our projects and
Submodules have MUST BE renamed to the lowercase letters too, however
root project containing the install_upstreams system command (it is
exported in out paths in our .bashrc or .zshrc) MUST BE updated to fully
work with both Upstreams and upstreams directory. ... NOTE: Rules
lowercase / snake-case do apply to all project files as well and
references to it and from them!"</em></p>
</blockquote>
<p>Every directory, submodule, and file in this submodule MUST use
lowercase snake_case names. Existing non-compliant names MUST be renamed
atomically with updates to every reference (configs, docs, source-code
imports, governance files). Reference drift after rename = CONST-052
violation of equal severity to the rename itself.</p>
<p><strong>Common-sense exceptions (technology-preserving):</strong>
language-mandated case for Java/Kotlin/Android/Apple/C#/Swift INSIDE
language-roots; vendor/upstream third-party submodules keep upstream
names; build artefacts (<code>node_modules</code>,
<code>__pycache__</code>, <code>.git</code>, <code>target</code>,
<code>build</code>, <code>bin</code>) keep tool-mandated names. The test
"does renaming break the technology?" trumps the rule.</p>
<p><strong><code>Upstreams/</code> → <code>upstreams/</code>
transition:</strong> the constitution submodule's
<code>install_upstreams.sh</code> (exported via
<code>.bashrc</code>/<code>.zshrc</code>) supports BOTH directory
layouts; lowercase wins when both present.</p>
<p><strong>Test coverage of renames</strong> (per CONST-050(B)):
regression test for reference resolution + full test-type matrix run +
anti-bluff wire-evidence captured.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-052 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-052 and constitution submodule <code>Constitution.md</code>
§11.4.29 for the full mandate.</p>
<h2
id="const-053-gitignore--no-versioned-build-artifacts-mandate-cascaded-from-constitution-submodule-11430">CONST-053:
.gitignore + No-Versioned-Build-Artifacts Mandate (cascaded from
constitution submodule §11.4.30)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"every project module, every
Submodule, every servcie and apolication MUST HAVE proper .gitignore
file! We MUST NOT git version build artifacts, cache files, tmp files,
main .env file(s) or any files containing sensitive data, API keys or
token! Any build derivate which we can recreate by executing proper
mechanism for generating MUST NOT be versioned! We MUST pay attention
what is going to be commited every time we are preparing to execute
commit! If any violetion is detected it MUST be fixed before commit is
executed!"</em></p>
</blockquote>
<p>Every project module, owned-by-us submodule, service, and application
MUST ship a proper <code>.gitignore</code>.
Forbidden-from-version-control classes:</p>
<ol type="1">
<li><strong>Build artefacts</strong>: <code>/bin/</code>,
<code>/build/</code>, <code>/dist/</code>, <code>/out/</code>,
<code>target/</code>, <code>*.exe</code>, <code>*.dll</code>,
<code>*.so</code>, <code>*.dylib</code>, <code>*.a</code>,
<code>*.o</code>, <code>*.class</code>, <code>*.pyc</code>,
generator-produced files when the generator is committed.</li>
<li><strong>Cache files</strong>: <code>__pycache__/</code>,
<code>.pytest_cache/</code>, <code>.mypy_cache/</code>,
<code>.ruff_cache/</code>, <code>node_modules/</code>,
<code>.next/</code>, <code>.cache/</code>, <code>.gradle/</code>,
<code>.terraform/</code>, language-server caches.</li>
<li><strong>Temp files</strong>: <code>*.tmp</code>, <code>*.swp</code>,
<code>*~</code>, <code>.DS_Store</code>, <code>Thumbs.db</code>,
<code>*.orig</code>, <code>*.rej</code>.</li>
<li><strong>Sensitive-data files</strong>: <code>.env</code>,
<code>.env.*</code> (allow <code>.env.example</code> placeholder only —
no real secrets even as examples), <code>*.pem</code>,
<code>*.key</code>, <code>*.crt</code>, <code>id_rsa*</code>,
<code>id_ed25519*</code>, <code>.netrc</code>, <code>secrets/</code>,
<code>api_keys.sh</code>.</li>
<li><strong>Generated reports/logs</strong>: <code>*.log</code>,
<code>coverage.out</code>, <code>htmlcov/</code>, runtime captures
unless reference assets.</li>
<li><strong>OS/IDE personal state</strong>: <code>.idea/</code>,
<code>.history/</code>, <code>.vscode/</code> (except shared
settings).</li>
</ol>
<p><strong>Anti-bluff invariant</strong>: <code>.gitignore</code> line
alone is not sufficient — no file matching the forbidden patterns may be
CURRENTLY TRACKED. A tracked <code>*.log</code> despite the ignore-line
is a violation of equal severity to no ignore-line at all.</p>
<p><strong>Pre-commit attention</strong>: every commit author (human OR
agent) MUST inspect <code>git diff --staged</code> +
<code>git status</code> BEFORE executing the commit. Forbidden-class
hits abort the commit until fixed (un-stage, add to
<code>.gitignore</code>, scrub if already-tracked). Gate
<code>CM-GITIGNORE-PRECOMMIT-AUDIT</code> + paired mutation.</p>
<p><strong>Secret-leak intersection (CONST-042 / §11.4.10):</strong> a
<code>.env</code> leak is BOTH a CONST-053 and a CONST-042 violation;
rotation + post-mortem required.</p>
<p><strong>Recreatable-content test</strong>: if a documented mechanism
regenerates the file from sources, it is a build derivative and MUST be
ignored. The committed sources MUST include the generator.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-053</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
repository-hygiene layer. See constitution submodule
<code>Constitution.md</code> §11.4.30 for the full mandate.</p>
<h2
id="const-054-submodule-dependency-manifest-mandate-cascaded-from-constitution-submodule-11431">CONST-054:
Submodule-Dependency-Manifest Mandate (cascaded from constitution
