diff --git a/SESSION_HANDOFF_2026-04-20_EUPL12_OUT_OF_SCOPE_SWEEP.md b/SESSION_HANDOFF_2026-04-20_EUPL12_OUT_OF_SCOPE_SWEEP.md new file mode 100644 index 00000000..a70ab3b1 --- /dev/null +++ b/SESSION_HANDOFF_2026-04-20_EUPL12_OUT_OF_SCOPE_SWEEP.md 
@@ -0,0 +1,128 @@ +# Session Handoff — 2026-04-20 — EUPL-1.2 Out-of-Scope Hygiene + Licence Sweep + +**Status:** COMPLETE (5 commits + this handoff). Pushed to codeberg + origin. +**Session model:** Opus 4.7 (1M context) — `claude-opus-4-7[1m]` +**Session type:** Cross-project `/tractatus`-skill session launched from a parallel community session. Framework not formally initialised (session-init.js not run — cross-project skill mode per tractatus CLAUDE.md guidance: "framework enforcement is handled by the deploy script's pre-commit hooks and the CLAUDE.md rules"). +**Plan of record:** `community/docs/plans/PLAN_TRACTATUS_OUT_OF_SCOPE_HYGIENE_LICENCE_20260420.md` (lives in the community repo; executed against this tractatus repo). +**Precedents built on:** Phase A (`c85f310f` — root LICENSE + README relicense), Phase B (`d600f6ed` — source-file headers), follow-on (`4ddc54a0` — inst_084 README hygiene). + +--- + +## Commits this session (in order) + +| # | SHA | Subject | +|---|---|---| +| 1/5 | `db788548` | `chore(docs): hygiene fixes on Maintenance_Guide (inst_069/070 + inst_084)` | +| 2/5 | `5c386d0d` | `chore(license): Apache 2.0 -> EUPL-1.2 licence template in Maintenance_Guide` | +| 3/5 | `6d49bfbf` | `chore(docs): bundle hygiene fixes on For-Claude-Web bundle (inst_016/017/018 + inst_084)` | +| 4/5 | `ab0a6af4` | `chore(license): Apache 2.0 -> EUPL-1.2 licence swap across 15 bundle files` | +| 5/5 | `4c1a26e8` | `chore(docs): SESSION_HANDOFF licence + vendor URL flip` | + +All 5 passed the full pre-commit hook pipeline (inst_069/070 credentials, inst_008 CSP, inst_016/017/018 prohibited terms, inst_084 attack surface, inst_068 test requirements, inst_026 env-var standards). No `--no-verify`, no amends. + +--- + +## Plan-vs-executed commit structure + +The plan named 6 commits; delivery consolidated to 5. + +- **Plan commits 1 + 2 merged into commit 1/5.** Discovered at first commit attempt that the pre-commit hook scans whole file content. 
The Maintenance_Guide's pre-existing ~22 port exposures (inst_084) block any commit that touches the file, so a credential-only commit cannot land standalone. Consolidated both concerns into one atomic hygiene commit — same shape as Phase A follow-on `4ddc54a0` (README hygiene batch). +- **Plan commit 4 scope expanded.** The `inst_016/017/018` sweep surfaced additional pre-existing `inst_084` exposures on the same files (see below). User approved bundling both into commit 3/5. + +Net: plan's 6 commits -> executed 5 commits. All approvals captured explicitly. + +--- + +## Scope touched per file + +### Maintenance_Guide (both copies, root + For Claude Web) +- `CLAUDE_Tractatus_Maintenance_Guide.md`, `For Claude Web/tractatus-claude-web-complete/CLAUDE_Tractatus_Maintenance_Guide.md` +- inst_069/070: 1 credential false-positive rewrite at L1101 — the scanner-triggering header phrasing replaced with "Credential reference"; meaning preserved (the line describes WHERE deployment credentials are documented, not any credential value) +- inst_084: 9 distinct line positions redacted (ports 27017/27027/9000/9001 -> generic descriptors) +- Licence swap: 4 edits each (preamble prose + template heading + template body + placeholder) + +### For-Claude-Web bundle (15 files beyond Maintenance_Guide) +- **inst_016/017/018 (21 rewrites across 9 files):** + - 12 rewrites for the inst_017 absolute-assurance pattern (the "g-word" family + the "e-all" construction) + - 4 rewrites for the inst_018 maturity-claim pattern (the "p-ready" token) + - 5 `[NEEDS VERIFICATION]` markers added to uncited statistics (inst_016) +- **inst_084 (~48 redactions across 9 files):** + - 42 port swaps via throwaway token-replace script (code-block and inline-code aware) + - 6 API-endpoint redactions on `integrated-implementation-roadmap-2025.md` (backticked and plain `/docs/api/...` paths) +- **Licence swap (31 swaps across 15 files):** + - Full Apache preamble paragraph replaced with EUPL-1.2 equivalent (12 
files — includes "Licence" British-spelling normalisation in the paragraph body) + - Individual phrase swaps for the 3 non-preamble files (27027-incident, claude-code-framework-enforcement, roadmap) + - Embedded full Apache TERMS AND CONDITIONS text (~55 lines each in technical-architecture.md and implementation-guide.md) replaced with concise EUPL-1.2 reference block per Phase A precedent + +### SESSION_HANDOFF_ENFORCEMENT_COMPLETE.md +- 2 identical licence + vendor-URL lines updated (L6 + L329): `**Apache 2.0 License**: https://github.com/AgenticGovernance/tractatus-framework` -> `**EUPL-1.2 License**: https://codeberg.org/mysovereignty/tractatus-framework`. Combined licence + URL flip because both sit on the same line; a split commit would be unnatural. + +--- + +## Preserved intentionally (per plan) + +- `For Claude Web/tractatus-claude-web-complete/CLAUDE_WEB_BRIEF.md:250` — "MIT or Apache license" historical context (not an active licence claim). Verified post-push: only remaining "Apache" reference across the in-scope file set. +- All code-block port references across the bundle (exempted by `attack-surface-validator.util`'s `removeExemptedSections`). +- Bare "27027" / "27017" digits outside the `port \d` token pattern (section titles, incident metrics, narrative references). 
