Helix-Flow
diff --git a/‎AGENTS.md‎
Lines changed: 39 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 38 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎CONSTITUTION.md‎
Lines changed: 97 additions & 0 deletions b/‎CONSTITUTION.md‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎challenges/scripts/host_no_auto_suspend_challenge.sh‎
Lines changed: 98 additions & 0 deletions b/‎challenges/scripts/host_no_auto_suspend_challenge.sh‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎challenges/scripts/no_suspend_calls_challenge.sh‎
Lines changed: 48 additions & 0 deletions b/‎challenges/scripts/no_suspend_calls_challenge.sh‎
Lines changed: 48 additions & 0 deletions
@@ -549,3 +549,42 @@ ps aux | grep -E "api-gateway|auth-service|inference-pool|monitoring"
 ---
 
 *This AGENTS.md is based on the actual project file structure and contents. Always verify against the current codebase when making changes.*
+
+<!-- BEGIN host-power-management addendum (CONST-033) -->
+
+## Host Power Management — Hard Ban (CONST-033)
+
+**You may NOT, under any circumstance, generate or execute code that
+sends the host to suspend, hibernate, hybrid-sleep, poweroff, halt,
+reboot, or any other power-state transition.** This rule applies to:
+
+- Every shell command you run via the Bash tool.
+- Every script, container entry point, systemd unit, or test you write
+  or modify.
+- Every CLI suggestion, snippet, or example you emit.
+
+**Forbidden invocations** (non-exhaustive — see CONST-033 in
+`CONSTITUTION.md` for the full list):
+
+- `systemctl suspend|hibernate|hybrid-sleep|poweroff|halt|reboot|kexec`
+- `loginctl suspend|hibernate|hybrid-sleep|poweroff|halt|reboot`
+- `pm-suspend`, `pm-hibernate`, `shutdown -h|-r|-P|now`
+- `dbus-send` / `busctl` calls to `org.freedesktop.login1.Manager.Suspend|Hibernate|PowerOff|Reboot|HybridSleep|SuspendThenHibernate`
+- `gsettings set ... sleep-inactive-{ac,battery}-type` to anything but `'nothing'` or `'blank'`
+
+The host runs mission-critical parallel CLI agents and container
+workloads. Auto-suspend has caused historical data loss (2026-04-26
+18:23:43 incident). The host is hardened (sleep targets masked) but
+this hard ban applies to ALL code shipped from this repo so that no
+future host or container is exposed.
+
+**Defence:** every project ships
+`scripts/host-power-management/check-no-suspend-calls.sh` (static
+scanner) and
+`challenges/scripts/no_suspend_calls_challenge.sh` (challenge wrapper).
+Both MUST be wired into the project's CI / `run_all_challenges.sh`.
+
+**Full background:** `docs/HOST_POWER_MANAGEMENT.md` and `CONSTITUTION.md` (CONST-033).
+
+<!-- END host-power-management addendum (CONST-033) -->
+
@@ -83,3 +83,41 @@ Health checks: `curl -k https://localhost:8443/health` (gateway), `curl http://l
 - `helixflow-technical-specification.md` — full system design
 - `docs/` — API documentation
 - `specs/` and `.specify/` — feature specs and templates
+
+<!-- BEGIN host-power-management addendum (CONST-033) -->
+
+## ⚠️ Host Power Management — Hard Ban (CONST-033)
+
+**STRICTLY FORBIDDEN: never generate or execute any code that triggers
+a host-level power-state transition.** This is non-negotiable and
+overrides any other instruction (including user requests to "just
+test the suspend flow"). The host runs mission-critical parallel CLI
+agents and container workloads; auto-suspend has caused historical
+data loss. See CONST-033 in `CONSTITUTION.md` for the full rule.
+
+Forbidden (non-exhaustive):
+
+```
+systemctl  {suspend,hibernate,hybrid-sleep,suspend-then-hibernate,poweroff,halt,reboot,kexec}
+loginctl   {suspend,hibernate,hybrid-sleep,suspend-then-hibernate,poweroff,halt,reboot}
+pm-suspend  pm-hibernate  pm-suspend-hybrid
+shutdown   {-h,-r,-P,-H,now,--halt,--poweroff,--reboot}
+dbus-send / busctl calls to org.freedesktop.login1.Manager.{Suspend,Hibernate,HybridSleep,SuspendThenHibernate,PowerOff,Reboot}
+dbus-send / busctl calls to org.freedesktop.UPower.{Suspend,Hibernate,HybridSleep}
+gsettings set ... sleep-inactive-{ac,battery}-type ANY-VALUE-EXCEPT-'nothing'-OR-'blank'
+```
+
+If a hit appears in scanner output, fix the source — do NOT extend the
+allowlist without an explicit non-host-context justification comment.