submodule §11.4.31)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"We MUST HAVE mechanism for
each Submodule to determine / know what are its Submodule dependencies
so new projects or palces we are incorporate them can add these
Submodules to the project root and make them available! Suggested idea
is configuration file with expected Submodules Git ssh urls perhaps? New
project can read it, and recursively add each Submodule to the root of
the project and install / expose it to veryone."</em></p>
</blockquote>
<p>Every owned-by-us submodule MUST ship <code>helix-deps.yaml</code> at
its root declaring its own-org dependencies. Schema:
<code>schema_version</code>,
<code>deps: [{name, ssh_url, ref, why, layout: flat|grouped}]</code>,
<code>transitive_handling.{recursive,conflict_resolution}</code>,
<code>language_specific_subtree</code>. Tooling:
<code>incorporate-submodule &lt;ssh-url&gt;</code> adds the submodule at
the parent project's canonical path (CONST-051(C)), reads
<code>helix-deps.yaml</code>, recurses for each declared dep, aborts on
conflicting refs, emits <code>&lt;root&gt;/.helix-manifest.yaml</code>
audit record.</p>
<p>Anti-bluff guarantee: every manifest paired with a Challenge that
bootstraps a throwaway consuming project, runs
<code>incorporate-submodule</code>, asserts produced layout matches the
manifest, runs the submodule's own tests against the bootstrapped
layout, captures wire evidence per §11.4.2. A manifest without this
proof is a CONST-054 violation.</p>
<p>§11.4.31 / CONST-054 is the <strong>operational complement</strong>
of CONST-051(C): nested own-org submodule chains are FORBIDDEN —
manifests are the bridge that lets consumers reconstruct the dependency
graph at the parent root.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-054</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
dependency-graph layer. See constitution submodule
<code>Constitution.md</code> §11.4.31 for the full mandate.</p>
<h2
id="const-055-post-constitution-pull-validation-mandate-cascaded-from-constitution-submodule-11432">CONST-055:
Post-Constitution-Pull Validation Mandate (cascaded from constitution
submodule §11.4.32)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Every time we fetch and pull
new changes on constitution Submodule we MUST process the whole project
and all Submodule (deep recursively) for validation and verification
taht every single rule or mandatory constraint is followed and
respected! If it is not, IT MUST BE!"</em></p>
</blockquote>
<p>Whenever a project's constitution submodule is fetched + pulled with
any content change, the project MUST run
<code>scripts/verify-all-constitution-rules.sh</code> BEFORE the new
constitution HEAD is treated as canonical for any other work. The sweep
re-runs the governance-cascade verifier AND every implementable rule
gate (CONST-053 <code>.gitignore</code> audit, CONST-051(C)
nested-own-org-chain audit, CONST-052 case audit, CONST-050(A)
mock-from-production audit, CONST-035 anti-bluff smoke, etc.) against
the post-pull tree. Failures populate the project's Issues tracker per
§11.4.15 (Status: <code>Reopened</code>, Type: <code>Bug</code>);
closure requires positive-evidence per §11.4.</p>
<p>Pull-time invocation:
<code>git submodule update --remote constitution</code> triggers the
sweep automatically (post-update hook OR commit-wrapper invocation).
Operator-explicit manual invocation also available.</p>
<p>Anti-bluff: the sweep's own meta-test (paired mutation per §1.1)
plants a known violation of each enforced gate and asserts the sweep
reports FAIL for the planted gate. A sweep that exits PASS without
running every implementable gate is a CONST-055 violation.</p>
<p>CONST-055 is the <strong>enforcement engine</strong> for every other
§11.4.x and CONST-NNN rule — without it, new rules cascade as anchors
but never get enforced.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-055</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
constitutional-enforcement layer. See constitution submodule
<code>Constitution.md</code> §11.4.32 for the full mandate.</p>
<h2
id="const-056-mandatory-install_upstreams-on-cloneadd-mandate-cascaded-from-constitution-submodule-11436">CONST-056:
Mandatory install_upstreams on clone/add Mandate (cascaded from
constitution submodule §11.4.36)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Every Submodule or Git
repository we add or clone MUST BE upstreams installed using
Upstreamable utility which MUST BE available through exported paths of
the host system (in .bashrc or .zhrc) using install_upstreams command
executed from the root of the cloned (added) repository - only if in it
is Upstreams or upstreams directory present with bash script files
(recipes) for all repository's upstreams!"</em></p>
</blockquote>
<p>Every clone / add of a Git repository under HelixCode MUST be
followed by <code>install_upstreams</code> invocation from the
repository's root IF its tree contains <code>upstreams/</code> (or
legacy <code>Upstreams/</code> per CONST-052 transition) populated with
<code>*.sh</code> recipe files. The utility (installed on operator's
<code>PATH</code> via <code>.bashrc</code>/<code>.zshrc</code>;
implementation in the constitution submodule's
<code>install_upstreams.sh</code> — already supports BOTH directory
names since constitution commit <code>45d3678</code>) reads the recipe
files, configures every declared upstream as a named git remote, and
fans out <code>origin</code> push URLs.</p>
<p>Skipping the invocation when <code>upstreams/</code> is present
silently breaks §2.1 (multi-upstream push is the norm) — the next push
lands on only one upstream. Gate
<code>CM-INSTALL-UPSTREAMS-ON-CLONE</code> + paired mutation.
