CONSTITUTION.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="pandoc" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
  <title>CONSTITUTION</title>
  <style>
    /* Default styles provided by pandoc.
    ** See https://pandoc.org/MANUAL.html#variables-for-html for config info.
    */
    html {
      color: #1a1a1a;
      background-color: #fdfdfd;
    }
    body {
      margin: 0 auto;
      max-width: 36em;
      padding-left: 50px;
      padding-right: 50px;
      padding-top: 50px;
      padding-bottom: 50px;
      hyphens: auto;
      overflow-wrap: break-word;
      text-rendering: optimizeLegibility;
      font-kerning: normal;
    }
    @media (max-width: 600px) {
      body {
        font-size: 0.9em;
        padding: 12px;
      }
      h1 {
        font-size: 1.8em;
      }
    }
    @media print {
      html {
        background-color: white;
      }
      body {
        background-color: transparent;
        color: black;
        font-size: 12pt;
      }
      p, h2, h3 {
        orphans: 3;
        widows: 3;
      }
      h2, h3, h4 {
        page-break-after: avoid;
      }
    }
    p {
      margin: 1em 0;
    }
    a {
      color: #1a1a1a;
    }
    a:visited {
      color: #1a1a1a;
    }
    img {
      max-width: 100%;
    }
    svg {
      height: auto;
      max-width: 100%;
    }
    h1, h2, h3, h4, h5, h6 {
      margin-top: 1.4em;
    }
    h5, h6 {
      font-size: 1em;
      font-style: italic;
    }
    h6 {
      font-weight: normal;
    }
    ol, ul {
      padding-left: 1.7em;
      margin-top: 1em;
    }
    li > ol, li > ul {
      margin-top: 0;
    }
    blockquote {
      margin: 1em 0 1em 1.7em;
      padding-left: 1em;
      border-left: 2px solid #e6e6e6;
      color: #606060;
    }
    code {
      font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
      font-size: 85%;
      margin: 0;
      hyphens: manual;
    }
    pre {
      margin: 1em 0;
      overflow: auto;
    }
    pre code {
      padding: 0;
      overflow: visible;
      overflow-wrap: normal;
    }
    .sourceCode {
     background-color: transparent;
     overflow: visible;
    }
    hr {
      border: none;
      border-top: 1px solid #1a1a1a;
      height: 1px;
      margin: 1em 0;
    }
    table {
      margin: 1em 0;
      border-collapse: collapse;
      width: 100%;
      overflow-x: auto;
      display: block;
      font-variant-numeric: lining-nums tabular-nums;
    }
    table caption {
      margin-bottom: 0.75em;
    }
    tbody {
      margin-top: 0.5em;
      border-top: 1px solid #1a1a1a;
      border-bottom: 1px solid #1a1a1a;
    }
    th {
      border-top: 1px solid #1a1a1a;
      padding: 0.25em 0.5em 0.25em 0.5em;
    }
    td {
      padding: 0.125em 0.5em 0.25em 0.5em;
    }
    header {
      margin-bottom: 4em;
      text-align: center;
    }
    #TOC li {
      list-style: none;
    }
    #TOC ul {
      padding-left: 1.3em;
    }
    #TOC > ul {
      padding-left: 0;
    }
    #TOC a:not(:hover) {
      text-decoration: none;
    }
    code{white-space: pre-wrap;}
    span.smallcaps{font-variant: small-caps;}
    div.columns{display: flex; gap: min(4vw, 1.5em);}
    div.column{flex: auto; overflow-x: auto;}
    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
    /* The extra [class] is a hack that increases specificity enough to
       override a similar rule in reveal.js */
    ul.task-list[class]{list-style: none;}
    ul.task-list li input[type="checkbox"] {
      font-size: inherit;
      width: 0.8em;
      margin: 0 0.8em 0.2em -1.6em;
      vertical-align: middle;
    }
    .display.math{display: block; text-align: center; margin: 0.5rem auto;}
    /* CSS for syntax highlighting */
    html { -webkit-text-size-adjust: 100%; }
    pre > code.sourceCode { white-space: pre; position: relative; }
    pre > code.sourceCode > span { display: inline-block; line-height: 1.25; }
    pre > code.sourceCode > span:empty { height: 1.2em; }
    .sourceCode { overflow: visible; }
    code.sourceCode > span { color: inherit; text-decoration: inherit; }
    div.sourceCode { margin: 1em 0; }
    pre.sourceCode { margin: 0; }
    @media screen {
    div.sourceCode { overflow: auto; }
    }
    @media print {
    pre > code.sourceCode { white-space: pre-wrap; }
    pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
    }
    pre.numberSource code
      { counter-reset: source-line 0; }
    pre.numberSource code > span
      { position: relative; left: -4em; counter-increment: source-line; }
    pre.numberSource code > span > a:first-child::before
      { content: counter(source-line);
        position: relative; left: -1em; text-align: right; vertical-align: baseline;
        border: none; display: inline-block;
        -webkit-touch-callout: none; -webkit-user-select: none;
        -khtml-user-select: none; -moz-user-select: none;
        -ms-user-select: none; user-select: none;
        padding: 0 4px; width: 4em;
        color: #aaaaaa;
      }
    pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa;  padding-left: 4px; }
    div.sourceCode
      {   }
    @media screen {
    pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
    }
    code span.al { color: #ff0000; font-weight: bold; } /* Alert */
    code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
    code span.at { color: #7d9029; } /* Attribute */
    code span.bn { color: #40a070; } /* BaseN */
    code span.bu { color: #008000; } /* BuiltIn */
    code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
    code span.ch { color: #4070a0; } /* Char */
    code span.cn { color: #880000; } /* Constant */
    code span.co { color: #60a0b0; font-style: italic; } /* Comment */
    code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
    code span.do { color: #ba2121; font-style: italic; } /* Documentation */
    code span.dt { color: #902000; } /* DataType */
    code span.dv { color: #40a070; } /* DecVal */
    code span.er { color: #ff0000; font-weight: bold; } /* Error */
    code span.ex { } /* Extension */
    code span.fl { color: #40a070; } /* Float */
    code span.fu { color: #06287e; } /* Function */
    code span.im { color: #008000; font-weight: bold; } /* Import */
    code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
    code span.kw { color: #007020; font-weight: bold; } /* Keyword */
    code span.op { color: #666666; } /* Operator */
    code span.ot { color: #007020; } /* Other */
    code span.pp { color: #bc7a00; } /* Preprocessor */
    code span.sc { color: #4070a0; } /* SpecialChar */
    code span.ss { color: #bb6688; } /* SpecialString */
    code span.st { color: #4070a0; } /* String */
    code span.va { color: #19177c; } /* Variable */
    code span.vs { color: #4070a0; } /* VerbatimString */
    code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
  </style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">CONSTITUTION</h1>
</header>
<h2 id="inherited-from-helix-constitution">INHERITED FROM Helix
Constitution</h2>
<p>This module is a submodule of a Helix-family project (e.g. HelixCode,
HelixAgent, ATMOSphere) that includes the Helix Constitution submodule
at the parent's <code>constitution/</code> path. All rules in
<code>constitution/CLAUDE.md</code> and the
<code>constitution/Constitution.md</code> it references (universal
anti-bluff covenant §11.4, no-guessing mandate §11.4.6,
credentials-handling mandate §11.4.10, host-session safety §12, data
safety §9, mutation- paired gates §1.1) apply unconditionally to every
change landed here. The module-specific rules below extend them — they
never weaken any universal clause.</p>
<p>When this file disagrees with the constitution submodule, the
constitution wins. Locate the constitution submodule from any arbitrary
nested depth using its <code>find_constitution.sh</code> helper.</p>
<p>Canonical reference: <a
href="https://github.com/HelixDevelopment/HelixConstitution">https://github.com/HelixDevelopment/HelixConstitution</a></p>
<hr />
<h1 id="helixcode-constitution">HelixCode Constitution</h1>
<h2 id="helixcode-project-constitution">HelixCode Project
Constitution</h2>
<p><strong>Version</strong>: 1.0.0 <strong>Effective Date</strong>:
2026-04-30 <strong>Scope</strong>: This Constitution applies to
HelixCode and ALL its submodules <strong>Authority</strong>: Cascaded
from HelixAgent root governance with HelixCode-specific addenda</p>
<hr />
<h2 id="preamble">Preamble</h2>
<p>HelixCode is an enterprise-grade distributed AI development platform.
