Constitutional engine

The constitutional engine is the one subsystem that cannot be overridden by reinforcement, policy drift, or self-modification proposals - it enforces invariants that hold regardless of what the rest of the system learns. It checks every proposed action, policy update, and self-modification proposal against three categories of constraint: epistemic hygiene (no proposal may cause synthetic events to contaminate the episodic truth layer or blur the boundary between imagined and observed experience), reward integrity (proposals that touch the reinforcement pathway require two independent signatures to prevent single-point corruption), and identity stability (proposals that would push identity drift above maxIdentityDrift are quarantined until the system restabilizes). The two-signature requirement for reward corruption is a direct response to a known AI safety risk: a single compromised signal source should not be able to corrupt the reinforcement pathway. Requiring a watchdog agent signature alongside the proposal signature makes that attack path require two independent compromises simultaneously. Quarantined proposals are preserved in the audit stream and may be resubmitted with narrower scope after stabilization.