chore(deps)(deps): update typer requirement from ^0.16.1 to ^0.21.1

.github/workflows/core-ci.yml

@@ -33,7 +33,7 @@ jobs:
         run: pipx install poetry
 
       - name: Cache Poetry & Pip
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cache/pypoetry

.github/workflows/daily_sync.yml

@@ -34,7 +34,7 @@ jobs:
           poetry run core-admin submit changes -m "chore(auto): Daily constitutional sync and audit"
 
       - name: "Create Pull Request if Changes Occur"
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "chore(auto): Propose changes from daily constitutional sync"

.intent/CORE-CHARTER.md

@@ -72,8 +72,13 @@ No operational rule may contradict constitutional principles.
 
 To understand CORE's governance:
 
-1. `.intent/constitution/` - Foundation documents
-2. `.intent/papers/` - Constitutional philosophy
+1. `.intent/constitution/CORE-CONSTITUTION-v0.md` - Foundation document
+2. `.intent/papers/` - Constitutional philosophy:
+   * `CORE-Constitutional-Foundations.md`
+   * `CORE-Mind-Body-Will-Separation.md`
+   * `CORE-Infrastructure-Definition.md` **(← ADDED: Infrastructure boundaries)**
+   * `CORE-Common-Governance-Failure-Modes.md`
+   * Additional constitutional papers
 3. `.intent/META/` - Schema contracts
 4. `.intent/rules/` - Operational rules
 5. This Charter
@@ -99,6 +104,12 @@ Any contradiction must be resolved in favor of: Constitution → Papers → META
 * Makes decisions within constitutional bounds
 * Delegates execution to Body
 
+**Infrastructure (src/shared/infrastructure/):** **(← ADDED: Infrastructure category)**
+* Provides mechanical coordination without strategic decisions
+* Bounded by explicit authority limits defined in constitutional papers
+* Subject to infrastructure-specific governance rules
+* See: `.intent/papers/CORE-Infrastructure-Definition.md`
+
 ---
 
 ## 6. Intentional Incompleteness

.intent/enforcement/mappings/architecture/atomic_actions.yaml

@@ -0,0 +1,50 @@
+mappings:
+  # Rule: atomic_actions.must_return_action_result
+  # Enforcement: Registration-time validation in registry.py
+  # This mapping tells the system that enforcement happens in Python code at module load time
+  atomic_actions.must_return_action_result:
+    engine: python_runtime
+    params:
+      check_type: registration_time_validation
+      enforcement_location: "body.atomic.registry.register_action"
+      validation_function: "_validate_action_signature"
+    scope:
+      applies_to:
+        - "src/body/atomic/**/*.py"
+
+  # Rule: atomic_actions.must_have_decorator
+  # Enforcement: Registration-time validation in registry.py
+  atomic_actions.must_have_decorator:
+    engine: python_runtime
+    params:
+      check_type: registration_time_validation
+      enforcement_location: "body.atomic.registry.register_action"
+      validation_function: "_validate_action_signature"
+    scope:
+      applies_to:
+        - "src/body/atomic/**/*.py"
+
+  # Rule: atomic_actions.result_must_be_structured
+  # Enforcement: Runtime validation in executor.py
+  atomic_actions.result_must_be_structured:
+    engine: python_runtime
+    params:
+      check_type: runtime_validation
+      enforcement_location: "body.atomic.executor.ActionExecutor.execute"
+      validation_function: "_validate_action_result"
+    scope:
+      applies_to:
+        - "src/body/atomic/**/*.py"
+
+  # Rule: atomic_actions.no_governance_bypass
+  # Enforcement: Both registration-time and runtime
+  atomic_actions.no_governance_bypass:
+    engine: python_runtime
+    params:
+      check_type: comprehensive_validation
+      enforcement_locations:
+        - "body.atomic.registry.register_action"
+        - "body.atomic.executor.ActionExecutor.execute"
+    scope:
+      applies_to:
+        - "src/body/atomic/**/*.py"