This Constitution establishes the non-negotiable rules that govern all
development, testing, deployment, and maintenance activities within the
project. Every contributor, agent, and automated process MUST adhere to
these rules. No exceptions.</p>
<hr />
<h2 id="const-001-no-cicd-pipelines-permanent">CONST-001: No CI/CD
Pipelines (Permanent)</h2>
<p>No <code>.github/workflows/</code>, <code>.gitlab-ci.yml</code>,
<code>Jenkinsfile</code>, <code>.travis.yml</code>,
<code>.circleci/</code>, or any automated pipeline. No Git hooks. All
builds and tests run manually or via Makefile/script targets.</p>
<p><strong>Rationale</strong>: Manual execution ensures human oversight
and prevents automated propagation of bluffs.</p>
<hr />
<h2 id="const-002-no-mocks-in-production-permanent">CONST-002: No Mocks
in Production (Permanent)</h2>
<h3 id="const-002a-production-code">CONST-002a: Production Code</h3>
<p>Mocks, stubs, fakes, placeholder classes, TODO implementations are
STRICTLY FORBIDDEN in production code. All production code is fully
functional with real integrations.</p>
<h3 id="const-002b-test-code">CONST-002b: Test Code</h3>
<p>Mocks/stubs/fakes MAY be used ONLY in unit tests (files ending
<code>_test.go</code> run under <code>go test -short</code>).</p>
<p><strong>Rationale</strong>: Production bluffs have repeatedly been
discovered where features appeared implemented but were
non-functional.</p>
<hr />
<h2 id="const-003-no-https-for-git-permanent">CONST-003: No HTTPS for
Git (Permanent)</h2>
<p>SSH URLs only (<code>git@github.com:…</code>,
<code>git@gitlab.com:…</code>, etc.) for clones, fetches, pushes, and
submodule updates. SSH keys are configured on every service.</p>
<hr />
<h2 id="const-004-no-manual-container-commands-permanent">CONST-004: No
Manual Container Commands (Permanent)</h2>
<p>Container orchestration is owned by the project's binary/orchestrator
(e.g., <code>make build</code> → <code>./bin/&lt;app&gt;</code>). Direct
<code>docker</code>/<code>podman start|stop|rm</code> and
<code>docker-compose up|down</code> are prohibited as workflows.</p>
<hr />
<h2 id="const-005-100-real-data-for-non-unit-tests">CONST-005: 100% Real
Data for Non-Unit Tests</h2>
<p>Beyond unit tests, all components MUST use actual API calls, real
databases, live services. No simulated success. Fallback chains tested
with actual failures.</p>
<p><strong>Verification</strong>: Every integration/E2E test MUST
connect to real services or skip (not fail) if unavailable.</p>
<hr />
<h2 id="const-006-challenge-coverage-permanent">CONST-006: Challenge
Coverage (Permanent)</h2>
<p>Every component MUST have Challenge scripts
(<code>./challenges/scripts/</code>) validating real-life use cases. No
false success — validate actual behavior, not return codes.</p>
<hr />
<h2 id="const-007-health--observability">CONST-007: Health &amp;
Observability</h2>
<p>Every service MUST expose health endpoints. Circuit breakers for all
external dependencies. Prometheus / OpenTelemetry integration where
applicable.</p>
<hr />
<h2 id="const-008-documentation--quality">CONST-008: Documentation &amp;
Quality</h2>
<p>Update <code>CLAUDE.md</code>, <code>AGENTS.md</code>, and relevant
docs alongside code changes. Pass language-appropriate
format/lint/security gates. Conventional Commits:
<code>&lt;type&gt;(&lt;scope&gt;): &lt;description&gt;</code>.</p>
<hr />
<h2 id="const-009-validation-before-release">CONST-009: Validation
Before Release</h2>
<p>Pass the project's full validation suite
(<code>make ci-validate-all</code>-equivalent) plus all challenges
(<code>./challenges/scripts/run_all_challenges.sh</code>).</p>
<hr />
<h2 id="const-010-comprehensive-verification">CONST-010: Comprehensive
Verification</h2>
<p>Every fix MUST be verified from all angles: runtime testing (actual
HTTP requests / real CLI invocations), compile verification, code
structure checks, dependency existence checks, backward compatibility,
and no false positives. Grep-only validation is NEVER sufficient.</p>
<hr />
<h2 id="const-011-resource-limits-for-tests--challenges">CONST-011:
Resource Limits for Tests &amp; Challenges</h2>
<p>ALL test and challenge execution MUST be strictly limited to 30-40%
of host system resources. Use <code>GOMAXPROCS=2</code>,
<code>nice -n 19</code>, <code>ionice -c 3</code>, <code>-p 1</code> for
<code>go test</code>. Container limits required.</p>
<hr />
<h2 id="const-012-bugfix-documentation">CONST-012: Bugfix
Documentation</h2>
<p>All bug fixes MUST be documented in
<code>docs/issues/fixed/BUGFIXES.md</code> with root cause analysis,
affected files, fix description, and a link to the verification
test/challenge.</p>
<hr />
<h2 id="const-013-real-infrastructure-for-all-non-unit-tests">CONST-013:
Real Infrastructure for All Non-Unit Tests</h2>
<p>Mocks/fakes/stubs/placeholders MAY be used ONLY in unit tests. ALL
other test types — integration, E2E, functional, security, stress,
chaos, challenge, benchmark, runtime verification — MUST execute against
REAL running systems with REAL containers, REAL databases, REAL
services, and REAL HTTP calls.</p>
<hr />
<h2 id="const-014-reproduction-before-fix-mandatory">CONST-014:
Reproduction-Before-Fix (Mandatory)</h2>
<p>Every reported error, defect, or unexpected behavior MUST be
reproduced by a Challenge script BEFORE any fix is attempted.
Sequence:</p>
<ol type="1">
<li>Write the Challenge first</li>
<li>Run it; confirm fail (it reproduces the bug)</li>
<li>Then write the fix</li>
<li>Re-run; confirm pass</li>
<li>Commit Challenge + fix together</li>
</ol>
<p>The Challenge becomes the regression guard for that bug forever.</p>
<hr />
<h2 id="const-015-concurrent-safe-containers">CONST-015: Concurrent-Safe
Containers</h2>
<p>Any struct field that is a mutable collection (map, slice) accessed
concurrently MUST use thread-safe primitives. Bare
<code>sync.Mutex + map/slice</code> combinations are prohibited for new
code.</p>
<hr />
<h2 id="const-016-definition-of-done-universal">CONST-016: Definition of
Done (Universal)</h2>
<p>A change is NOT done because code compiles and tests pass. "Done"
requires pasted terminal output from a real run.</p>
<ul>
<li><strong>No self-certification</strong>: Words like <em>verified,
tested, working, complete, fixed, passing</em> are forbidden in
commits/PRs/replies unless accompanied by pasted output from a command
that ran in that session.</li>
<li><strong>Demo before code</strong>: Every task begins by writing the
runnable acceptance demo</li>
<li><strong>Real system, every time</strong>: Demos run against real
artifacts</li>
<li><strong>Skips are loud</strong>: <code>t.Skip</code> without a
trailing <code>SKIP-OK: #&lt;ticket&gt;</code> comment breaks
validation</li>
</ul>
<hr />
<h2
id="const-035--anti-bluff-tests--challenges-user-mandate-forensic-anchor">CONST-035
— Anti-Bluff Tests &amp; Challenges (User-Mandate Forensic Anchor)</h2>
<p><strong>§11.9 User-Mandate Forensic Anchor (2026-04-29)</strong></p>
<p>This Article exists because of an explicit, repeatedly-stated user
mandate. The verbatim text:</p>
<blockquote>
<p>"We had been in position that all tests do execute with success and
all Challenges as well, but in reality the most of the features does not
work and can't be used! This MUST NOT be the case and execution of tests
and Challenges MUST guarantee the quality, the completion and full
usability by end users of the product!"</p>
</blockquote>
<p>This anchor is the primary authority for the entire Article. The
operative rule is:</p>
<p><strong>The bar for shipping is not "tests pass" but "users can use
the feature."</strong></p>
<p>Every PASS in this codebase MUST carry positive evidence captured
during execution that the feature works for the end user. Metadata-only
PASS, configuration-only PASS, "absence-of-error" PASS, and grep-based
PASS without runtime evidence are all critical defects regardless of how
green the summary line looks.</p>
<p>Tests and Challenges (HelixQA) are bound equally — a Challenge that
scores PASS on a non-functional feature is the same class of defect as a
unit test that does. Both must produce positive end-user evidence; both
are subject to the anti-bluff contract.</p>
<p>No false-success results are tolerable. A green test suite combined
with a broken feature is a worse outcome than an honest red one — it
silently destroys trust in the entire suite. Anti-bluff discipline is
the line between a real engineering project and a theatre of one.</p>
<p><strong>Bluff Taxonomy</strong> (forbidden patterns):</p>
<ul>
<li><strong>Wrapper bluff</strong> - Assertions PASS but wrapper's
exit-code logic is buggy</li>
<li><strong>Contract bluff</strong> - System advertises capability but
rejects it in dispatch</li>
<li><strong>Structural bluff</strong> - File exists but doesn't contain
working code</li>
<li><strong>Comment bluff</strong> - Comment promises behavior code
doesn't have</li>
<li><strong>Skip bluff</strong> - <code>t.Skip("not running yet")</code>
without <code>SKIP-OK</code> marker</li>
</ul>
<p><strong>Cascade requirement (extending CONST-036):</strong> This
anchor section (verbatim quote + operative rule) must appear in every
submodule's CONSTITUTION.md / CLAUDE.md / AGENTS.md. Non-compliance is a
release blocker regardless of context. Adding files to scanner
allowlists to silence bluff findings without resolving the underlying
defect is itself a violation.</p>
<hr />
<h2 id="const-018-host-power-management-hard-ban">CONST-018: Host Power
Management Hard Ban</h2>