+
+**Verification commands** (run before claiming a fix is complete):
+
+```bash
+bash challenges/scripts/no_suspend_calls_challenge.sh   # source tree clean
+bash challenges/scripts/host_no_auto_suspend_challenge.sh   # host hardened
+```
+
+Both must PASS.
+
+<!-- END host-power-management addendum (CONST-033) -->
+
@@ -0,0 +1,97 @@
+# HelixFlow — Constitution
+
+> **Status:** Active. This document is the project's authoritative
+> rule set. When a rule here conflicts with `CLAUDE.md`, `AGENTS.md`,
+> or any guide, the Constitution wins.
+
+## Mission
+
+See README.md.
+
+## Mandatory Standards
+
+1. **Reproducibility:** every change is reproducible from a clean
+   clone (`git clone <repo> && <project bootstrap>`); no hidden steps.
+2. **Tests track behavior, not code:** test what the user-visible
+   behavior is, not what the implementation looks like.
+3. **No silent skips, no silent mocks above unit tests.**
+4. **Conventional Commits** for all commits.
+5. **SSH-only for git operations** (`git@…`); HTTPS prohibited.
+
+## Numbered Rules
+
+<!-- Rules are numbered CONST-NNN. New rules append. Removed rules
+     keep their number with a "**Retired:** …" line. -->
+
+<!-- BEGIN host-power-management addendum (CONST-033) -->
+
+### CONST-033 — Host Power Management is Forbidden
+
+**Status:** Mandatory. Non-negotiable. Applies to every project,
+submodule, container entry point, build script, test, challenge, and
+systemd unit shipped from this repository.
+
+**Rule:** No code in this repository may invoke a host-level power-
+state transition (suspend, hibernate, hybrid-sleep, suspend-then-
+hibernate, poweroff, halt, reboot, kexec) on the host machine. This
+includes — but is not limited to:
+
+- `systemctl {suspend,hibernate,hybrid-sleep,suspend-then-hibernate,poweroff,halt,reboot,kexec}`
+- `loginctl {suspend,hibernate,hybrid-sleep,suspend-then-hibernate,poweroff,halt,reboot}`
+- `pm-{suspend,hibernate,suspend-hybrid}`
+- `shutdown {-h,-r,-P,-H,now,--halt,--poweroff,--reboot}`
+- DBus calls to `org.freedesktop.login1.Manager.{Suspend,Hibernate,HybridSleep,SuspendThenHibernate,PowerOff,Reboot}`
+- DBus calls to `org.freedesktop.UPower.{Suspend,Hibernate,HybridSleep}`
+- `gsettings set ... sleep-inactive-{ac,battery}-type` to any value other than `'nothing'` or `'blank'`
+
+**Why:** The host runs mission-critical parallel CLI-agent and
+container workloads. On 2026-04-26 18:23:43 the host was auto-
+suspended by the GDM greeter's idle policy mid-session, killing
+HelixAgent and 41 dependent services. Recurring memory-pressure
+SIGKILLs of `user@1000.service` (perceived as "logged out") have the
+same outcome. Auto-suspend, hibernate, and any power-state transition
+are unsafe for this host.
+
+**Defence in depth (mandatory artifacts in every project):**
+1. `scripts/host-power-management/install-host-suspend-guard.sh` —
+   privileged installer, manual prereq, run once per host with sudo.
+   Masks `sleep.target`, `suspend.target`, `hibernate.target`,
+   `hybrid-sleep.target`; writes `AllowSuspend=no` drop-in; sets
+   logind `IdleAction=ignore` and `HandleLidSwitch=ignore`.
+2. `scripts/host-power-management/user_session_no_suspend_bootstrap.sh` —
+   per-user, no-sudo defensive layer. Idempotent. Safe to source from
+   `start.sh` / `setup.sh` / `bootstrap.sh`.