Automation: the future <code>incorporate-submodule</code> per CONST-054
auto-invokes; manual invocation supported. Pre-commit check:
<code>git remote -v | grep -c push</code> reports expected count.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-056</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.36 for the full mandate.</p>
<h2
id="const-057-type-aware-closure-status-vocabulary-cascaded-from-constitution-submodule-11433">CONST-057:
Type-aware Closure-Status Vocabulary (cascaded from constitution
submodule §11.4.33)</h2>
<p>Every project tracking work items by Type per §11.4.16 MUST close
them with the Type-appropriate terminal <code>**Status:**</code> value,
drawn from this 3-element closed map:</p>
<table>
<thead>
<tr>
<th>Item <code>**Type:**</code></th>
<th>Closure <code>**Status:**</code> value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>Bug</code></td>
<td><code>Fixed (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Feature</code></td>
<td><code>Implemented (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Task</code></td>
<td><code>Completed (→ Fixed.md)</code></td>
</tr>
</tbody>
</table>
<p>The <code>(→ Fixed.md)</code> suffix is preserved across all three so
the existing migration-discipline tooling (atomic Issues.md → Fixed.md
move per §11.4.19) keeps working without per-Type branching. Generators
(<code>generate_issues_summary.sh</code>,
<code>generate_fixed_summary.sh</code>, the §11.4.23 colorizer) MUST
treat the three terminal values as semantically equivalent (all "closed,
positive evidence captured") while preserving the literal in the emitted
document.</p>
<p>Closing a <code>Feature</code> with <code>Fixed (→ Fixed.md)</code>
or a <code>Task</code> with <code>Implemented (→ Fixed.md)</code> is a
CONST-057 violation. Gate <code>CM-CLOSURE-VOCAB-TYPE-AWARE</code> walks
every Fixed.md heading + every Issues.md heading whose
<code>**Status:**</code> is one of the three terminal values and asserts
the Status-Type match. Composes with §11.4.15 / §11.4.16 / §11.4.19 /
§11.4.23.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-057</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.33 for the full mandate.</p>
<h2
id="const-058-reopened-source-attribution-mandate-cascaded-from-constitution-submodule-11434">CONST-058:
Reopened-Source Attribution Mandate (cascaded from constitution
submodule §11.4.34)</h2>
<p>Every Issues.md (or equivalent project tracker) heading whose
<code>**Status:**</code> is <code>Reopened</code> MUST carry, within 8
non-blank lines of the heading, a <code>**Reopened-Details:**</code>
line capturing four sub-facts:</p>
<ul>
<li><strong>By:</strong> <code>AI</code> or <code>User</code>
(source-of-truth observer who flipped the status). <code>AI</code>
covers in-loop reopens (test failure, gate regression, captured-evidence
retrospect). <code>User</code> covers operator-side observations (manual
testing, end-user report, design reconsideration).</li>
<li><strong>On:</strong> ISO date (<code>YYYY-MM-DD</code>).</li>
<li><strong>Reason:</strong> one-line cause classification — chosen from
the closed vocabulary
<code>{ test-failed | manual-testing-detected | captured-evidence-contradicts | end-user-report | cycle-re-discovered | design-reconsidered }</code>.
Other values permitted with explicit
<code>Reason: &lt;free text&gt;</code> annotation but the closed list
MUST be tried first.</li>
<li><strong>Evidence:</strong> path to or short description of the
captured artefact justifying the reopen — log file, recording, gate
failure ID, operator quote, etc. Reopens without evidence are §11.4.6 /
§11.4.7 violations (demotion from Fixed requires captured evidence under
the conditions that re-exposed the defect).</li>
</ul>
<p>The Issues_Summary.md Status column MUST distinguish the four
<code>Reopened</code> sub-states by source so a sweep query for "reopens
by AI in the last 30 days" is mechanically possible. Suggested column
rendering: <code>Reopened (AI: test-failed)</code> vs
<code>Reopened (User: manual-testing)</code>. Gate
<code>CM-ITEM-REOPENED-DETAILS</code> mirrors
<code>CM-ITEM-OPERATOR-BLOCKED-DETAILS</code> (§11.4.21 walk pattern).
