Adds initial AI Agent constitution

Establishes foundational governance for the AI Agent project
by adding an initial constitution.

The constitution defines core principles, security standards,
development workflow, and governance rules.

This ensures code quality, security, and maintainability across the project.

Author: nullchimp

.github/copilot-instructions.md

@@ -7,137 +7,3 @@ You are an AI coding assistant for the ai-agent Python project. Generate high-qu
 - Python version: 3.9+
 - Test location: All tests MUST be placed in the `tests` folder
 - Architecture: Modular design with domain-specific packages in `src/<domain>`
-
-## Code Quality Requirements
-- Follow semantic versioning (`vX.Y.Z`)
-- Code must pass `pylint`, `flake8`, `mypy`, and `black` checks
-- Use 4-space indentation, max 88 characters per line
-- Functions must be under 50 lines and follow single responsibility principle
-- Prefer pure functions with dependency injection
-- Import order: stdlib, third-party, local imports
-- Auto-format with `black` and `isort`
-
-## Documentation Standards (CRITICAL)
-1. **NO DOCSTRINGS OR COMMENTS** unless absolutely necessary
-2. Code must be self-documenting through descriptive names
-3. Use comprehensive type hints instead of parameter descriptions
-4. If comments are unavoidable:
-   - Explain WHY, never WHAT
-   - Use minimal prefixes (# NOTE: or # TODO: TICKET-123)
-   - Maximum 2 lines
-5. **NEVER generate** verbose multi-line docstrings with parameter descriptions, return values, examples, or usage notes
-
-## Security & Testing
-- No hard-coded secrets (use environment variables)
-- Validate all input using dataclasses, Pydantic, or attrs
-- Unit-test logic with pytest, integration-test I/O boundaries
-- Always use virtual environments for isolation
-
-## Virtual Environment Setup
-```bash
-python3 -m venv .venv
-source .venv/bin/activate  # On Windows: venv\Scripts\activate
-pip install -r requirements.txt
-```
-
-## Folder Responsibilities
-- `.github` - Houses GitHub prompts (.github/prompts/), workflows(.github/workflows/), and Copilot instructions. Used by GitHub Actions and Copilot Chat.
-- `tests` - Contains all tests for the application
-- Root files
-    - .env – environment variables (managed via GitHub and Context7 MCP Servers)
-    - README.md, LICENSE – project overview and licensing
-
-# Steps
-1. Analyze the coding task and determine the appropriate `src/<domain>` location
-2. Design the solution using modular, pure functions with proper type hints
-3. Generate code with descriptive variable/function names that eliminate need for comments
-4. Include comprehensive type annotations for all parameters and return values
-5. Structure imports in the correct order (stdlib, third-party, local)
-6. If tests are needed, place them in the `tests` folder with appropriate naming
-
-# Output Format
-Generate complete, production-ready Python code that:
-- Follows all coding standards without deviation
-- Includes proper type hints for all functions
-- Uses descriptive names that make the code self-documenting
-- Contains minimal to no comments/docstrings
-- Is properly formatted for `black` and linting tools
-- Includes import statements in the correct order
-
-# Examples
-
-## Example 1: Service Implementation
-
-**Input**: "Create a user authentication service"
-**Output**:
-```python
-from typing import Optional
-from dataclasses import dataclass
-import bcrypt
-from jose import jwt
-
-@dataclass
-class AuthenticationResult:
-    is_valid: bool
-    user_id: Optional[str] = None
-    error_message: Optional[str] = None
-
-def hash_password(plain_password: str) -> str:
-    return bcrypt.hashpw(plain_password.encode(), bcrypt.gensalt()).decode()
-
-def verify_password(plain_password: str, hashed_password: str) -> bool:
-    return bcrypt.checkpw(plain_password.encode(), hashed_password.encode())
-
-def authenticate_user(username: str, password: str, stored_hash: str) -> AuthenticationResult:
-    if not verify_password(password, stored_hash):
-        return AuthenticationResult(False, error_message="Invalid credentials")
-    return AuthenticationResult(True, user_id=username)
-```
-
-## Example 2: Test Implementation
-
-**Input**: "Write a test for the authentication service"
-**Output** (in `tests/test_auth_service.py`):
-```python
-import pytest
-from src.auth.service import hash_password, verify_password, authenticate_user, AuthenticationResult
-
-def test_hash_password_creates_valid_hash():
-    password = "test_password_123"
-    hashed = hash_password(password)
-    assert hashed != password
-    assert len(hashed) > 20
-
-def test_verify_password_with_correct_password():
-    password = "test_password_123"
-    hashed = hash_password(password)
-    assert verify_password(password, hashed) is True
-
-def test_authenticate_user_with_valid_credentials():
-    password = "test_password_123"
-    hashed = hash_password(password)
-    result = authenticate_user("testuser", password, hashed)
-    assert result.is_valid is True
-    assert result.user_id == "testuser"
-    assert result.error_message is None
-```
-
-# CI/CD Requirements
-- Always activate virtual environment in CI pipelines:
-  ```yaml
-  - name: Set up Python
-    run: |
-      python3 -m venv .venv
-      source .venv/bin/activate
-  ```
-- Run `pytest --cov=src` and check coverage in CI
-- Run security checks: `bandit`, Safety, CodeQL, Dependabot
-- Fail build on critical CVEs
-
-# Notes
-- All generated code will be rejected if it contains unnecessary docstrings or comments
-- Type hints are mandatory and replace the need for parameter documentation
-- Function and variable names must be descriptive enough to eliminate ambiguity
-- Virtual environment setup is required before running any code
-- Security validation using dataclasses/Pydantic is non-negotiable for input handling
-- Each unnecessary comment is technical debt - the code itself should communicate intent