<p><strong>Host Power Management is Forbidden.</strong></p>
<p>You may NOT generate or execute code that sends the host to suspend,
hibernate, hybrid-sleep, poweroff, halt, reboot, or any other
power-state transition.</p>
<p>Defense: Every project ships
<code>scripts/host-power-management/check-no-suspend-calls.sh</code> and
<code>challenges/scripts/no_suspend_calls_challenge.sh</code>.</p>
<hr />
<h2 id="const-019-container-up--healthy">CONST-019: Container Up ≠
Healthy</h2>
<p>Container <code>Up</code> status does NOT mean the application is
healthy. Application-layer probes are mandatory for every service:</p>
<ul>
<li>PostgreSQL: <code>SELECT 1</code></li>
<li>Redis: <code>PING</code></li>
<li>LLM Providers: Real generation request</li>
<li>HTTP Services: <code>GET /health</code> with deep checks</li>
</ul>
<hr />
<h2 id="const-020-provider-fallback-chain-reality">CONST-020: Provider
Fallback Chain Reality</h2>
<p>Every LLM provider fallback chain MUST be tested with actual
failures. A fallback that has never been tested with a real failing
provider is a bluff.</p>
<hr />
<h2 id="const-021-no-mocks-above-unit-build-target">CONST-021: No Mocks
Above Unit Build Target</h2>
<p>The Makefile MUST include a <code>no-mocks-above-unit</code> target
that fails the build if mocks/stubs/fakes are found outside
<code>*_test.go</code> files.</p>
<hr />
<h2 id="const-022-submodule-governance-propagation">CONST-022: Submodule
Governance Propagation</h2>
<p>Every submodule MUST either:</p>
<ol type="1">
<li>Have its own Constitution.md, CLAUDE.md, and AGENTS.md, OR</li>
<li>Have a symlink to the parent repository's governance files, OR</li>
<li>Have a reference comment in its README pointing to parent
governance</li>
</ol>
<p>No submodule is exempt from these rules.</p>
<hr />
<h2 id="const-023-docker-health-checks-mandatory">CONST-023: Docker
Health Checks Mandatory</h2>
<p>Every Dockerfile MUST include:</p>
<div class="sourceCode" id="cb1"><pre
class="sourceCode dockerfile"><code class="sourceCode dockerfile"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="kw">HEALTHCHECK</span> <span class="op">--interval=30s</span> <span class="op">--timeout=10s</span> <span class="op">--start-period=5s</span> <span class="op">--retries=3</span> \</span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">CMD</span> <span class="ex">curl</span> <span class="at">-f</span> http://localhost:8080/health <span class="kw">||</span> <span class="bu">exit</span> 1</span></code></pre></div>
<p>The health endpoint MUST perform deep checks (database connection,
provider availability), not just return HTTP 200.</p>
<hr />
<h2 id="const-024-version-pinning">CONST-024: Version Pinning</h2>
<p>All dependencies MUST be pinned to specific versions in
<code>go.mod</code>. No <code>latest</code>, no floating tags. Renovate
or Dependabot (manual review only — see CONST-001) may propose
updates.</p>
<hr />
<h2 id="const-025-secret-management">CONST-025: Secret Management</h2>
<p>NO secrets in code. EVER. Secrets via:</p>
<ul>
<li>Environment variables (production)</li>
<li><code>.env</code> files (development, in
<code>.gitignore</code>)</li>
<li>Vault/Secret Manager (enterprise)</li>
<li>Docker secrets (containerized)</li>
</ul>
<p><code>go mod tidy</code> MUST NOT add secret-scanning bypasses.</p>
<hr />
<h2 id="const-026-minimal-privilege-containers">CONST-026: Minimal
Privilege Containers</h2>
<p>Containers run as non-root. Every Dockerfile:</p>
<div class="sourceCode" id="cb2"><pre
class="sourceCode dockerfile"><code class="sourceCode dockerfile"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="kw">RUN</span> <span class="ex">adduser</span> <span class="at">-D</span> <span class="at">-u</span> 1001 helixcode</span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="kw">USER</span> helixcode</span></code></pre></div>
<hr />
<h2 id="const-027-network-isolation">CONST-027: Network Isolation</h2>
<p>Container orchestration MUST use internal networks. Services
communicate via named hosts, not exposed ports where possible.</p>
<hr />
<h2 id="const-028-backup-before-destructive-operations">CONST-028:
Backup Before Destructive Operations</h2>
<p>Every file editing tool MUST create backups before modification. The
backup MUST be restorable.</p>
<hr />
<h2 id="const-029-input-validation-at-all-boundaries">CONST-029: Input
Validation at All Boundaries</h2>
<p>Every public function MUST validate inputs. No trust of
caller-provided data. SQL injection, path traversal, command injection
MUST be impossible by design.</p>
<hr />
<h2 id="const-030-graceful-degradation">CONST-030: Graceful
Degradation</h2>
<p>When external services are unavailable, the system MUST degrade
gracefully:</p>
<ul>
<li>Return partial results where possible</li>
<li>Queue operations for retry</li>
<li>Inform user of degraded state</li>
<li>NEVER crash or hang indefinitely</li>
</ul>
<hr />
<h2 id="const-031-audit-trail">CONST-031: Audit Trail</h2>
<p>Every significant operation MUST be logged with:</p>
<ul>
<li>Timestamp</li>
<li>User identity</li>
<li>Operation type</li>
<li>Success/failure status</li>
<li>Resource affected</li>
</ul>
<p>Log retention: 90 days minimum.</p>
<hr />
<h2 id="const-032-emergency-stop">CONST-032: Emergency Stop</h2>
<p>Every long-running or distributed operation MUST support cancellation
via <code>context.Context</code>. Users MUST be able to interrupt any
operation.</p>
<hr />
<h2 id="const-033-data-integrity">CONST-033: Data Integrity</h2>
<p>Database writes MUST be transactional. Partial writes MUST be rolled
back. Consistency checks MUST run periodically.</p>
<hr />
<h2 id="const-034-api-stability">CONST-034: API Stability</h2>
<p>Public APIs maintain backward compatibility within major versions.
Deprecation requires:</p>
<ul>
<li>6-month notice</li>
<li>Migration guide</li>
<li>Compatibility shim</li>
</ul>
<hr />
<h2
id="const-035-end-user-usability-mandate-2026-04-29-strengthening">CONST-035:
End-User Usability Mandate (2026-04-29 Strengthening)</h2>
<p>A test or Challenge that PASSES is a CLAIM that the tested behavior
<strong>works for the end user of the product</strong>.</p>
<p>The HelixAgent project has repeatedly hit the failure mode where
every test ran green AND every Challenge reported PASS, yet most product
features did not actually work. This MUST NOT recur in HelixCode.</p>
<p>Every PASS result MUST guarantee: a. <strong>Quality</strong> -
correct behavior under real inputs, edge cases, concurrency b.
<strong>Completion</strong> - wired end-to-end with no stub/placeholder
gaps c. <strong>Full usability</strong> - a user following documented
request shapes SUCCEEDS</p>
<p>A passing test that doesn't certify all three is a
<strong>bluff</strong> and MUST be tightened.</p>
<p><strong>Bluff taxonomy</strong> (each pattern observed and now
forbidden):</p>
<ul>
<li><strong>Wrapper bluff</strong> - assertions PASS but wrapper's
exit-code logic is buggy</li>
<li><strong>Contract bluff</strong> - system advertises capability but
rejects it in dispatch</li>
<li><strong>Structural bluff</strong> - <code>check_file_exists</code>
passes but doesn't run the test</li>
<li><strong>Comment bluff</strong> - comment promises behavior code
doesn't actually have</li>
<li><strong>Skip bluff</strong> - <code>t.Skip("not running yet")</code>
without <code>SKIP-OK: #&lt;ticket&gt;</code> marker</li>
</ul>
<p><strong>Full background</strong>:
<code>docs/HOST_POWER_MANAGEMENT.md</code> and this Constitution
(CONST-035).</p>
<hr />
<h2 id="const-036-propagation-to-submodules">CONST-036: Propagation to
Submodules</h2>
<p>This Constitution, along with CLAUDE.md and AGENTS.md, MUST be
propagated to ALL submodules. Each submodule's governance MUST reference
this parent Constitution. Changes to this Constitution MUST trigger
review of all submodule governance files.</p>
<hr />
<h2
id="const-037-llmsverifier-single-source-of-truth-mandate">CONST-037:
LLMsVerifier Single Source of Truth Mandate</h2>
<p><strong>Rule</strong>: LLMsVerifier SHALL BE the sole authoritative
source for:</p>
<ol type="1">
<li>All model metadata (names, IDs, context windows, capabilities)</li>
<li>All provider metadata (endpoints, auth types, supported models)</li>
<li>All verification status (verified, partial, failed, pending)</li>
<li>All scoring data (overall scores, capability scores, tier
rankings)</li>
<li>All rate-limit and cooldown state</li>
</ol>
<p><strong>Prohibition</strong>: NO hardcoded model lists, NO hardcoded
provider lists, NO simulated model discovery. Any code path that
presents a model or provider listing to a user MUST fetch that listing
from the LLMsVerifier subsystem or its cached replica.</p>
<p><strong>Anti-Bluff Verification</strong>:</p>
<ul>
<li>The challenge script
<code>challenges/scripts/verifier_hardcode_check.sh</code> MUST scan all
Go source files for hardcoded model arrays.</li>
<li>Any <code>[]string{"gpt-4", "claude-3"}</code> or equivalent literal
in production code is a constitutional violation.</li>
<li>The only permitted hardcoded data is the LLMsVerifier service
endpoint URL and the list of verification test types.</li>
</ul>
<p><strong>Enforcement</strong>: <code>make test-complete</code> MUST
include a test that asserts
<code>ModelManager.GetAvailableModels()</code> returns at least as many
models as the verifier's database contains for configured providers. A
test that passes while the CLI shows a hardcoded list is a TEST BLUFF
and violates CONST-035.</p>
<hr />
<h2 id="const-038-model-provider-anti-bluff-guarantee">CONST-038: Model