Composes with §11.4.6 / §11.4.7 / §11.4.15 / §11.4.21.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-058</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.34 for the full mandate.</p>
<h2
id="const-059-canonical-root-inheritance-clarity-cascaded-from-constitution-submodule-11435">CONST-059:
Canonical-Root Inheritance Clarity (cascaded from constitution submodule
§11.4.35)</h2>
<p>The <strong>constitution submodule's</strong> three files
(<code>constitution/Constitution.md</code>,
<code>constitution/CLAUDE.md</code>,
<code>constitution/AGENTS.md</code>) ARE the <strong>canonical
root</strong> (also called the <strong>parent</strong> files). They
contain only universal rules per §11.4.17.</p>
<p>The consuming project's <strong>repository-root files</strong>
(<code>&lt;project-root&gt;/CLAUDE.md</code>,
<code>&lt;project-root&gt;/AGENTS.md</code>, optionally
<code>&lt;project-root&gt;/Constitution.md</code>) are <strong>consumer
extensions</strong>. They MUST start with the inheritance pointer
(either the Claude-Code native <code>@constitution/CLAUDE.md</code>
import or the portable
<code>## INHERITED FROM constitution/CLAUDE.md</code> heading). They
contain only project-specific rules per §11.4.17.</p>
<p><strong>When in doubt about which file to edit:</strong> universal
rule → constitution submodule's file; project-specific rule → consumer's
file. Default consumer-side when uncertain (§11.4.17 — narrower scope is
cheap to widen).</p>
<p><strong>Terminology:</strong> "the parent CLAUDE.md" / "the root
Constitution" → constitution-submodule file at
<code>constitution/&lt;filename&gt;</code>; "the project CLAUDE.md" /
"this project's AGENTS.md" → consumer-side file at
<code>&lt;project-root&gt;/&lt;filename&gt;</code>.</p>
<p><strong>No silent demotion or silent promotion.</strong> Moving a
rule between layers MUST be a visible commit — <code>git mv</code> of a
section if it's a clean clone, or explicit
<code>Lifted from &lt;project&gt; to constitution per §11.4.35</code> /
<code>Demoted from constitution to &lt;project&gt; per §11.4.35</code>
commit-message annotation.</p>
<p>Gate <code>CM-CANONICAL-ROOT-CLARITY</code> verifies (a) consumer's
<code>CLAUDE.md</code> opens with the inheritance pointer, (b)
constitution submodule's three files are present at the expected path,
(c) no <code>## INHERITED FROM</code> block in the constitution
submodule's own files (those ARE the source-of-truth, not consumers).
Composes with §11.4.17.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-059</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.35 for the full mandate.</p>
<h2
id="const-060-fetch-before-edit-mandate-cascaded-from-constitution-submodule-11437">CONST-060:
Fetch-before-edit Mandate (cascaded from constitution submodule
§11.4.37)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Make sure that
feedback_fetch_before_edit memory rule is part of our constitution
Submodule - the root Consitution, AGENTS.MD and CLAUDE.MD. Validate and
verify that Proejct-Toolkit and all Submodules do inherit all of them!
Follow the constitution Submodule documentation for details."</em></p>
</blockquote>
<p>The FIRST git-touching action of every session, on every consuming
project (owned or third-party), MUST be:</p>
<div class="sourceCode" id="cb8"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> fetch <span class="at">--all</span> <span class="at">--prune</span></span>
<span id="cb8-2"><a href="#cb8-2" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> log <span class="at">--oneline</span> HEAD..@{u}</span>
<span id="cb8-3"><a href="#cb8-3" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> submodule foreach <span class="at">--recursive</span> <span class="st">&#39;git fetch --all --prune --quiet&#39;</span></span></code></pre></div>
<p>If <code>HEAD..@{u}</code> is non-empty, integrate the upstream
changes BEFORE any local edit. Acting on stale local state produces
three failure modes documented in the originating §11.4.37 incident
(multi-agent / parallel-session work): (1) <strong>redundant
work</strong> — the agent re-does what a parallel session already
finished, (2) <strong>false confidence</strong> — completion reports for
already-done work, (3) <strong>divergent history</strong> — duplicate
sibling commits that double the conflict surface on next push.</p>
<p><strong>Anti-bluff invariant</strong>: the fetch+log check MUST
produce captured evidence — the actual <code>HEAD..@{u}</code> output,
even if empty. Skipping the check on the basis of "I just fetched" or
"nothing could have changed in the last N minutes" is a §11.4.6
(no-guessing) violation: the remote state is not knowable without a
fetch.</p>
<p><strong>Cascade requirement</strong>: This anchor (verbatim or by
<code>CONST-060</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
parallel-session-coordination layer. See constitution submodule
<code>Constitution.md</code> §11.4.37 for the full mandate.</p>
<p><strong>§11.4.52 — Autonomous-Validation Mandate (User mandate,
2026-05-18)</strong></p>
<p><strong>Forensic anchor — verbatim user mandate
(2026-05-18):</strong> "Make sure we have full automation tests which
will do all this work in full automation! IMPORTANT: Make sure that all
existing tests and Challenges do work in anti-bluff manner — they MUST
confirm that all tested codebase really works as expected! execution of
tests and Challenges MUST guarantee the quality, the completition and
full usability by end users of the product! This MUST BE part of
Constitution of our project, its CLAUDE.MD and AGENTS.MD if it is not
there already, and to be applied to all Submodules's Constitution,
CLAUDE.MD and AGENTS.MD as well."</p>
<p>Every user-facing feature MUST have at least one autonomous
validation path: end-to-end via <code>adb shell</code> + scripted
automation, captured runtime evidence per §11.4.5, PASS/FAIL verdict
WITHOUT human presence to drive UI, observe screen, or make decisions.
Operator-attended tests are SUPPLEMENTARY, never PRIMARY. A feature
whose ONLY validation path is operator-attended is a §11.4.52 violation
— the path does not scale to CI, does not run on every commit, does not
survive operator unavailability, and produces the exact "tests pass but
feature doesn't work for users" failure mode §11.4 forbids.</p>
<p>Acceptable autonomous paths: (a) programmatic instrumentation APK
(SDK-API exercises like <code>MediaCodec.createDecoderByName</code> +
structured JSON result file); (b) headless intent dispatch + state poll
(<code>am start --es</code> / <code>am broadcast</code> +
<code>dumpsys</code> / <code>/proc/&lt;pid&gt;/maps</code> /
<code>media.metrics</code> polling); (c) ADB-driven uiautomator (ONLY if
hierarchy has ≥1 clickable node — empty hierarchy demands fallback to
APK/intent); (d) network-side sink probe per §11.4.13; (e) HelixQA
autonomous QA session per §11.4.27.</p>
<p>Coverage ledger (§11.4.25) classifies each feature as
<code>AUTONOMOUS_VERIFIED</code> / <code>AUTONOMOUS_DESIGNED</code> /
<code>OPERATOR_ATTENDED_ONLY</code> / <code>NOT_APPLICABLE</code>.