.specify/memory/constitution.md

@@ -1,50 +1,205 @@
-# [PROJECT_NAME] Constitution
-<!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
+<!--
+  SYNC IMPACT REPORT
+  ==================
+  Version Change: Template → 1.0.0
+  
+  Modified Principles:
+  - PRINCIPLE_1_NAME → I. Modular Architecture & Separation of Concerns
+  - PRINCIPLE_2_NAME → II. Code Readability & Self-Documentation
+  - PRINCIPLE_3_NAME → III. Test-First Development (NON-NEGOTIABLE)
+  - PRINCIPLE_4_NAME → IV. Type Safety & Static Analysis
+  - PRINCIPLE_5_NAME → V. Python Best Practices
+  
+  Added Sections:
+  - Core Principles (5 principles defined)
+  - Security & Quality Standards
+  - Development Workflow & Review Process
+  - Governance
+  
+  Templates Requiring Updates:
+  ✅ plan-template.md - Reviewed, constitution check section aligns
+  ✅ spec-template.md - Reviewed, requirements and acceptance criteria align
+  ✅ tasks-template.md - Reviewed, test-first and phase structure aligns
+  ✅ coding-guidelines.instructions.md - Source of truth for principles
+  
+  Follow-up TODOs: None - all principles fully defined
+  
+  Rationale for Version 1.0.0:
+  - Initial ratification of constitution from template
+  - Establishes foundational governance for AI Agent project
+  - All principles and sections are now concrete and actionable
+-->
+
+# AI Agent Constitution
 