Provider Anti-Bluff Guarantee</h2>
<p><strong>Rule</strong>: Every model displayed to an end user MUST have
been verified by LLMsVerifier within the last
<code>verification_timeout</code> period (default: 24h). Models older
than this MUST display a "stale" indicator and be deprioritized.</p>
<p><strong>Prohibition Against Test Bluffing</strong>:</p>
<ul>
<li>A unit test that mocks the verifier client and asserts
<code>GetAvailableModels()</code> returns 3 models DOES NOT satisfy this
rule.</li>
<li>An integration test that starts the verifier server, performs real
provider discovery, and confirms the model count matches the actual
provider API response DOES satisfy this rule.</li>
<li>The Makefile target <code>make test-verifier-integration</code> MUST
exist and MUST run without mocks.</li>
</ul>
<p><strong>The "Tests Pass But Features Don't Work"
Guarantee</strong>:</p>
<pre><code>NO TEST MAY PASS UNLESS THE FEATURE IT TESTS IS DEMONSTRABLY USABLE
BY AN END USER IN THE SAME BUILD.</code></pre>
<ul>
<li>If <code>TestModelList</code> passes but
<code>helixcode --list-models</code> shows hardcoded data, the test is a
BLUFF.</li>
<li>If <code>TestProviderHealth</code> passes but the health endpoint
returns <code>200 OK</code> for a provider that is actually down, the
test is a BLUFF.</li>
<li>If <code>TestLLMGeneration</code> passes but
<code>--prompt "hello"</code> returns a simulated string, the test is a
BLUFF.</li>
<li>Bluff tests MUST be rewritten or deleted. There is no "grandfather"
exception.</li>
</ul>
<p><strong>Evidence Standard</strong>: Every test that claims to verify
model/provider functionality MUST:</p>
<ol type="1">
<li>Call a real API endpoint or a real verifier database</li>
<li>Assert on response content that could only come from that real
source</li>
<li>Include a test that runs the CLI binary with
<code>--list-models</code> and checks output against verifier data</li>
</ol>
<hr />
<h2 id="const-039-real-time-model-status-accuracy">CONST-039: Real-Time
Model Status Accuracy</h2>
<p><strong>Rule</strong>: Model status (available, rate-limited,
cooldown, offline, deprecated) displayed to users MUST reflect the
actual state as known by LLMsVerifier within <code>max_staleness</code>
seconds (default: 60s).</p>
<p><strong>Polling vs. Push</strong>:</p>
<ul>
<li>If WebSocket/SSE push is unavailable, the system MUST poll
LLMsVerifier at most every <code>status_poll_interval</code> (default:
30s).</li>
<li>The TUI MUST display a "last updated" timestamp with every model
listing.</li>
<li>Models in "cooldown" or "rate-limited" state MUST show the estimated
recovery time if known.</li>
</ul>
<p><strong>Accuracy Verification</strong>:</p>
<ul>
<li>Challenge script
<code>challenges/scripts/model_status_accuracy_challenge.sh</code> MUST:
<ol type="1">
<li>Artificially rate-limit a provider by exhausting its quota</li>
<li>Wait for the status to propagate to the verifier</li>
<li>Check that <code>helixcode --list-models</code> shows the
rate-limited status within 60s</li>
<li>Check that <code>SelectOptimalModel()</code> no longer selects the
rate-limited model</li>
</ol></li>
</ul>
<p><strong>Prohibition</strong>: Status indicators that are "always
green" or that lag &gt;60s behind reality violate this rule.</p>
<hr />
<h2
id="const-040-all-providers-and-models-integration-mandate">CONST-040:
All Providers and Models Integration Mandate</h2>
<p><strong>Rule</strong>: HelixCode MUST integrate with ALL providers
and models that LLMsVerifier supports, subject only to:</p>
<ol type="1">
<li>The provider being explicitly disabled in configuration
(<code>enabled: false</code>)</li>
<li>The API key being absent and the provider requiring one</li>
<li>The provider being marked <code>deprecated</code> in the verifier
database</li>
</ol>
<p><strong>Minimum Provider Set</strong> (SHALL NOT be reduced without
constitutional amendment): | Provider | Auth Type | Required Env Var |
|----------|-----------|-----------------| | OpenAI | API Key |
<code>OPENAI_API_KEY</code> | | Anthropic | API Key / OAuth |
<code>ANTHROPIC_API_KEY</code> | | Gemini | API Key |
<code>GEMINI_API_KEY</code> | | DeepSeek | API Key |
<code>DEEPSEEK_API_KEY</code> | | Groq | API Key |
<code>GROQ_API_KEY</code> | | Mistral | API Key |
<code>MISTRAL_API_KEY</code> | | xAI | API Key |
<code>XAI_API_KEY</code> | | OpenRouter | API Key |
<code>OPENROUTER_API_KEY</code> | | Ollama | Local | None (auto-detect)
| | Llama.cpp | Local | None (auto-detect) |</p>
<p><strong>Integration Requirement</strong>: For every provider in the
minimum set:</p>
<ul>
<li>There MUST be a provider adapter file in <code>internal/llm/</code>
or <code>internal/verifier/adapters/</code></li>
<li>There MUST be a <code>*_test.go</code> file with real API tests
(skipped only if <code>HELIX_SKIP_LIVE_PROVIDER_TESTS</code> is
set)</li>
<li>There MUST be a challenge script in
<code>challenges/scripts/</code></li>
<li>The model listing MUST include models from this provider when the
provider is enabled</li>
</ul>
<hr />
<h2
id="const-041-mcp--lsp--acp--embedding--rag--skills--plugins-integration-mandate">CONST-041:
MCP / LSP / ACP / Embedding / RAG / Skills / Plugins Integration
Mandate</h2>
<p><strong>Rule</strong>: LLMsVerifier integration SHALL extend beyond
basic model listing to cover ALL capability dimensions:</p>
<ol type="1">
<li><p><strong>MCP (Model Context Protocol)</strong>: The verifier MUST
report which models support MCP tool calling. HelixCode's MCP subsystem
MUST consult verifier capability flags before selecting a model for
tool-use tasks.</p></li>
<li><p><strong>LSP (Language Server Protocol)</strong>: The verifier
MUST report code-analysis capabilities. Models without
<code>code_analysis</code> capability MUST NOT be selected for
refactoring or debugging tasks.</p></li>
<li><p><strong>ACP (Agent Capability Protocol)</strong>: The verifier
MUST report multi-agent coordination support. Models with
<code>supports_parallel_tool_use</code> MUST be preferred for ACP
workflows.</p></li>
<li><p><strong>Embedding</strong>: The verifier MUST report
<code>supports_embeddings</code> for each model. The
<code>CogneeConfig</code> embedding model selection MUST be
verifier-aware.</p></li>
<li><p><strong>RAG (Retrieval-Augmented Generation)</strong>: The
verifier MUST report context-window sizes. RAG chunking strategies MUST
adapt to the selected model's <code>context_window_tokens</code> as
reported by the verifier.</p></li>
<li><p><strong>Skills / Plugins</strong>: The verifier MUST track plugin
compatibility. Models flagged <code>plugin_compatible</code> MUST be
used when skill/plugin execution is required.</p></li>
</ol>
<p><strong>Capability Checklist</strong> (MUST be verified by
challenge):</p>
<ul class="task-list">
<li><label><input type="checkbox" />MCP tool calling verified for at
least 3 providers</label></li>
<li><label><input type="checkbox" />LSP code-analysis verified for at
least 3 providers</label></li>
<li><label><input type="checkbox" />ACP parallel tool use verified for
at least 2 providers</label></li>
<li><label><input type="checkbox" />Embedding generation verified for at
least 2 providers</label></li>
<li><label><input type="checkbox" />RAG context-window adaptation
verified</label></li>
<li><label><input type="checkbox" />Skills/plugin execution verified for
at least 2 providers</label></li>
</ul>
<p><strong>Prohibition</strong>: Capability flags MUST NOT be hardcoded.
The <code>Provider.GetCapabilities()</code> method MUST return data
sourced from the verifier's <code>VerificationResult</code> fields.</p>
<hr />
<h2 id="article-xii--repository-safety">Article XII — Repository
Safety</h2>
<h3 id="121-const-042--no-secret-leak">§12.1 (CONST-042) —
No-Secret-Leak</h3>
<p>No API key, token, password, certificate, or other credential may be
committed to any repository owned by HelixDevelopment or vasic-digital,
transitively or otherwise. All secrets live in <code>.env</code> files
(mode 0600) listed in <code>.gitignore</code>. Any leak — to git, logs,
build artefacts, screenshots, or external services — is a release
blocker until rotated and post-mortemed.</p>
<p><strong>Operational requirements:</strong></p>
<ul>
<li>Every repo must have <code>.env</code>, <code>.env.local</code>,
<code>.env.*</code> (with <code>!.env.example</code> exception),
<code>*.pem</code>, <code>*.key</code>, <code>*.crt</code>,
<code>id_rsa*</code> in <code>.gitignore</code>.</li>
<li><code>scripts/scan-secrets.sh</code> (or equivalent) must run before
every push; failing it blocks the push.</li>
<li>API keys for development are sourced from the canonical
<code>../helix_agent/.env</code> (mode 0600, never under git) and copied
— never symlinked, never committed — into per-repo <code>.env</code>
files.</li>
</ul>
<p><strong>Cascade requirement:</strong> This article must appear
verbatim in every owned-by-us repository's <code>CONSTITUTION.md</code>,
<code>CLAUDE.md</code>, and <code>AGENTS.md</code>. Owned-by-us repos
are listed in <code>scripts/owned-repos.txt</code> (or, until that file
exists, the meta-repo <code>propagate-governance.sh</code> script's
submodule walk excluding third-party trees).</p>
<h3 id="122-const-043--no-force-push">§12.2 (CONST-043) —
No-Force-Push</h3>
<p>No force push, force-with-lease push, history rewrite, branch
deletion of <code>main</code>/<code>master</code>, or
upstream-overwriting operation may be performed without explicit,
in-conversation user approval given for that specific operation.
