docs(framework): P3.1 fast-follow — governance wording + gate scope + bare-launch note

Non-blocking items from the #575 dual-engine review:
- CONSTITUTION.md: state explicitly there is NO CONSTITUTION.local.md and hard
  gates are not locally overridable (clarity vs LAYER-MODEL overlay-eligibility)
- verify-sanitized.sh: expand identity scan to *.yml/*.yaml/*.toml/*.env/*.service
  (operator data could hide in shipped configs) — gate green, no new hits
- AGENTS.md: clarify the intentional bare-launch stop-if-missing strictness vs the
  launcher's readOptional tolerance (which keeps pre-upgrade hosts working)

Refs #542, closes #576

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packages/mosaic/framework/tools/quality/scripts/verify-sanitized.sh

@@ -12,7 +12,7 @@
 #   2. STRUCTURAL (private $HOME default in *.sh) — scanned everywhere EXCEPT examples/,
 #        because worked example overlays/personas legitimately show placeholder paths.
 #
-# File types: *.md, *.sh, *.ps1, *.json, and the extensionless CLI scripts under
+# File types: *.md, *.sh, *.ps1, *.json, *.yml/*.yaml, *.toml, *.env, *.service, and the CLI scripts under
 # tools/_scripts/. Excludes node_modules/ and this gate file.
 #
 # NOTE: '\bPDA\b' intentionally matches "PDA-friendly" (the contamination removed in P2);
@@ -39,7 +39,7 @@ cd "$FRAMEWORK_ROOT" || { echo "FRAMEWORK_ROOT not found: $FRAMEWORK_ROOT" >&2;
 # Identity scope = ALL shipped text files (examples/ INCLUDED).
 _files_identity() {
   find . -type f \
-    \( -name '*.md' -o -name '*.sh' -o -name '*.ps1' -o -name '*.json' -o -path '*/tools/_scripts/*' \) \
+    \( -name '*.md' -o -name '*.sh' -o -name '*.ps1' -o -name '*.json' -o -name '*.yml' -o -name '*.yaml' -o -name '*.toml' -o -name '*.env' -o -name '*.service' -o -path '*/tools/_scripts/*' \) \
     -not -path '*/node_modules/*' -not -path "./$SELF_REL" -print0
 }
 # Structural scope = shipped scripts, examples/ EXCLUDED.