<code>OPERATOR_ATTENDED_ONLY</code> blocks release until migrated; cite
tracked work item per §11.4.15 + §11.4.16. Autonomous paths themselves
MUST be anti-bluff: positive captured evidence + paired meta-test
mutation per §1.1.</p>
<p>Composes with §11.4.25 (full-automation coverage), §11.4.27 (no-fakes
+ 100% type coverage), §11.4.39 (per-feature on-device end-user
validation), §11.4.43 (TDD RED-first), §11.4.48 (UI-driven — fallback to
APK/intent when uiautomator hierarchy empty), §11.4.49 (dual-approach),
§11.4.50 (deterministic consistency), §11.4.51 (live-ADB-first).</p>
<p>Pre-build gates: <code>CM-COVENANT-114-52-PROPAGATION</code> +
<code>CM-AF-AUTONOMOUS-PATH-PER-FEATURE</code>. Paired mutations. No
escape hatch — no <code>--allow-operator-attended-only</code>,
<code>--skip-autonomous-path</code>,
<code>--manual-validation-suffices</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule
Constitution.md §11.4.52.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<h2
id="const-061-pre-force-push-merge-first-mandate-cascaded-from-constitution-submodule-11441">CONST-061:
Pre-Force-Push Merge-First Mandate (cascaded from constitution submodule
§11.4.41)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-17): <em>"make sure we bring
everything from branches to our side before forc push is done! Afer
everything is safely and fully merged and all potential conflicts (if
any) resolved, then do force push! make sure nothing isnlost, broken or
corrupted on bith sides! add these rules in our root Constitution,
CLAUDE.MD, AGENTS.MD (constitution Submodule) if itnis not added
already! Extremely important rules and mandatory constraints we MUST
HAVE and fully respect!"</em></p>
</blockquote>
<p>Any force-push (<code>--force</code>,
<code>--force-with-lease</code>, <code>+&lt;ref&gt;</code>, equivalent
history-rewrite) authorised under CONST-043 MUST be preceded by a
mechanical 4-step merge-first pipeline:</p>
<ol type="1">
<li><strong>Fetch every remote</strong> —
<code>git fetch --all --prune --tags</code> against origin + every
upstream; capture output.</li>
<li><strong>Integrate every divergent commit locally</strong> — rebase /
merge / operator-confirmed cherry-pick per appropriate strategy for
every non-empty <code>HEAD..&lt;remote&gt;/&lt;branch&gt;</code>
range.</li>
<li><strong>Audit the integrated tree</strong> — no conflict markers
anywhere
(<code>grep -rn '^&lt;&lt;&lt;&lt;&lt;&lt;&lt; \|^=======$\|^&gt;&gt;&gt;&gt;&gt;&gt;&gt; '</code>
returns empty in governance + source + test files); no file silently
dropped; previously-passing tests still pass; captured-evidence
artefacts still validate.</li>
<li><strong>Force-push</strong> — only after steps 1-3 produce clean
integration evidence: <code>git push --force-with-lease</code> (NEVER
<code>--force</code> alone unless authorised per §9.2 sub-clause
6).</li>
</ol>
<p><strong>Two-gate composition with CONST-043.</strong> §11.4.41 does
NOT relax CONST-043's operator-approval requirement — it adds a SECOND
mechanical gate. CONST-043 alone authorises a push that loses remote
work; §11.4.41 alone risks pushing without operator awareness. Both
required.</p>
<p><strong>Three failure modes prevented:</strong> (a) remote-side
content loss when parallel sessions land work between fetches; (b)
stale-state acts when <code>--force-with-lease</code> reads stale local
refs without prior fetch; (c) conflict-driven corruption when markers
get committed verbatim (observed 2026-05-17 in helix_qa + containers
governance files).</p>
<p><strong>Verification artefact</strong>: every governed force-push
emits a <code>docs/changelogs/&lt;tag&gt;.md</code> "Force-push
merge-first audit" section capturing fetch output, per-remote divergence
log, integration strategy, conflict-marker scan, test delta, push output
with lease SHA, + CONST-043 authorisation quote. Gate
<code>CM-FORCE-PUSH-MERGE-FIRST</code> + paired mutation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-061</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
remote-data-integrity layer. See constitution submodule
<code>Constitution.md</code> §11.4.41 for the full mandate.</p>
<p><strong>§11.4.53 — Fixed_Summary parity mandate (User mandate,
2026-05-18)</strong></p>
<p><strong>Forensic anchor — verbatim user mandate
(2026-05-18T17:55Z):</strong> "Note: Just like for Issues we have
Issues_Summary, for Fixed we MUST HAVE Fixed_Summary - like all other
docs: ALWAYS in sync and up to date and ALWAYS exported into the PDF and
HTML! Add this mandatory rule / constraint into the root (constitution
Submodule) Constitution, AGENTS.MD and CLAUDE.MD."</p>
<p><code>docs/Fixed_Summary.md</code> is the symmetric short-form
summary of <code>docs/Fixed.md</code>. MUST be regenerated whenever
<code>Fixed.md</code> changes. HTML + PDF exports MUST travel with the