Authorization for one push does not extend to subsequent pushes.
Bypassing hooks (<code>--no-verify</code>), signature verification
(<code>--no-gpg-sign</code>), or protected-branch rules also requires
explicit approval. This applies to every repository in the
HelixDevelopment / vasic-digital stack.</p>
<p><strong>Operational requirements:</strong></p>
<ul>
<li>Local pre-push hook at <code>scripts/git-hooks/pre-push</code>
(installed by <code>scripts/install-git-hooks.sh</code>) must reject
<code>--force</code> / <code>--force-with-lease</code> unless
<code>HELIX_FORCE_PUSH_APPROVED=1</code> is set.</li>
<li>The hook is a courtesy gate; this constitutional clause is the
actual contract.</li>
<li>Regular non-force pushes of new commits to existing branches on
already-configured remotes are PERMITTED without per-push approval,
scoped to a programme/conversation in which the user has authorised the
cadence.</li>
</ul>
<p><strong>Cascade requirement:</strong> Same as §12.1 — verbatim, every
owned-by-us repo's three governance files.</p>
<hr />
<h2 id="amendment-process">Amendment Process</h2>
<p>Constitution amendments require:</p>
<ol type="1">
<li>Written proposal with rationale</li>
<li>Challenge demonstrating the need</li>
<li>72-hour review period</li>
<li>Approval by project architect</li>
<li>Update to all submodule governance files</li>
</ol>
<hr />
<p><em>This Constitution is the supreme law of the HelixCode project. No
code, test, or process may contradict it.</em></p>
<h2 id="article-xi-119--anti-bluff-forensic-anchor-cascaded">Article XI
§11.9 — Anti-Bluff Forensic Anchor (Cascaded)</h2>
<blockquote>
<p>Verbatim user mandate: "We had been in position that all tests do
execute with success and all Challenges as well, but in reality the most
of the features does not work and can't be used! This MUST NOT be the
case and execution of tests and Challenges MUST guarantee the quality,
the completion and full usability by end users of the product!"</p>
<p>Operative rule: The bar for shipping is not "tests pass" but "users
can use the feature." Every PASS in this codebase MUST carry positive
runtime evidence captured during execution. No false-success results are
tolerable.</p>
</blockquote>
<h3 id="bluff-taxonomy-cascaded-from-root-constitutionmd">Bluff Taxonomy
(cascaded from root CONSTITUTION.md)</h3>
<ul>
<li>Wrapper bluff — assertions PASS but exit-code logic is buggy</li>
<li>Contract bluff — advertises capability but rejects in dispatch</li>
<li>Structural bluff — file exists but doesn't contain working code</li>
<li>Comment bluff — comment promises behavior code doesn't have</li>
<li>Skip bluff — t.Skip() without SKIP-OK: #<ticket> marker</li>
</ul>
<hr />
<h2
id="const-047--recursive-submodule-application-mandate-cascaded-from-root-constitutionmd">CONST-047
— Recursive Submodule Application Mandate (cascaded from root
CONSTITUTION.md)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-14): <em>"Make sure all work we do is
applied ALWAYS to all Submodules we control under our organizations
(vasic-digital and HelixDevelopment) fully recursively everywhere with
full bluff-proofing and comprehensive documentation, user manuals and
guides and full tests and Challenges coverage!"</em></p>
</blockquote>
<p>Every engineering deliverable produced for the main project MUST be
applied — fully and recursively — to every owned submodule under the
<code>vasic-digital</code> and <code>HelixDevelopment</code> GitHub
organizations. Each owned submodule (including this one) MUST receive in
lockstep: (1) anti-bluff posture (CONST-035 / Article XI §11.9), (2)
comprehensive documentation matching actual capabilities, (3) full tests
+ Challenges coverage with captured runtime evidence, (4) recursive
propagation through nested submodules under the same orgs, (5)
synchronized commits when meta-repo state advances this surface.</p>
<h2
id="see-the-root-constitutionmd-const-047-for-the-full-mandate-this-anchor-must-remain-in-this-submodules-constitutionmd-claudemd-and-agentsmd">See
the root <code>CONSTITUTION.md</code> §CONST-047 for the full mandate.
This anchor MUST remain in this submodule's CONSTITUTION.md, CLAUDE.md,
and AGENTS.md.</h2>
<h2
id="const-048-full-automation-coverage-mandate-cascaded-from-constitution-submodule-11425">CONST-048:
Full-Automation-Coverage Mandate (cascaded from constitution submodule
§11.4.25)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Make sure that every
feature, every functionality, every flow, every use case, every edge
case, every service or application, on every platform we support is
covered with full automation tests which will confirm anti-bluff policy
and provide the proof of fully working capabilities, working
implementation as expected, no issues, no bugs, fully documented, tests
covered! Nothing less than this does not give us a chance to deliver
stable product! This is mandatory constraint which MUST BE respected
without ignoring, skipping, slacking or forgetting it!"</em></p>
</blockquote>
<p>No feature / functionality / flow / use case / edge case / service /
application on any supported platform of this submodule is deliverable
until covered by automation tests proving six invariants: (1) anti-bluff
posture with captured runtime evidence (CONST-035); (2) proof of working
capability end-to-end on target topology; (3) implementation matching
documented promise; (4) no open issues/bugs surfaced; (5) full
documentation in sync; (6) four-layer test floor (pre-build + post-build
+ runtime + paired mutation).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-048 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-048 and constitution submodule <code>Constitution.md</code>
§11.4.25 for the full mandate.</p>
<h2
id="const-049-constitution-submodule-update-workflow-mandate-cascaded-from-constitution-submodule-11426">CONST-049:
Constitution-Submodule Update Workflow Mandate (cascaded from
constitution submodule §11.4.26)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Every time we add something
into our root (constitution Submodule) Constitution, CLAUDE.MD and
AGENTS.MD we MUST FIRST fetch and pull all new changes / work from
constitution Submodule first! All changes we apply MUST BE commited and
pushed to all constitution Submodule upstreams! In case of conflict, IT
MUST BE carefully resolved! Nothing can be broken, made faulty,
corrupted or unusable! After merging full validation and verification
MUST BE done!"</em></p>
</blockquote>
<p>Before ANY modification to
<code>constitution/{Constitution,CLAUDE,AGENTS}.md</code> in the parent
project, the agent or operator MUST execute the 7-step pipeline: (1)
fetch + pull first inside the constitution submodule worktree; (2) apply
the change with §11.4.17 classification + verbatim mandate quote; (3)
validate (meta-test + no merge-conflict markers + cross-file
consistency); (4) commit + push to EVERY configured upstream of the
constitution submodule (governance files only — never
<code>git add -A</code>); (5) careful conflict resolution preserving
union of governance content (force-push forbidden per CONST-043 / §9.2);
(6) post-merge <code>git submodule update --remote --init</code> +
re-run cascade verifier (CONST-047); (7) bump consuming project's
<code>.gitmodules</code> pointer to the new constitution HEAD in the
SAME commit as cascade work.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-049 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-049 and constitution submodule <code>Constitution.md</code>
§11.4.26 for the full mandate.</p>
<h2
id="const-050-no-fakes-beyond-unit-tests--100-test-type-coverage-mandate-cascaded-from-constitution-submodule-11427">CONST-050:
No-Fakes-Beyond-Unit-Tests + 100%-Test-Type-Coverage Mandate (cascaded
from constitution submodule §11.4.27)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Mocks, stubs, placeholders,
TODOs or FIXMEs are allowed to exist ONLY in Unit tests! All other test
types MUST interract with real fully implemented System! No fakes, empty
implementations or bluffing is allowed of any kind! All codebase of the
project MUST BE 100% covered with every supported test type: unit tests,
integration tests, e2e tests, full automation tests, security tests,
ddos tests, scaling tests, chaos tests, stress tests, performance tests,
benchmarking tests, ui tests, ux tests, Challenges (fully incorporating
our Challenges Submodule — <a
href="https://github.com/vasic-digital/Challenges">https://github.com/vasic-digital/Challenges</a>).
EVERYTHING MUST BE tested using HelixQA (fully incorporating HelixQA
Submodule — <a
href="https://github.com/HelixDevelopment/HelixQA">https://github.com/HelixDevelopment/HelixQA</a>).