.intent/enforcement/mappings/infrastructure/authority_boundaries.yaml

@@ -0,0 +1,120 @@
+# .intent/enforcement/mappings/infrastructure/authority_boundaries.yaml
+#
+# Enforces authority boundaries for Infrastructure components.
+# Based on: .intent/papers/CORE-Infrastructure-Definition.md
+
+mappings:
+  # ==========================================================================
+  # RULE 1: Infrastructure May Not Make Strategic Decisions
+  # ==========================================================================
+
+  # LAW: Infrastructure components must provide mechanical coordination without strategic decision-making
+  #
+  # CONSTITUTIONAL NOTE: Infrastructure is exempt from Mind/Body/Will layer restrictions
+  # but must still respect authority boundaries. Strategic decisions are forbidden.
+  # See: .intent/papers/CORE-Infrastructure-Definition.md Section 4.2
+  infrastructure.no_strategic_decisions:
+    engine: knowledge_gate
+    params:
+      check_type: component_responsibility
+      expected_pattern: "Infrastructure provides coordination without strategic decisions"
+    scope:
+      applies_to:
+        - "src/shared/infrastructure/**/*.py"
+      excludes:
+        - "src/shared/infrastructure/**/*_test.py"
+
+  # ==========================================================================
+  # RULE 2: Infrastructure Must Document Constitutional Authority
+  # ==========================================================================
+
+  # LAW: Infrastructure components must document their constitutional authority claims
+  #
+  # CONSTITUTIONAL NOTE: Explicit authority claims enable governance validation.
+  # All infrastructure must declare: CONSTITUTIONAL AUTHORITY, AUTHORITY LIMITS, EXEMPTIONS
+  infrastructure.constitutional_documentation:
+    engine: regex_gate
+    params:
+      check_type: docstring_content
+      required_patterns:
+        - "CONSTITUTIONAL AUTHORITY"
+        - "AUTHORITY LIMITS"
+    scope:
+      applies_to:
+        - "src/shared/infrastructure/service_registry.py"
+        - "src/shared/infrastructure/database/session_manager.py"
+        - "src/shared/infrastructure/config_service.py"
+
+  # ==========================================================================
+  # RULE 3: Infrastructure May Not Contain Business Logic
+  # ==========================================================================
+
+  # LAW: Infrastructure must remain domain-agnostic and contain no business logic
+  #
+  # CONSTITUTIONAL NOTE: Business logic in infrastructure couples coordination to domain.
+  # Infrastructure should work with any domain - no semantic understanding of operations.
+  infrastructure.no_business_logic:
+    engine: knowledge_gate
+    params:
+      check_type: component_responsibility
+      expected_pattern: "Infrastructure is domain-agnostic coordination machinery"
+    scope:
+      applies_to:
+        - "src/shared/infrastructure/**/*.py"
+
+  # ==========================================================================
+  # RULE 4: ServiceRegistry Specific - No Conditional Service Loading
+  # ==========================================================================
+
+  # LAW: ServiceRegistry must not choose between service loading strategies based on semantic context
+  #
+  # CONSTITUTIONAL NOTE: Look for conditional logic patterns that suggest strategic decision-making.
+  # Keywords like "priority", "critical", "important" indicate semantic understanding.
+  infrastructure.service_registry.no_conditional_loading:
+    engine: regex_gate
+    params:
+      forbidden_patterns:
+        - "if.*priority"
+        - "if.*critical"
+        - "if.*important"
+        - "high_priority"
+        - "low_priority"
+    scope:
+      applies_to:
+        - "src/shared/infrastructure/service_registry.py"
+
+  # ==========================================================================
+  # RULE 5: Infrastructure Must Use Explicit Error Handling
+  # ==========================================================================
+
+  # LAW: Infrastructure must not use bare except clauses that suppress all errors
+  #
+  # CONSTITUTIONAL NOTE: Bare except: pass is selective suppression by omission.
+  # All errors must be handled explicitly or propagated.
+  infrastructure.no_bare_except:
+    engine: regex_gate
+    params:
+      forbidden_patterns:
+        - "except:\\s*pass"
+        - "except Exception:\\s*pass"
+    scope:
+      applies_to:
+        - "src/shared/infrastructure/**/*.py"
+      excludes:
+        - "tests/**"
+# ==============================================================================
+# Meta: This mapping enforces infrastructure authority boundaries
+# ==============================================================================
+
+# Infrastructure is coordination machinery, not decision-making.
+# These rules ensure infrastructure stays mechanical and deterministic.
+#
+# Enforcement Strategy:
+# - knowledge_gate rules: Advisory (report findings, don't block)
+# - regex_gate rules: Advisory initially, can be promoted to blocking
+#
+# Roadmap:
+# - Phase 1: Deploy with advisory enforcement
+# - Phase 2: Add constitutional docstrings to infrastructure components
+# - Phase 3: Promote documentation rules to blocking
+# - Phase 4: Add more sophisticated ast_gate checks if needed

