
Updated Nick's Notes #2

Merged: kalen-releasedgroup merged 4 commits into main from Nick-Review on Apr 23, 2026

@nickbeau
Contributor

This pull request significantly revises and expands both the operating contract for contributors (AGENTS.md) and the product requirements (docs/requirements.md). The changes clarify project boundaries, strengthen security and architecture guardrails, and provide much more detailed, actionable standards for persistence, security, and operational practices. These updates ensure that all contributors have a clear, enforceable framework for safe, auditable, and maintainable development.

Key changes include:

1. Project Governance and Contribution Standards

  • AGENTS.md is rewritten to clearly separate the main product (test mining platform) from retained tooling (Symphony), requiring every PR to declare its target and to split cross-boundary changes. It introduces explicit sections for mission, sources of truth, non-negotiable guardrails, architecture rules, coding standards, security hygiene, testing, configuration, observability, delivery workflow, and escalation procedures.

2. Persistence and Database Requirements

  • The product requirements now specify PostgreSQL as the only required database provider for v1, with SQL Server support deferred but not blocked. Provider-specific features are allowed in v1 if future portability is considered. Integration tests must use real PostgreSQL, not in-memory providers.
  • All persistent entities must include common fields for audit, concurrency, and soft-deletion, with detailed rules for each.
  • A new UserAccount entity is defined, and all audit references must resolve to this entity.

3. Security and Data Protection

  • Strict guardrails are introduced: never log, persist, or emit secrets; enforce allow-lists for target URLs; require encryption at rest for sensitive material; and prohibit hand-editing of generated code. [1] [2]
  • Detailed requirements for encryption and masking of sensitive data are added, including retroactive masking if a field's classification changes.

4. Artefact Retention and Cleanup

  • Artefact storage is now governed by explicit retention windows and size caps (e.g., screenshots retained for 30 days, capped at 10 MB), with administrative override possible. A background process will enforce cleanup and audit deletions.

5. Human Approval and AI Guardrails

  • Healing proposals that alter persisted scenarios must always require human approval in v1; auto-apply policies are deferred and heavily restricted for future versions.

6. Operational Metrics and Performance Targets

  • Performance targets are now precise (e.g., p50/p95 latencies for key operations), and observability requirements ensure these can be measured and verified in production.

These changes collectively raise the bar for safety, auditability, and clarity in both code and process, and should be carefully reviewed by all contributors.


Copilot AI left a comment


Pull request overview

This PR updates the repository’s contributor operating contract (AGENTS.md) and the product requirements spec (docs/requirements.md) to more explicitly define repository boundaries (platform vs. retained Symphony tooling), and to tighten security, persistence, and operational guardrails for the test mining platform.

Changes:

  • Rewrites AGENTS.md to establish governance, guardrails, architecture boundaries, and workflow expectations for contributors.
  • Expands docs/requirements.md with a v1 persistence/provider strategy (PostgreSQL-first), common entity requirements, security/encryption/URL allow-list requirements, retention policies, and more explicit exit/acceptance criteria.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File | Description
docs/requirements.md | Extends/clarifies product requirements across persistence strategy, security controls, retention policies, and acceptance/exit criteria.
AGENTS.md | Replaces the prior Symphony-focused guidance with a platform-focused operating contract and cross-boundary contribution rules.


Comment thread docs/requirements.md Outdated
Comment thread docs/requirements.md Outdated
Comment thread AGENTS.md Outdated
nickbeau and others added 3 commits April 23, 2026 10:38
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@kalen-releasedgroup kalen-releasedgroup merged commit 7e6d299 into main Apr 23, 2026
2 checks passed
@kalen-releasedgroup kalen-releasedgroup deleted the Nick-Review branch April 23, 2026 00:41