HelixQA MUST BE used with all possible written tests suites (test banks)
for every applications, service, platform, etc and execution of the full
HelixQA QA autonomous sessions! All required dependency Submodules MUST
BE added into the project as well (fully recursive!!!)."</em></p>
</blockquote>
<p>Two cooperating invariants:</p>
<p><strong>(A) No-fakes-beyond-unit-tests.</strong> Mocks, stubs, fakes,
placeholders, <code>TODO</code>, <code>FIXME</code>, "for now", "in
production this would", or empty-implementation patterns are PERMITTED
only in unit-test sources. Every other test type — integration, E2E,
full automation, security, DDoS, scaling, chaos, stress, performance,
benchmarking, UI, UX, Challenges, HelixQA — MUST exercise this
submodule's real, fully implemented system against real infrastructure.
Production code MUST NOT import mock paths.</p>
<p><strong>(B) 100% test-type coverage.</strong> Codebase MUST be
covered by every supported test type the domain warrants: unit,
integration, E2E, full-automation, security, DDoS, scaling, chaos,
stress, performance, benchmarking, UI, UX, Challenges
(vasic-digital/Challenges submodule fully incorporated), HelixQA
(HelixDevelopment/HelixQA submodule fully incorporated, with full
autonomous QA sessions executing every registered test bank with
captured wire evidence).</p>
<p><strong>Required dependency submodules</strong> (recursive per
CONST-047): Challenges + HelixQA + any other functionality submodules
under vasic-digital/HelixDevelopment orgs this submodule depends on.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-050 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-050 and constitution submodule <code>Constitution.md</code>
§11.4.27 for the full mandate.</p>
<h2
id="const-051-submodules-as-equal-codebase--decoupling--dependency-layout-mandate-cascaded-from-constitution-submodule-11428">CONST-051:
Submodules-As-Equal-Codebase + Decoupling + Dependency-Layout Mandate
(cascaded from constitution submodule §11.4.28)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"All existing Submodules in
the project that we are controlling and belong to some our organizations
(vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory - we
can ALWAYS check dynamically using GitHub and GitLab CLIs) are equal
parts of the project's codebase! We MUST work on that code as much as we
do with main project's codebase! All on equal basis! Equally important!
... We MUST NEVER modify Submodules to bring into them any project
specific context since they all MUST BE ALWAYS fully decoupled, project
not-aware, fully reusable and modular (by any other project(s)),
completely testable! All Submodule dependencies that are used by
Submodule MUST BE acessed from the root of the project! We MUST NOT have
nested Submodule dependencies but accessing each from proper location
from the root of the project - directly from project's root
project_name/submodule_name or some more proper structure
project_name/submodules/submodule_name!"</em></p>
</blockquote>
<p>Three cooperating invariants apply to every owned-by-us submodule
(orgs: vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory, plus
any subsequently authorised org — discoverable via
<code>gh org list</code> / <code>glab</code>):</p>
<p><strong>(A) Equal-codebase.</strong> This submodule is an EQUAL part
of every consuming project's codebase. The consuming project's
engineering practice — analysis, extension, test creation, gap-filling,
bug-fix, documentation (user manuals, guides, diagrams, graphs, SQL
definitions, website pages, all materials) — applies to this submodule
on equal basis. Coverage ledgers (CONST-048) list this submodule as an
in-scope target.</p>
<p><strong>(B) Decoupling / reusability.</strong> This submodule MUST
remain fully decoupled from any specific consuming project. NEVER inject
project-specific context (hardcoded paths, hostnames, asset names,
naming schemes). Stay project-not-aware, reusable, modular, completely
testable as a standalone repository. When parent-project info is needed,
use configuration injection (env var, config file, constructor
parameter) — never a hardcoded reach.</p>
<p><strong>(C) Dependency-layout.</strong> Any dependency this submodule
consumes MUST be accessible from the consuming project's root at
<code>&lt;root&gt;/&lt;name&gt;/</code> or
<code>&lt;root&gt;/submodules/&lt;name&gt;/</code>. <strong>Nested
own-org submodule chains are FORBIDDEN</strong> — this submodule MUST
NOT have its own <code>.gitmodules</code> entries pulling in further
owned-by-us repos. Third-party submodules are exempt.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-051 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-051 and constitution submodule <code>Constitution.md</code>
§11.4.28 for the full mandate.</p>
<h2
id="const-052-lowercase-snake_case-naming-mandate-cascaded-from-constitution-submodule-11429">CONST-052:
Lowercase-Snake_Case-Naming Mandate (cascaded from constitution
submodule §11.4.29)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"naming convention for
Submodules and directories (applied deep into hierarchy recursively) -
all directories and Submodules MSUT HAVE lowercase names with space
separator between the words of '_' character (snake-case)! All existing
Submodules and directories which are not following this rule MUST BE
renamed! However, since this will most likely break some of the
functionalities renaming we do MUST BE applied to all references to
particular Submodule or directory! ... There MUST BE reasonable
exceptions for this rules - source code for programming languages or
Submodules which apply different naming convention - Android, Java,
Kotlin and others. ... Upstreams directory which all of our projects and
Submodules have MUST BE renamed to the lowercase letters too, however
root project containing the install_upstreams system command (it is
exported in out paths in our .bashrc or .zshrc) MUST BE updated to fully
work with both Upstreams and upstreams directory. ... NOTE: Rules
lowercase / snake-case do apply to all project files as well and
references to it and from them!"</em></p>
</blockquote>
<p>Every directory, submodule, and file in this submodule MUST use
lowercase snake_case names. Existing non-compliant names MUST be renamed
atomically with updates to every reference (configs, docs, source-code
imports, governance files). Reference drift after rename = CONST-052
violation of equal severity to the rename itself.</p>
<p><strong>Common-sense exceptions (technology-preserving):</strong>
language-mandated case for Java/Kotlin/Android/Apple/C#/Swift INSIDE
language-roots; vendor/upstream third-party submodules keep upstream
names; build artefacts (<code>node_modules</code>,
<code>__pycache__</code>, <code>.git</code>, <code>target</code>,
<code>build</code>, <code>bin</code>) keep tool-mandated names. The test
"does renaming break the technology?" trumps the rule.</p>
<p><strong><code>Upstreams/</code> → <code>upstreams/</code>
transition:</strong> the constitution submodule's
<code>install_upstreams.sh</code> (exported via
<code>.bashrc</code>/<code>.zshrc</code>) supports BOTH directory
layouts; lowercase wins when both present.</p>
<p><strong>Test coverage of renames</strong> (per CONST-050(B)):
regression test for reference resolution + full test-type matrix run +
anti-bluff wire-evidence captured.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
CONST-052 ID reference) MUST remain in this submodule's CONSTITUTION.md,
CLAUDE.md, and AGENTS.md, and propagate recursively to any nested
owned-by-us submodule. See parent project's <code>CONSTITUTION.md</code>
§CONST-052 and constitution submodule <code>Constitution.md</code>
§11.4.29 for the full mandate.</p>
<h2
id="const-053-gitignore--no-versioned-build-artifacts-mandate-cascaded-from-constitution-submodule-11430">CONST-053:
.gitignore + No-Versioned-Build-Artifacts Mandate (cascaded from
constitution submodule §11.4.30)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"every project module, every
Submodule, every servcie and apolication MUST HAVE proper .gitignore
file! We MUST NOT git version build artifacts, cache files, tmp files,
main .env file(s) or any files containing sensitive data, API keys or
token! Any build derivate which we can recreate by executing proper
mechanism for generating MUST NOT be versioned! We MUST pay attention
what is going to be commited every time we are preparing to execute
commit! If any violetion is detected it MUST be fixed before commit is
executed!"</em></p>
</blockquote>
<p>Every project module, owned-by-us submodule, service, and application
MUST ship a proper <code>.gitignore</code>.