.intent/enforcement/mappings/infrastructure/cli_commands.yaml

@@ -0,0 +1,89 @@
+mappings:
+  # LAW: All CLI commands MUST declare explicit metadata
+  #
+  # ENFORCEMENT: Runtime tracking during registry sync
+  # - command_sync_service logs coverage statistics
+  # - Inference provides fallback for unmigrated commands
+  # - No blocking enforcement (migration in progress)
+  #
+  # METRICS: Track coverage via command_sync_service logging:
+  #   "Commands with @command_meta: X/Y (Z%)"
+  #
+  # TARGET: 100% explicit metadata (phased migration)
+  cli.command.metadata_required:
+    engine: runtime_metric
+    params:
+      enforced_by: "features.maintenance.command_sync_service._sync_commands_to_db"
+      metric: "Commands with @command_meta"
+      tracking: "Logged during 'core-admin fix db-registry'"
+      phase: "migration"
+    scope:
+      applies_to: ["src/body/cli/commands/**/*.py"]
+
+  # LAW: Command canonical_name MUST follow hierarchical dot notation
+  #
+  # ENFORCEMENT: Validated by Pydantic CommandMeta dataclass
+  # - Pattern enforced in __post_init__
+  # - Invalid names raise ValueError at decoration time
+  cli.command.canonical_naming:
+    engine: dataclass_validation
+    params:
+      enforced_by: "shared.models.command_meta.CommandMeta.__post_init__"
+      validation: "Regex pattern in dataclass"
+      failure_mode: "ValueError on invalid canonical_name"
+    scope:
+      applies_to: ["@command_meta decorators"]
+
+  # LAW: Command behavior MUST be valid enum value
+  #
+  # ENFORCEMENT: Type-checked by CommandBehavior enum
+  # - Python will reject invalid enum values at parse time
+  cli.command.behavior_classification:
+    engine: type_system
+    params:
+      enforced_by: "shared.models.command_meta.CommandBehavior enum"
+      validation: "Python enum type checking"
+      allowed_values: ["read", "validate", "mutate", "transform"]
+    scope:
+      applies_to: ["@command_meta(behavior=...)"]
+
+  # LAW: Command layer MUST be valid enum value
+  #
+  # ENFORCEMENT: Type-checked by CommandLayer enum
+  cli.command.layer_assignment:
+    engine: type_system
+    params:
+      enforced_by: "shared.models.command_meta.CommandLayer enum"
+      validation: "Python enum type checking"
+      allowed_values: ["mind", "body", "will"]
+    scope:
+      applies_to: ["@command_meta(layer=...)"]
+
+  # LAW: Mutating commands SHOULD be marked as dangerous
+  #
+  # ENFORCEMENT: Advisory only (no blocking)
+  # - Developers responsible for correct dangerous flag
+  # - Code review should verify consistency
+  cli.command.dangerous_marking:
+    engine: advisory
+    params:
+      guidance: "Commands with behavior='mutate' should set dangerous=True"
+      enforcement: "Code review"
+    scope:
+      applies_to: ["src/body/cli/commands/**/*.py"]
+
+  # LAW: No duplicate canonical names
+  #
+  # ENFORCEMENT: Runtime deduplication in command_sync_service
+  # - Duplicates logged as warnings
+  # - First occurrence wins, duplicates skipped
+  # - Prevents database constraint violations
+  cli.command.no_duplicates:
+    engine: runtime_check
+    params:
+      enforced_by: "features.maintenance.command_sync_service._sync_commands_to_db"
+      deduplication_logic: "seen_names set tracking"
+      action: "Log warning and skip duplicate"
+      logged_as: "WARNING:...Duplicate command name detected"
+    scope:
+      applies_to: ["Registry sync process"]