markdown (identical mtimes within <code>sync_issues_docs.sh</code>
granularity). Stale exports are §11.4.53 violations regardless of
whether the underlying <code>.md</code> is correct. Same discipline as
§11.4.12 Issues_Summary applied to Fixed.md.</p>
<p>Generator: <code>scripts/testing/generate_fixed_summary.sh</code>
(canonical, executable, emits markdown table with <code>Status</code> +
<code>Type</code> columns per §11.4.19 column-alignment). Auto-sync
wrapper: <code>scripts/testing/sync_issues_docs.sh</code> regenerates
BOTH summaries in one shot, exports HTML + PDF, colorizes per §11.4.23,
re-renders PDFs. MUST be invoked after any edit to
<code>Fixed.md</code>. No <code>--issues-only</code> flag exists, and
§11.4.53 prohibits adding one.</p>
<p>Sort order: closure date DESC (most-recent-Fixed first), §-letter /
Fix-# secondary. Documented at the top of the generated file.</p>
<p>Composes with §11.4.12 (Issues_Summary sibling — canonical pair),
§11.4.19 (atomic Issues→Fixed migration trigger + column-alignment),
§11.4.23 (colorizer post-processes both summaries), §11.4.33 (type-aware
closure vocabulary — Fixed_Summary respects
<code>Fixed (→ Fixed.md)</code> / <code>Implemented (→ Fixed.md)</code>
/ <code>Completed (→ Fixed.md)</code> terminal values), §11.4.44
(revision header applies to <code>Fixed_Summary.md</code>), §12.10
(CONTINUATION.md resumption guarantee).</p>
<p>Pre-build gates: <code>CM-FIXED-SUMMARY-SYNC</code> (6 invariants —
Fixed_Summary exists + HTML/PDF mtime ≥ md mtime + Fixed_Summary mtime ≥
Fixed mtime + generator + sync wrapper invokes generator) +
<code>CM-COVENANT-114-53-PROPAGATION</code> (anchor literal across
canonical files). Paired mutations strip the anchor literal AND move the
generator aside AND backdate Fixed_Summary mtime. No escape hatch — no
<code>--skip-fixed-summary-sync</code>, <code>--issues-only</code>,
<code>--summary-not-applicable</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule
Constitution.md §11.4.53.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.58 — Parallel-development methodology (User mandate,
2026-05-19)</strong></p>
<p>Project work proceeds through the <strong>Parallel Work Unit (PWU)
pipeline</strong> rather than sequential Phase-chain. Each PWU has:
ATM-NNN identifier (§11.4.54), Issues.md entry (§11.4.15+§11.4.16),
file-scope manifest, §11.4.43 RED test, source patch, pre-build gate,
post-flash test, paired §1.1 meta-test mutation, HelixQA Challenge bank
entry, captured-evidence directory (§11.4.5+§11.4.52).</p>
<p><strong>5-stage pipeline:</strong> Stage 1 DEVELOP (parallel PWU
agents in worktrees) → Stage 2 MERGE (serial conductor + §11.4.41 4-step
merge-first) → Stage 3 REBUILD+FLASH (parallel where hardware allows) →
Stage 4 VALIDATE (parallel D3+D4+meta-test+coverage) → Stage 5 SWEEP
(parallel HelixQA + Fixed.md migration + README refresh). Stage 1 of
round N+1 overlaps with Stages 4-5 of round N.</p>
<p><strong>Synchronization:</strong> 4-layer lock hierarchy (parent
flock / per- submodule git / contention-path advisory locks for 10
forbidden cross- PWU paths / per-PWU worktree). Disjoint-scope PWUs
fully parallel.</p>
<p><strong>Anti-bluff merge-time enforcement (mandatory, all
four):</strong> C1 §11.4.43 RED-test captured. C2 §1.1 paired meta-test
mutation FAILs the gate. C3 §11.4.50 3-iter (or 10-iter)
deterministic-consistency. C4 §11.4.5 captured-evidence per feature
type. Metadata-only / configuration-only / absence-of-error /
grep-without-runtime PASS REJECTED. HelixQA Challenge bank coverage
MANDATORY for every user- visible PWU.</p>
<p><strong>Phase 39.EX infrastructure gates (5 gates land the parallel
infrastructure itself):</strong>
<code>CM-PWU-PARALLEL-VALIDATION-ORCHESTRATOR</code>,
<code>CM-PWU-HELIXQA-PER-DOMAIN-RUNNER</code>,
<code>CM-PWU-WORKER-POOL-LOCKING</code>,
<code>CM-PWU-FILE-SCOPE-PARTITION</code>,
<code>CM-PWU-AUTO-MERGE-GATE-6CONDITIONS</code>. Each ships a paired
meta-test mutation per §1.1.</p>
<p>Pre-build gates <code>CM-PWU-LOCK-HIERARCHY</code> +
<code>CM-PWU-ANTI-BLUFF-COVERAGE</code></p>
<ul>
<li><code>CM-PWU-MERGE-QUEUE-DISCIPLINE</code> +
<code>CM-PWU-PARALLEL-AGENT-LIMIT</code> +
<code>CM-COVENANT-114-58-PROPAGATION</code>. Paired mutations cover each
gate. No escape hatch.</li>
</ul>
<p>Canonical authority: constitution submodule <a
href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.58. Project-specific implementation reference: <a
href="docs/guides/PARALLEL_DEVELOPMENT_METHODOLOGY.md"><code>docs/guides/PARALLEL_DEVELOPMENT_METHODOLOGY.md</code></a>.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.65 — Universal Markdown export mandate (User mandate,
2026-05-19)</strong></p>
<p>Every Markdown document inside the project that is NOT part of an