 ## Core Principles
 
-### [PRINCIPLE_1_NAME]
-<!-- Example: I. Library-First -->
-[PRINCIPLE_1_DESCRIPTION]
-<!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
+### I. Modular Architecture & Separation of Concerns
+
+Every component in the AI Agent project MUST adhere to strict modularity and separation of concerns:
+
+- **One domain = one package**: Each logical domain (e.g., `llm`, `rag`, `tools`, `api`) MUST reside in its own package under `src/<domain>`
+- **Single Responsibility Principle**: Each module, class, and function MUST have exactly one reason to change
+- **Clear boundaries**: Domain packages MUST expose well-defined interfaces and MUST NOT leak implementation details
+- **Dependency direction**: Dependencies MUST flow inward toward core business logic; outer layers (API, UI) depend on inner layers (services, models), never vice versa
+- **Isolated side effects**: Pure business logic MUST be separated from side effects (I/O, database, external APIs) which belong in service layers
+
+**Rationale**: Modular architecture enables independent development, testing, and evolution of components. It reduces coupling, improves maintainability, and allows teams to work in parallel without conflicts.
+
+### II. Code Readability & Self-Documentation
+
+Code MUST be written to be immediately understandable by humans without requiring extensive comments:
+
+- **Descriptive naming**: Variable, function, and class names MUST clearly express intent and purpose
+  - Classes: PascalCase (e.g., `SessionManager`, `DebugCapture`)
+  - Functions/variables: snake_case (e.g., `capture_event`, `session_id`)
+  - Constants: ALL_CAPS (e.g., `MAX_EVENTS_PER_SESSION`)
+- **Type hints required**: All function parameters and return values MUST include type hints for clarity and tool support
+- **Self-explanatory structure**: Code structure and flow MUST convey logic; avoid "clever" code that requires explanation
+- **Minimal comments**: Comments explain WHY decisions were made, not WHAT code does; if code needs WHAT comments, refactor for clarity
+- **Comment discipline**: Comments MUST be under 2 lines; use `# NOTE:` or `# TODO: <ticket-id>` prefixes; delete expired comments
+
+**Rationale**: Self-documenting code reduces cognitive load, speeds up onboarding, and prevents documentation drift. Type hints enable better IDE support and catch errors early.
+
+### III. Test-First Development (NON-NEGOTIABLE)
+
+Testing MUST drive implementation through strict Test-Driven Development:
+
+- **Red-Green-Refactor cycle**: Tests MUST be written first, verified to fail, then implementation makes them pass, followed by refactoring
+- **Test location**: All tests MUST be placed in the `tests/` folder at repository root, never co-located with source
+- **Test coverage**: Unit tests required for all business logic; integration tests required for I/O boundaries (API endpoints, database, external services)
+- **Coverage gate**: CI MUST enforce minimum 80% code coverage; uncovered code MUST be explicitly justified
+- **Test categories**:
+  - **Unit tests**: Pure functions, business logic, algorithms (`tests/unit/`)
+  - **Integration tests**: API endpoints, database operations, MCP sessions (`tests/integration/`)
+  - **Contract tests**: External API interfaces and protocol compliance (`tests/contract/`)
+- **Test execution**: Use `pytest --cov=src` for all test runs; tests MUST pass before any code merge
+
+**Rationale**: Test-first development catches bugs before they exist, documents intended behavior, enables confident refactoring, and ensures every line of code has proven value.
+
+### IV. Type Safety & Static Analysis
+
+All Python code MUST pass strict static analysis without warnings:
+
+- **Type checking**: `mypy` MUST run in strict mode with no type errors; use `# type: ignore[specific-error]` only with justification comment
+- **Linting**: `pylint` and `flake8` MUST pass without warnings; configure exceptions in `pyproject.toml` only when justified
+- **Code formatting**: `black` and `isort` MUST auto-format all code; 88 characters max line length; 4-space indentation
+- **Pre-commit hooks**: All quality tools (black, isort, mypy, pylint, flake8) MUST run before commits
+- **CI enforcement**: Pull requests MUST fail if any static analysis tool reports warnings or errors
+- **Validation framework**: Use Pydantic models for all external input validation (API requests, environment variables, configuration files)
+
+**Rationale**: Static analysis prevents entire classes of bugs before runtime, improves code quality, and provides better IDE support. Type safety documentation becomes executable and verified.
+
+### V. Python Best Practices
+
+All code MUST follow Python idioms and modern best practices:
+
+- **Python version**: Target Python 3.9+ for all features and dependencies
+- **Virtual environments**: Always use isolated virtual environments; never install packages globally
+- **Dependency management**: Pin exact versions in `requirements.txt`; regularly update and audit dependencies
+- **Async/await**: Use `asyncio` for I/O-bound operations (API calls, database queries, file I/O)
+- **Error handling**: Prefer specific exceptions over generic; always provide context in error messages; use structured logging
+- **Resource management**: Use context managers (`with` statements) for file handles, database connections, and locks
+- **Data classes**: Use `dataclasses`, `Pydantic`, or `attrs` for data containers; avoid dictionaries for structured data
+- **Configuration**: Load from environment variables (via `.env`); never hard-code secrets or configuration
+- **Logging**: Use structured logging with proper levels (DEBUG, INFO, WARNING, ERROR); include context (session_id, user_id, etc.)
+
+**Rationale**: Consistent Python idioms make code predictable and maintainable. Modern features (async, type hints, data classes) improve performance and developer experience.
+
+## Security & Quality Standards
 
-### [PRINCIPLE_2_NAME]
-<!-- Example: II. CLI Interface -->
-[PRINCIPLE_2_DESCRIPTION]
-<!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
+### Security Requirements
 
-### [PRINCIPLE_3_NAME]
-<!-- Example: III. Test-First (NON-NEGOTIABLE) -->
-[PRINCIPLE_3_DESCRIPTION]
-<!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
+All code MUST adhere to security best practices:
 
-### [PRINCIPLE_4_NAME]
-<!-- Example: IV. Integration Testing -->
-[PRINCIPLE_4_DESCRIPTION]
-<!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
+- **No hard-coded secrets**: API keys, passwords, tokens MUST be loaded from environment variables or secrets manager
+- **Input validation**: All external input (API requests, file uploads, user input) MUST be validated using Pydantic models or similar
+- **Secure communications**: HTTPS required for all external communications; verify TLS certificates
+- **Authentication**: API endpoints MUST enforce authentication via API keys; protected routes MUST verify JWTs
+- **Security scanning**: CI MUST run security tools (`bandit`, `Safety`, Dependabot) and fail on critical CVEs
+- **Audit logging**: Security events (authentication, authorization failures, data access) MUST be logged with sufficient detail
 