Forbidden-from-version-control classes:</p>
<ol type="1">
<li><strong>Build artefacts</strong>: <code>/bin/</code>,
<code>/build/</code>, <code>/dist/</code>, <code>/out/</code>,
<code>target/</code>, <code>*.exe</code>, <code>*.dll</code>,
<code>*.so</code>, <code>*.dylib</code>, <code>*.a</code>,
<code>*.o</code>, <code>*.class</code>, <code>*.pyc</code>,
generator-produced files when the generator is committed.</li>
<li><strong>Cache files</strong>: <code>__pycache__/</code>,
<code>.pytest_cache/</code>, <code>.mypy_cache/</code>,
<code>.ruff_cache/</code>, <code>node_modules/</code>,
<code>.next/</code>, <code>.cache/</code>, <code>.gradle/</code>,
<code>.terraform/</code>, language-server caches.</li>
<li><strong>Temp files</strong>: <code>*.tmp</code>, <code>*.swp</code>,
<code>*~</code>, <code>.DS_Store</code>, <code>Thumbs.db</code>,
<code>*.orig</code>, <code>*.rej</code>.</li>
<li><strong>Sensitive-data files</strong>: <code>.env</code>,
<code>.env.*</code> (allow <code>.env.example</code> placeholder only —
no real secrets even as examples), <code>*.pem</code>,
<code>*.key</code>, <code>*.crt</code>, <code>id_rsa*</code>,
<code>id_ed25519*</code>, <code>.netrc</code>, <code>secrets/</code>,
<code>api_keys.sh</code>.</li>
<li><strong>Generated reports/logs</strong>: <code>*.log</code>,
<code>coverage.out</code>, <code>htmlcov/</code>, runtime captures
unless reference assets.</li>
<li><strong>OS/IDE personal state</strong>: <code>.idea/</code>,
<code>.history/</code>, <code>.vscode/</code> (except shared
settings).</li>
</ol>
<p><strong>Anti-bluff invariant</strong>: <code>.gitignore</code> line
alone is not sufficient — no file matching the forbidden patterns may be
CURRENTLY TRACKED. A tracked <code>*.log</code> despite the ignore-line
is a violation of equal severity to no ignore-line at all.</p>
<p><strong>Pre-commit attention</strong>: every commit author (human OR
agent) MUST inspect <code>git diff --staged</code> +
<code>git status</code> BEFORE executing the commit. Forbidden-class
hits abort the commit until fixed (un-stage, add to
<code>.gitignore</code>, scrub if already-tracked). Gate
<code>CM-GITIGNORE-PRECOMMIT-AUDIT</code> + paired mutation.</p>
<p><strong>Secret-leak intersection (CONST-042 / §11.4.10):</strong> a
<code>.env</code> leak is BOTH a CONST-053 and a CONST-042 violation;
rotation + post-mortem required.</p>
<p><strong>Recreatable-content test</strong>: if a documented mechanism
regenerates the file from sources, it is a build derivative and MUST be
ignored. The committed sources MUST include the generator.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-053</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
repository-hygiene layer. See constitution submodule
<code>Constitution.md</code> §11.4.30 for the full mandate.</p>
<h2
id="const-054-submodule-dependency-manifest-mandate-cascaded-from-constitution-submodule-11431">CONST-054:
Submodule-Dependency-Manifest Mandate (cascaded from constitution
submodule §11.4.31)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"We MUST HAVE mechanism for
each Submodule to determine / know what are its Submodule dependencies
so new projects or palces we are incorporate them can add these
Submodules to the project root and make them available! Suggested idea
is configuration file with expected Submodules Git ssh urls perhaps? New
project can read it, and recursively add each Submodule to the root of
the project and install / expose it to veryone."</em></p>
</blockquote>
<p>Every owned-by-us submodule MUST ship <code>helix-deps.yaml</code> at
its root declaring its own-org dependencies. Schema:
<code>schema_version</code>,
<code>deps: [{name, ssh_url, ref, why, layout: flat|grouped}]</code>,
<code>transitive_handling.{recursive,conflict_resolution}</code>,
<code>language_specific_subtree</code>. Tooling:
<code>incorporate-submodule &lt;ssh-url&gt;</code> adds the submodule at
the parent project's canonical path (CONST-051(C)), reads
<code>helix-deps.yaml</code>, recurses for each declared dep, aborts on
conflicting refs, emits <code>&lt;root&gt;/.helix-manifest.yaml</code>
audit record.</p>
<p>Anti-bluff guarantee: every manifest paired with a Challenge that
bootstraps a throwaway consuming project, runs
<code>incorporate-submodule</code>, asserts produced layout matches the
manifest, runs the submodule's own tests against the bootstrapped
layout, captures wire evidence per §11.4.2. A manifest without this
proof is a CONST-054 violation.</p>
<p>§11.4.31 / CONST-054 is the <strong>operational complement</strong>
of CONST-051(C): nested own-org submodule chains are FORBIDDEN —
manifests are the bridge that lets consumers reconstruct the dependency
graph at the parent root.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-054</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
dependency-graph layer. See constitution submodule
<code>Constitution.md</code> §11.4.31 for the full mandate.</p>
<h2
id="const-055-post-constitution-pull-validation-mandate-cascaded-from-constitution-submodule-11432">CONST-055:
Post-Constitution-Pull Validation Mandate (cascaded from constitution
submodule §11.4.32)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Every time we fetch and pull
new changes on constitution Submodule we MUST process the whole project
and all Submodule (deep recursively) for validation and verification
taht every single rule or mandatory constraint is followed and
respected! If it is not, IT MUST BE!"</em></p>
</blockquote>
<p>Whenever a project's constitution submodule is fetched + pulled with
any content change, the project MUST run
<code>scripts/verify-all-constitution-rules.sh</code> BEFORE the new
constitution HEAD is treated as canonical for any other work. The sweep
re-runs the governance-cascade verifier AND every implementable rule
gate (CONST-053 <code>.gitignore</code> audit, CONST-051(C)
nested-own-org-chain audit, CONST-052 case audit, CONST-050(A)
mock-from-production audit, CONST-035 anti-bluff smoke, etc.) against
the post-pull tree. Failures populate the project's Issues tracker per
§11.4.15 (Status: <code>Reopened</code>, Type: <code>Bug</code>);
closure requires positive-evidence per §11.4.</p>
<p>Pull-time invocation:
<code>git submodule update --remote constitution</code> triggers the
sweep automatically (post-update hook OR commit-wrapper invocation).
Operator-explicit manual invocation also available.</p>
<p>Anti-bluff: the sweep's own meta-test (paired mutation per §1.1)
plants a known violation of each enforced gate and asserts the sweep
reports FAIL for the planted gate. A sweep that exits PASS without
running every implementable gate is a CONST-055 violation.</p>
<p>CONST-055 is the <strong>enforcement engine</strong> for every other
§11.4.x and CONST-NNN rule — without it, new rules cascade as anchors
but never get enforced.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-055</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
constitutional-enforcement layer. See constitution submodule
<code>Constitution.md</code> §11.4.32 for the full mandate.</p>
<h2
id="const-056-mandatory-install_upstreams-on-cloneadd-mandate-cascaded-from-constitution-submodule-11436">CONST-056:
Mandatory install_upstreams on clone/add Mandate (cascaded from
constitution submodule §11.4.36)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Every Submodule or Git
repository we add or clone MUST BE upstreams installed using
Upstreamable utility which MUST BE available through exported paths of
the host system (in .bashrc or .zhrc) using install_upstreams command
executed from the root of the cloned (added) repository - only if in it
is Upstreams or upstreams directory present with bash script files
(recipes) for all repository's upstreams!"</em></p>
</blockquote>
<p>Every clone / add of a Git repository under HelixCode MUST be
followed by <code>install_upstreams</code> invocation from the
repository's root IF its tree contains <code>upstreams/</code> (or
legacy <code>Upstreams/</code> per CONST-052 transition) populated with
<code>*.sh</code> recipe files. The utility (installed on operator's
<code>PATH</code> via <code>.bashrc</code>/<code>.zshrc</code>;
implementation in the constitution submodule's
<code>install_upstreams.sh</code> — already supports BOTH directory
names since constitution commit <code>45d3678</code>) reads the recipe
files, configures every declared upstream as a named git remote, and
fans out <code>origin</code> push URLs.</p>
<p>Skipping the invocation when <code>upstreams/</code> is present
silently breaks §2.1 (multi-upstream push is the norm) — the next push
lands on only one upstream. Gate
<code>CM-INSTALL-UPSTREAMS-ON-CLONE</code> + paired mutation.
Automation: the future <code>incorporate-submodule</code> per CONST-054
auto-invokes; manual invocation supported. Pre-commit check:
<code>git remote -v | grep -c push</code> reports expected count.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-056</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.36 for the full mandate.</p>
<h2
id="const-057-type-aware-closure-status-vocabulary-cascaded-from-constitution-submodule-11433">CONST-057:
Type-aware Closure-Status Vocabulary (cascaded from constitution
submodule §11.4.33)</h2>
<p>Every project tracking work items by Type per §11.4.16 MUST close
them with the Type-appropriate terminal <code>**Status:**</code> value,
drawn from this 3-element closed map:</p>
<table>
<thead>
<tr>
<th>Item <code>**Type:**</code></th>
<th>Closure <code>**Status:**</code> value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>Bug</code></td>
<td><code>Fixed (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Feature</code></td>
<td><code>Implemented (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Task</code></td>
<td><code>Completed (→ Fixed.md)</code></td>
</tr>
</tbody>
</table>
<p>The <code>(→ Fixed.md)</code> suffix is preserved across all three so
the existing migration-discipline tooling (atomic Issues.md → Fixed.md
move per §11.4.19) keeps working without per-Type branching. Generators
(<code>generate_issues_summary.sh</code>,
<code>generate_fixed_summary.sh</code>, the §11.4.23 colorizer) MUST
treat the three terminal values as semantically equivalent (all "closed,
positive evidence captured") while preserving the literal in the emitted
document.</p>
<p>Closing a <code>Feature</code> with <code>Fixed (→ Fixed.md)</code>
or a <code>Task</code> with <code>Implemented (→ Fixed.md)</code> is a
CONST-057 violation. Gate <code>CM-CLOSURE-VOCAB-TYPE-AWARE</code> walks
every Fixed.md heading + every Issues.md heading whose
<code>**Status:**</code> is one of the three terminal values and asserts
the Status-Type match. Composes with §11.4.15 / §11.4.16 / §11.4.19 /
§11.4.23.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-057</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.33 for the full mandate.</p>
<h2
id="const-058-reopened-source-attribution-mandate-cascaded-from-constitution-submodule-11434">CONST-058:
Reopened-Source Attribution Mandate (cascaded from constitution
submodule §11.4.34)</h2>
<p>Every Issues.md (or equivalent project tracker) heading whose
<code>**Status:**</code> is <code>Reopened</code> MUST carry, within 8
non-blank lines of the heading, a <code>**Reopened-Details:**</code>
line capturing four sub-facts:</p>
<ul>
<li><strong>By:</strong> <code>AI</code> or <code>User</code>
(source-of-truth observer who flipped the status). <code>AI</code>
covers in-loop reopens (test failure, gate regression, captured-evidence
retrospect). <code>User</code> covers operator-side observations (manual
testing, end-user report, design reconsideration).</li>
<li><strong>On:</strong> ISO date (<code>YYYY-MM-DD</code>).</li>
<li><strong>Reason:</strong> one-line cause classification — chosen from
the closed vocabulary
<code>{ test-failed | manual-testing-detected | captured-evidence-contradicts | end-user-report | cycle-re-discovered | design-reconsidered }</code>.
