Good project, but are the constraints (never fabricate results, never modify credentials) enforced structurally, or are they prompt-level instructions the agent could technically ignore? For example, does the "score must not decrease" rule have a git hook that auto-reverts, or is it relying on something else?