application or service's source-code tree MUST have synchronized
<code>.html</code> and <code>.pdf</code> siblings. Includes:
project-root <code>*.md</code>, <code>docs/**/*.md</code>,
<code>scripts/**/*.md</code> (doc-format companion docs),
owned-submodule top-level README.md / CLAUDE.md / AGENTS.md /
CHANGELOG.md and their <code>docs/**/*.md</code>,
<code>constitution/**/*.md</code>, owned HelixQA submodules'
equivalents. Excludes: <code>external/**</code>,
<code>prebuilts/**</code>, <code>packages/modules/**</code>,
<code>kernel-5.10/**</code>, <code>out/**</code>, <code>build/**</code>,
application/service source-code trees, and third-party submodules NOT in
the owned set. Every edit triggers regeneration via
<code>scripts/testing/sync_all_markdown_exports.sh</code> (pandoc HTML +
weasyprint PDF, <code>timeout 60</code> per file, capped at 500
candidates). HTML + PDF mtime MUST be ≥ source <code>.md</code> mtime at
all times.</p>
<p>Pre-build gates <code>CM-UNIVERSAL-MARKDOWN-EXPORT-SYNC</code> +
<code>CM-COVENANT-114-65-PROPAGATION</code>. Paired meta-test mutations.
Composes with §11.4.12 / §11.4.18 / §11.4.23 / §11.4.44 / §11.4.45 /
§11.4.53 / §11.4.59 / §11.4.60 / §11.4.63 / §11.4.64. No escape hatch —
no <code>--skip-md-exports</code>, <code>--no-pdf-only</code>,
<code>--md-export-not-applicable</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a
href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.65.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.66 — Blocker-resolution interactive-clarification
mandate (User mandate, 2026-05-19)</strong></p>
<p>When any task is blocked (operator decision, hardware access,
external authorization, ambiguous scope), the agent MUST: (1) research
what's doable from the agent side without operator input; (2) calculate
minimum-viable operator input; (3) construct 2–4 mutually-exclusive
options with one marked "Recommended" and each stating what the agent
does after that answer; (4) present via the platform's interactive
question mechanism (<code>AskUserQuestion</code> on Claude Code) — NEVER
free-text "what would you like?" for closed- set decisions; (5) after
the answer, resume work without follow-up round-trips. Composes with
§11.4.6 / §11.4.7 / §11.4.40 / §11.4.41 / §11.4.42 / §11.4.52. No silent
waiting; no bulk-text questions when interactive options would do.</p>
<p>Pre-build gate <code>CM-COVENANT-114-66-PROPAGATION</code> enforces
the anchor literal across the 42-file consumer fleet. Paired meta- test
mutation strips the literal → gate FAILs. No escape hatch — no
<code>--skip-ask</code>, <code>--silent-wait</code>,
<code>--free-form-only</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a
href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.66.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.67 — Shell-script target-shell-parseability mandate
(User mandate, 2026-05-19)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-19):</strong> "any issue we spot must be fixed, bash scripts as
well if they are broken!"</p>
<ul>
<li>"Make sure that this is mandatory rule!"</li>
</ul>
<p>Every shell script that may be invoked under a target shell other
than the one in its shebang MUST parse cleanly under that target shell.
Forensic incident:
<code>device/rockchip/rk3588/tests/test_all_fixes.sh:114</code> used
bash-only <code>exec &gt; &gt;(tee -a "$f") 2&gt;&amp;1</code> on a
<code>sh script.sh</code> callsite — Android mksh parses the whole
script BEFORE executing, so the runtime
<code>[ -n "${BASH_VERSION:-}" ]</code> guard could not save it. Fixed
by wrapping in <code>eval 'exec &gt; &gt;(tee …) 2&gt;&amp;1'</code> so
the parser sees only a string.</p>
<p>Closed-set scope: every tracked <code>.sh</code> under
<code>device/rockchip/rk3588/tests/</code>, <code>scripts/</code>,
<code>scripts/testing/</code> (and equivalent paths in owned
submodules). OUT of scope: <code>external/</code>,
<code>prebuilts/</code>, <code>packages/modules/</code>,
<code>kernel-5.10/</code>, <code>out/</code>, <code>build/</code>,
<code>scripts/legacy/</code>. Mandatory invariants: (1) every in-scope
script parses under <code>sh -n</code>; (2) bash-only constructs
(<code>&gt;(...)</code>, <code>&lt;(...)</code>, <code>[[ ]]</code>,
<code>&lt;&lt;&lt;</code>, arrays, <code>${var^^}</code>, etc.) MUST be
wrapped in <code>eval</code> OR guarded by bash-only loading; (3)
shebangs honest — <code>#!/bin/bash</code> only if bash actually
expected; (4) fix at source per §11.4.1, never at callsites. Composes
with §11.4.1 / §11.4.4 / §11.4.6 / §11.4.50 / §11.4.51.</p>
<p>Pre-build gate <code>CM-SCRIPT-TARGET-SHELL-PARSEABLE</code> runs
<code>sh -n</code> on every in-scope script. Propagation gate
<code>CM-COVENANT-114-67-PROPAGATION</code> enforces the anchor literal
across the 44-file consumer fleet. Paired mutations: inject bash-only