Other values permitted with explicit
<code>Reason: &lt;free text&gt;</code> annotation but the closed list
MUST be tried first.</li>
<li><strong>Evidence:</strong> path to or short description of the
captured artefact justifying the reopen — log file, recording, gate
failure ID, operator quote, etc. Reopens without evidence are §11.4.6 /
§11.4.7 violations (demotion from Fixed requires captured evidence under
the conditions that re-exposed the defect).</li>
</ul>
<p>The Issues_Summary.md Status column MUST distinguish the four
<code>Reopened</code> sub-states by source so a sweep query for "reopens
by AI in the last 30 days" is mechanically possible. Suggested column
rendering: <code>Reopened (AI: test-failed)</code> vs
<code>Reopened (User: manual-testing)</code>. Gate
<code>CM-ITEM-REOPENED-DETAILS</code> mirrors
<code>CM-ITEM-OPERATOR-BLOCKED-DETAILS</code> (§11.4.21 walk pattern).
Composes with §11.4.6 / §11.4.7 / §11.4.15 / §11.4.21.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-058</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.34 for the full mandate.</p>
<h2
id="const-059-canonical-root-inheritance-clarity-cascaded-from-constitution-submodule-11435">CONST-059:
Canonical-Root Inheritance Clarity (cascaded from constitution submodule
§11.4.35)</h2>
<p>The <strong>constitution submodule's</strong> three files
(<code>constitution/Constitution.md</code>,
<code>constitution/CLAUDE.md</code>,
<code>constitution/AGENTS.md</code>) ARE the <strong>canonical
root</strong> (also called the <strong>parent</strong> files). They
contain only universal rules per §11.4.17.</p>
<p>The consuming project's <strong>repository-root files</strong>
(<code>&lt;project-root&gt;/CLAUDE.md</code>,
<code>&lt;project-root&gt;/AGENTS.md</code>, optionally
<code>&lt;project-root&gt;/Constitution.md</code>) are <strong>consumer
extensions</strong>. They MUST start with the inheritance pointer
(either the Claude-Code native <code>@constitution/CLAUDE.md</code>
import or the portable
<code>## INHERITED FROM constitution/CLAUDE.md</code> heading). They
contain only project-specific rules per §11.4.17.</p>
<p><strong>When in doubt about which file to edit:</strong> universal
rule → constitution submodule's file; project-specific rule → consumer's
file. Default consumer-side when uncertain (§11.4.17 — narrower scope is
cheap to widen).</p>
<p><strong>Terminology:</strong> "the parent CLAUDE.md" / "the root
Constitution" → constitution-submodule file at
<code>constitution/&lt;filename&gt;</code>; "the project CLAUDE.md" /
"this project's AGENTS.md" → consumer-side file at
<code>&lt;project-root&gt;/&lt;filename&gt;</code>.</p>
<p><strong>No silent demotion or silent promotion.</strong> Moving a
rule between layers MUST be a visible commit — <code>git mv</code> of a
section if it's a clean clone, or explicit
<code>Lifted from &lt;project&gt; to constitution per §11.4.35</code> /
<code>Demoted from constitution to &lt;project&gt; per §11.4.35</code>
commit-message annotation.</p>
<p>Gate <code>CM-CANONICAL-ROOT-CLARITY</code> verifies (a) consumer's
<code>CLAUDE.md</code> opens with the inheritance pointer, (b)
constitution submodule's three files are present at the expected path,
(c) no <code>## INHERITED FROM</code> block in the constitution
submodule's own files (those ARE the source-of-truth, not consumers).
Composes with §11.4.17.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-059</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.35 for the full mandate.</p>
<h2
id="const-060-fetch-before-edit-mandate-cascaded-from-constitution-submodule-11437">CONST-060:
Fetch-before-edit Mandate (cascaded from constitution submodule
§11.4.37)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>"Make sure that
feedback_fetch_before_edit memory rule is part of our constitution
Submodule - the root Consitution, AGENTS.MD and CLAUDE.MD. Validate and
verify that Proejct-Toolkit and all Submodules do inherit all of them!
Follow the constitution Submodule documentation for details."</em></p>
</blockquote>
<p>The FIRST git-touching action of every session, on every consuming
project (owned or third-party), MUST be:</p>
<div class="sourceCode" id="cb4"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> fetch <span class="at">--all</span> <span class="at">--prune</span></span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> log <span class="at">--oneline</span> HEAD..@{u}</span>
<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> submodule foreach <span class="at">--recursive</span> <span class="st">&#39;git fetch --all --prune --quiet&#39;</span></span></code></pre></div>
<p>If <code>HEAD..@{u}</code> is non-empty, integrate the upstream
changes BEFORE any local edit. Acting on stale local state produces
three failure modes documented in the originating §11.4.37 incident
(multi-agent / parallel-session work): (1) <strong>redundant
work</strong> — the agent re-does what a parallel session already
finished, (2) <strong>false confidence</strong> — completion reports for
already-done work, (3) <strong>divergent history</strong> — duplicate
sibling commits that double the conflict surface on next push.</p>
<p><strong>Anti-bluff invariant</strong>: the fetch+log check MUST
produce captured evidence — the actual <code>HEAD..@{u}</code> output,
even if empty. Skipping the check on the basis of "I just fetched" or
"nothing could have changed in the last N minutes" is a §11.4.6
(no-guessing) violation: the remote state is not knowable without a
fetch.</p>
<p><strong>Cascade requirement</strong>: This anchor (verbatim or by
<code>CONST-060</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
parallel-session-coordination layer. See constitution submodule
<code>Constitution.md</code> §11.4.37 for the full mandate.</p>
<h2
id="const-061-pre-force-push-merge-first-mandate-cascaded-from-constitution-submodule-11441">CONST-061:
Pre-Force-Push Merge-First Mandate (cascaded from constitution submodule
§11.4.41)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-17): <em>"make sure we bring
everything from branches to our side before forc push is done! Afer
everything is safely and fully merged and all potential conflicts (if
any) resolved, then do force push! make sure nothing isnlost, broken or
corrupted on bith sides! add these rules in our root Constitution,
CLAUDE.MD, AGENTS.MD (constitution Submodule) if itnis not added
already! Extremely important rules and mandatory constraints we MUST
HAVE and fully respect!"</em></p>
</blockquote>
<p>Any force-push (<code>--force</code>,
<code>--force-with-lease</code>, <code>+&lt;ref&gt;</code>, equivalent
history-rewrite) authorised under CONST-043 MUST be preceded by a
mechanical 4-step merge-first pipeline:</p>
<ol type="1">
<li><strong>Fetch every remote</strong> —
<code>git fetch --all --prune --tags</code> against origin + every
upstream; capture output.</li>
<li><strong>Integrate every divergent commit locally</strong> — rebase /
merge / operator-confirmed cherry-pick per appropriate strategy for
every non-empty <code>HEAD..&lt;remote&gt;/&lt;branch&gt;</code>
range.</li>
<li><strong>Audit the integrated tree</strong> — no conflict markers
anywhere
(<code>grep -rn '^&lt;&lt;&lt;&lt;&lt;&lt;&lt; \|^=======$\|^&gt;&gt;&gt;&gt;&gt;&gt;&gt; '</code>
returns empty in governance + source + test files); no file silently
dropped; previously-passing tests still pass; captured-evidence
artefacts still validate.</li>
<li><strong>Force-push</strong> — only after steps 1-3 produce clean
integration evidence: <code>git push --force-with-lease</code> (NEVER
<code>--force</code> alone unless authorised per §9.2 sub-clause
6).</li>
</ol>
<p><strong>Two-gate composition with CONST-043.</strong> §11.4.41 does
NOT relax CONST-043's operator-approval requirement — it adds a SECOND
mechanical gate. CONST-043 alone authorises a push that loses remote
work; §11.4.41 alone risks pushing without operator awareness. Both
required.</p>
<p><strong>Three failure modes prevented:</strong> (a) remote-side
content loss when parallel sessions land work between fetches; (b)
stale-state acts when <code>--force-with-lease</code> reads stale local
refs without prior fetch; (c) conflict-driven corruption when markers
get committed verbatim (observed 2026-05-17 in helix_qa + containers
governance files).</p>
<p><strong>Verification artefact</strong>: every governed force-push
emits a <code>docs/changelogs/&lt;tag&gt;.md</code> "Force-push
merge-first audit" section capturing fetch output, per-remote divergence
log, integration strategy, conflict-marker scan, test delta, push output
with lease SHA, + CONST-043 authorisation quote. Gate
<code>CM-FORCE-PUSH-MERGE-FIRST</code> + paired mutation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-061</code> ID reference) MUST appear in every owned
submodule's <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
remote-data-integrity layer. See constitution submodule
<code>Constitution.md</code> §11.4.41 for the full mandate.</p>
</body>
</html>