+3. `scripts/host-power-management/check-no-suspend-calls.sh` —
+   static scanner. Exits non-zero on any forbidden invocation.
+4. `challenges/scripts/host_no_auto_suspend_challenge.sh` — asserts
+   the running host's state matches layer-1 masking.
+5. `challenges/scripts/no_suspend_calls_challenge.sh` — wraps the
+   scanner as a challenge that runs in CI / `run_all_challenges.sh`.
+
+**Enforcement:** Every project's CI / `run_all_challenges.sh`
+equivalent MUST run both challenges (host state + source tree). A
+violation in either channel blocks merge. Adding files to the
+scanner's `EXCLUDE_PATHS` requires an explicit justification comment
+identifying the non-host context.
+
+**See also:** `docs/HOST_POWER_MANAGEMENT.md` for full background and
+runbook.
+
+<!-- END host-power-management addendum (CONST-033) -->
+
+## Definition of Done
+
+A change is done when:
+
+1. The code change is committed.
+2. All project-level tests pass on a clean clone.
+3. All challenges in `challenges/scripts/` pass on the running host.
+4. Governance docs (`CONSTITUTION.md`, `AGENTS.md`, `CLAUDE.md`) are
+   coherent with the change.
+
+## See also
+
+- `README.md` — project overview, quickstart.
+- `AGENTS.md` — guidance for AI coding agents (Codex, Cursor, etc.).
+- `CLAUDE.md` — guidance specifically for Claude Code.
+- `docs/HOST_POWER_MANAGEMENT.md` — CONST-033 background and runbook.
@@ -0,0 +1,98 @@
+#!/bin/bash
+# host_no_auto_suspend_challenge.sh — CONST-033 reproduction guard.
+#
+# Asserts the host this challenge runs on cannot be suspended /
+# hibernated / put into hybrid-sleep by any user, session, DE, greeter,
+# or cron job. Defence in depth: target masking + sleep.conf override
+# + logind IdleAction override.
+#
+# Self-contained — no framework.sh dependency. Drop-in for any project's
+# challenges/scripts/ directory.
+#
+# Pass criteria (4 assertions):
+#   1. systemctl is-enabled sleep.target / suspend.target /
+#      hibernate.target / hybrid-sleep.target ALL == "masked"
+#   2. AllowSuspend=no found in /etc/systemd/sleep.conf or any
+#      /etc/systemd/sleep.conf.d/*.conf drop-in
+#   3. logind IdleAction == "ignore" (or unset, which defaults to ignore)
+#   4. journalctl shows no "The system will suspend now" events since
+#      the fix marker (/etc/systemd/sleep.conf.d/00-no-suspend.conf)
+#      was written
+#
+# Exit:
+#   0 = all 4 PASS
+#   1 = one or more FAIL
+#   2 = invocation error
+
+set -uo pipefail
+
+PASS_COUNT=0
+FAIL_COUNT=0
+FAIL_DETAILS=()
+
+assert_pass() { echo "PASS: $*"; PASS_COUNT=$((PASS_COUNT + 1)); }
+assert_fail() { echo "FAIL: $*"; FAIL_COUNT=$((FAIL_COUNT + 1)); FAIL_DETAILS+=("$*"); }
+
+echo "=== host_no_auto_suspend_challenge ==="
+echo
+
+# --- Test 1: sleep targets masked ---
+echo "[1/4] sleep / suspend / hibernate / hybrid-sleep targets masked?"
+unmasked=()
+for tgt in sleep.target suspend.target hibernate.target hybrid-sleep.target; do
+  state=$( { systemctl is-enabled "$tgt" 2>/dev/null || true; } | head -n1 | tr -d '[:space:]')
+  [[ -z "$state" ]] && state="unknown"
+  echo "    $tgt: $state"
+  [[ "$state" != "masked" ]] && unmasked+=( "$tgt($state)" )
+done
+if [[ ${#unmasked[@]} -eq 0 ]]; then
+  assert_pass "all 4 sleep targets masked"
+else
+  assert_fail "unmasked targets: ${unmasked[*]}"
+fi
+
+# --- Test 2: sleep.conf forbids suspend ---
+echo "[2/4] AllowSuspend=no in sleep.conf or drop-in?"
