constitution firewall

.specify/templates/plan-template.md

@@ -31,7 +31,12 @@
 
 *GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
 
-[Gates determined based on constitution file]
+- Confirm each change lives in the directory that owns the behavior.
+- Confirm shared logic stays in `modules/` and host-specific assembly stays in
+  `hosts/<name>/`.
+- Confirm any firewall, NAT, nftables, or port-forwarding work is scoped to
+  `hosts/<name>/firewall.nix` for the affected host.
+- Confirm any secret-dependent behavior respects `config.my.secureHost`.
 
 ## Project Structure