outside <code>eval</code> → parse gate FAILs; strip <code>11.4.67</code>
literal → propagation gate FAILs. No escape hatch — no
<code>--skip-parseability-check</code>, <code>--bash-only-script</code>,
<code>--runtime-guard-suffices</code> flag.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a
href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.67.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
<p><strong>§11.4.69 — Universal sink-side positive-evidence taxonomy +
mechanical enforcement (User mandate, 2026-05-20)</strong></p>
<p><strong>Forensic anchor — direct user mandate (verbatim,
2026-05-20):</strong></p>
<blockquote>
<p>"THIS MUST HAPPEN NEVER AGAIN!!! We MUST HAVE this all working! Not
just for audio but for every single piece of the System!!! Proper full
automation when executed with success MUST MEAN that manual testing will
be as much positive at least regarding the success results! ... Solution
MUST BE universal, generic that solves working flows for all System
components and for all future and all existing projects! ... Everything
we do MUST BE validated and verified with rock-solid proofs and
anti-bluff policy enforcement and fulfillment!"</p>
</blockquote>
<p>Universal generalisation of §11.4.68 (audio-specific) across every
user-visible feature class. Closes the PASS-bluff pattern where tests
reported green while end users hit broken features (2026-05-19→20 D3
audio "82/84 PASS" + empty Arvus Codec-In-Use).</p>
<p><strong>The mandate.</strong> Every user-visible feature MUST map to
one entry in the closed-set §11.4.69 sink-side evidence taxonomy
(audio_output, audio_input, video_display, network_throughput,
network_connectivity, bluetooth_a2dp, bluetooth_pair, touch_input,
sensor, gpu_render, storage_read, storage_write, mediacodec_decode,
mediacodec_encode, miracast, cast, boot_service, package_install,
permission_grant, wifi_link, wifi_throughput, ethernet_link,
display_topology, drm_playback, subtitle_render — open to additions).
Every PASS for a feature in the taxonomy MUST cite a captured-evidence
artefact path matching the required evidence shape.</p>
<p><strong>Helper contracts (additive during grace; mandatory after
2026-06-19):</strong></p>
<ul>
<li><code>ab_pass_with_evidence &lt;description&gt; &lt;evidence_path&gt;</code>
— the new canonical PASS helper. Verifies path exists AND non-empty;
emits
<code>PASS: &lt;description&gt; [evidence: &lt;path&gt;]</code>.</li>
<li><code>ab_skip_with_reason &lt;description&gt; &lt;closed-set-reason&gt;</code>
— reasons: <code>geo_restricted</code>, <code>operator_attended</code>,
<code>hardware_not_present</code>, <code>topology_unsupported</code>,
<code>network_unreachable_external</code>,
<code>feature_disabled_by_config</code>. Forbids
<code>network_unreachable_external</code> for any taxonomy feature with
a sink-side probe.</li>
<li>Bare <code>ab_pass</code> deprecated — WARN pre-grace, FAIL
post-grace (2026-06-19).</li>
</ul>
<p><strong>Mechanical enforcement.</strong> Three pre-build gates +
three paired §1.1 meta-test mutations:</p>
<ul>
<li><code>CM-SINK-EVIDENCE-PER-FEATURE</code> — walks tests for
<code># §11.4.69 FEATURE: &lt;class&gt;</code> annotation + verifies
taxonomy probe + <code>ab_pass_with_evidence</code> use.</li>
<li><code>CM-NO-FAIL-OPEN-SKIP</code> — audits sink-side probe helpers;
FAILs if any code path converts empty/unreachable response to
PASS-counting SKIP for a feature class with a sink-side probe.</li>
<li><code>CM-AB-PASS-WITH-EVIDENCE-EVERYWHERE</code> — pre-grace WARN,
post- grace FAIL on bare <code>ab_pass</code> calls.</li>
</ul>
<p><strong>Composes with</strong> §11.4.1 (FAIL-bluffs forbidden),
§11.4.2 (recorded-evidence), §11.4.5 (audio + video 5-layer quality),
§11.4.6 (no-guessing), §11.4.13 (sink-side captured-evidence), §11.4.27
(no-fakes-beyond-unit), §11.4.50 (deterministic consistency), §11.4.52
(autonomous-validation), §11.4.68 (audio-specific sink-side — §11.4.69
is the universal generalisation).</p>
<p><strong>No escape hatch</strong> — no <code>--skip-evidence</code>,
<code>--config-only-pass</code>, <code>--allow-fail-open-skip</code>,
<code>--legacy-ab-pass-permitted</code> flag. The discipline exists
because the 2026-05-20 forensic incident demonstrated the failure: tests
reported audio-routing PASS while the user heard nothing and the Arvus
Codec-In-Use field was empty.</p>
<p>Propagation gate <code>CM-COVENANT-114-69-PROPAGATION</code> enforces
this anchor literal across the ~44-file consumer fleet. Paired mutation
strips the literal → gate FAILs.</p>
<p><strong>Canonical authority:</strong> constitution submodule <a
href="constitution/Constitution.md"><code>Constitution.md</code></a>
§11.4.69.</p>
<p>Non-compliance is a release blocker regardless of context.</p>
</body>
</html>