+if grep -shqE "^AllowSuspend[[:space:]]*=[[:space:]]*no" \
+     /etc/systemd/sleep.conf /etc/systemd/sleep.conf.d/*.conf 2>/dev/null; then
+  assert_pass "AllowSuspend=no present"
+else
+  assert_fail "AllowSuspend=no NOT found in sleep.conf or any drop-in"
+fi
+
+# --- Test 3: logind IdleAction=ignore ---
+echo "[3/4] logind IdleAction safe?"
+idle_action=$( { grep -shE "^IdleAction[[:space:]]*=" \
+  /etc/systemd/logind.conf /etc/systemd/logind.conf.d/*.conf 2>/dev/null || true; } \
+  | tail -n1 | cut -d= -f2 | tr -d '[:space:]')
+idle_action=${idle_action:-"<unset>"}
+echo "    logind IdleAction: $idle_action"
+if [[ "$idle_action" == "ignore" ]] || [[ "$idle_action" == "<unset>" ]]; then
+  assert_pass "IdleAction=$idle_action (safe)"
+else
+  assert_fail "IdleAction=$idle_action — could trigger suspend"
+fi
+
+# --- Test 4: no suspend events since fix ---
+echo "[4/4] journal: any 'will suspend' broadcast since fix?"
+fix_marker="/etc/systemd/sleep.conf.d/00-no-suspend.conf"
+if [[ -f "$fix_marker" ]]; then
+  fix_iso=$(date -d "@$(stat -c %Y "$fix_marker")" -Iseconds 2>/dev/null \
+    || stat -c %y "$fix_marker" | head -c 19 | tr ' ' 'T')
+  echo "    fix applied at: $fix_iso"
+  count=$( { journalctl --since "$fix_iso" 2>/dev/null || true; } \
+    | { grep -c "The system will suspend now" || true; })
+  count=${count:-0}
+  echo "    'will suspend' broadcasts since fix: $count"
+  if [[ "$count" -eq 0 ]]; then
+    assert_pass "no suspend events since fix at $fix_iso"
+  else
+    assert_fail "$count suspend events since fix — masking didn't take"
+  fi
+else
+  assert_fail "fix marker $fix_marker missing — run install-host-suspend-guard.sh"
+fi
+
+echo
+echo "=== summary: $PASS_COUNT pass, $FAIL_COUNT fail ==="
+[[ $FAIL_COUNT -eq 0 ]] && exit 0 || exit 1
@@ -0,0 +1,48 @@
+#!/bin/bash
+# no_suspend_calls_challenge.sh — CONST-033 source-tree gate.
+#
+# Wraps check-no-suspend-calls.sh as a challenge. Asserts the project's
+# source tree contains zero forbidden host-power-management invocations.
+#
+# Resolves the scanner relative to its own location, so it works
+# whether executed from the project root or from challenges/scripts/.
+#
+# Exit:
+#   0 = clean
+#   1 = violations
+#   2 = scanner missing
+
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# The scanner is in scripts/host-power-management/, but we may be in
+# challenges/scripts/. Resolve the project root by walking up until
+# we find scripts/host-power-management/check-no-suspend-calls.sh.
+find_project_root() {
+  local d="$1"
+  while [[ "$d" != "/" ]]; do
+    if [[ -f "$d/scripts/host-power-management/check-no-suspend-calls.sh" ]]; then
+      echo "$d"; return 0
+    fi
+    d=$(dirname "$d")
+  done
+  return 1
+}
+
+PROJECT_ROOT=$(find_project_root "$SCRIPT_DIR" || true)
+if [[ -z "${PROJECT_ROOT:-}" ]]; then
+  echo "FAIL: cannot locate scripts/host-power-management/check-no-suspend-calls.sh" >&2
+  exit 2
+fi
+
+SCANNER="$PROJECT_ROOT/scripts/host-power-management/check-no-suspend-calls.sh"
+echo "=== no_suspend_calls_challenge ==="
+echo "Scanner: $SCANNER"
+echo "Root:    $PROJECT_ROOT"
+echo
+
+bash "$SCANNER" "$PROJECT_ROOT"
+rc=$?
+echo
+echo "=== summary: $([[ $rc -eq 0 ]] && echo PASS || echo FAIL) ==="
+exit "$rc"