-### [PRINCIPLE_5_NAME]
-<!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
-[PRINCIPLE_5_DESCRIPTION]
-<!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
+### Quality Gates
 
-## [SECTION_2_NAME]
-<!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
+Before any merge to main branch:
 
-[SECTION_2_CONTENT]
-<!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
+- **All tests pass**: Unit, integration, and contract tests MUST succeed
+- **Coverage threshold**: Minimum 80% code coverage achieved
+- **Static analysis clean**: mypy, pylint, flake8 report zero warnings
+- **Security scan clean**: No critical or high-severity vulnerabilities
+- **Code formatting**: All code formatted with black and isort
+- **Documentation updated**: README, docstrings, and architecture docs reflect changes
 
-## [SECTION_3_NAME]
-<!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
+## Development Workflow & Review Process
 
-[SECTION_3_CONTENT]
-<!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
+### Code Review Requirements
+
+All pull requests MUST undergo code review before merge:
+
+- **Constitution compliance**: Reviewer MUST verify adherence to all principles in this constitution
+- **Test verification**: Reviewer MUST verify tests were written first and originally failed
+- **Architecture alignment**: Changes MUST align with modular architecture and separation of concerns
+- **Naming review**: Variable, function, and class names MUST be clear and descriptive
+- **Documentation**: Changes requiring documentation updates MUST include those updates in the same PR
+
+### Complexity Justification
+
+Any violation of constitution principles MUST be explicitly justified:
+
+- **Document in plan**: Complexity justification MUST appear in `specs/[feature]/plan.md`
+- **Alternative considered**: Justification MUST explain why simpler alternatives were rejected
+- **Review approval**: Complexity violations require explicit approval from senior developers
+- **Technical debt tracking**: Violations MUST be tracked as technical debt with a remediation plan
+
+### Branch Strategy
+
+- **Main branch protection**: Direct commits to `main` forbidden; all changes via pull requests
+- **Feature branches**: Use format `###-feature-name` aligned with specification documents
+- **Commit discipline**: Commit after each logical unit of work (typically one task from `tasks.md`)
 
 ## Governance
-<!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
 
-[GOVERNANCE_RULES]
-<!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
+### Constitutional Authority
+
+This constitution supersedes all other development practices and guidelines:
+
+- **Precedence**: In case of conflict between this constitution and other documents, constitution takes precedence
+- **Mandatory compliance**: All code changes, regardless of urgency, MUST comply with constitutional principles
+- **No exceptions without documentation**: Any exception MUST be documented and justified in the feature's `plan.md`
+
+### Amendment Process
+
+Amendments to this constitution require:
+
+1. **Proposal document**: Written proposal explaining the change, rationale, and impact
+2. **Impact analysis**: Assessment of changes required in codebase and existing specifications
+3. **Team review**: Discussion and consensus among development team
+4. **Migration plan**: For breaking changes, a clear migration path for existing code
+5. **Version update**: Semantic versioning applied to constitution version
+6. **Template propagation**: Update all affected templates (plan, spec, tasks) to align with amendments
+
+### Versioning Policy
+
+Constitution versions follow semantic versioning (MAJOR.MINOR.PATCH):
+
+- **MAJOR**: Backward-incompatible changes (principle removals, redefinitions that invalidate existing code)
+- **MINOR**: New principles or sections added, material expansions to existing principles
+- **PATCH**: Clarifications, wording improvements, typo fixes, non-semantic refinements
+
+### Compliance Review
+
+- **Every pull request**: Reviewer MUST verify constitutional compliance
+- **Quarterly audits**: Conduct quarterly reviews of codebase for constitutional drift
+- **Metrics tracking**: Track metrics on test coverage, static analysis violations, security issues
+- **Continuous improvement**: Use metrics to identify areas for process improvement
+
+### Runtime Guidance
+
+For day-to-day development guidance and practical implementation details, developers SHOULD reference:
+
+- **Coding guidelines**: `.github/instructions/coding-guidelines.instructions.md`
+- **Architecture documentation**: `docs/architecture.md`
+- **Architecture Decision Records**: `docs/ADRs/` for historical context on technical decisions
+- **Template files**: `.specify/templates/*.md` for specification and planning workflows
 
-**Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
-<!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->
+**Version**: 1.0.0 | **Ratified**: 2025-10-29 | **Last Amended**: 2025-10-29