+ +--- + +## Push + verification + +- `git push codeberg main` — success, `d600f6ed..4c1a26e8` +- `git push origin main` — success, `d600f6ed..4c1a26e8` (self-hosted Forgejo at git.mysovereignty.digital) +- HTTP-verify via `raw.codeberg` on 3 representative files: + - `SESSION_HANDOFF_ENFORCEMENT_COMPLETE.md` L6 -> `**EUPL-1.2 License**: https://codeberg.org/mysovereignty/tractatus-framework` ✓ + - `CLAUDE_Tractatus_Maintenance_Guide.md` L1101 -> `**Credential reference**: See deployment scripts or secure notes.` ✓ + - `For Claude Web/.../GLOSSARY.md` -> 1 "European Union Public Licence" mention, 0 remaining "Apache 2.0" mentions ✓ + +No maintenance window required — tractatus docs are static content; no runtime impact on agenticgovernance.digital absent an explicit `./scripts/deploy.sh` invocation, which this session did NOT run. + +--- + +## Deferred / out-of-scope (explicitly NOT touched) + +- **Broader GitHub -> Codeberg sweep** in tractatus docs. This session flipped only the 2 SESSION_HANDOFF lines (because they were on the same line as the Apache licence reference). Other GitHub URLs remain — notably: + - `technical-architecture.md` L719: `**GitHub:** https://github.com/AgenticGovernance/tractatus-framework` + - Similar references likely in README and other root docs +- **Embedded credentials in `.git/config`** — both `codeberg` and `origin` remotes have HTTP-basic credentials embedded in their URL. Flagged in prior handoffs; separate cleanup task. +- **Tractatus `public/**/*.html` and `public/locales/**/*.json`** — plan explicitly out-of-scope ("broader sweep, larger scope, different concerns"). +- **Tractatus `docs/markdown/**` OUTSIDE the web bundle** — plan explicitly out-of-scope ("different audience, different licence concerns; some are academic papers that may have separate licensing posture"). +- **Tractatus `scripts/**`** — plan explicitly out-of-scope ("next pass"). 
+ +--- + +## Cross-repo coordination notes (for community-side session) + +- The community-side backlog items `69e1cf41f67641ac4faba8db` + `69e1cf56fbdc21ecc97370a3` (tractatus relicense tracking) should be annotated with "Phase C For-Claude-Web bundle complete at codeberg `4c1a26e8`". Per the plan's parallel-session coordination note, this was deferred to the community session (the backlog CLI lives at `~/projects/community/scripts/backlog-cli.js`). +- No OVH/catalyst remote writes this session (those are community-side remotes only). No community-repo commits this session. + +--- + +## Next session startup (if resuming Tractatus work) + +1. `cd ~/projects/tractatus && git status` — expect clean tree at `4c1a26e8` (this handoff commit will land separately; see "Remaining Work Units" below if not yet committed). +2. `git fetch codeberg && git log --oneline codeberg/main..main` — expect empty (codeberg at the same SHA). +3. Optional: run `node scripts/session-init.js` if starting a full governed session (this skill session did not). +4. Read this handoff end-to-end. Focus on the "Deferred" list above for natural follow-on scope. + +### Suggested follow-on sequence (none urgent) + +1. **GitHub -> Codeberg sweep** on remaining root docs (README, etc.) and the `For Claude Web/` bundle's non-licence GitHub references. Small, mechanical, no hook-blocking expected. +2. **Tractatus `docs/markdown/**` outside the web bundle** — larger scope, may warrant its own plan doc. +3. **Tractatus `scripts/**`** relicense sweep (source-file headers, likely similar to Phase B shape). +4. **Embedded-credentials cleanup in `.git/config`** for both `codeberg` and `origin` remotes. + +--- + +## Governance-model reminders observed this session + +- **INSTRUCTION HIERARCHY** — conflict surfaced twice (plan commit 1 standalone vs inst_084 whole-file scan, plan commit 4 vs inst_084 scope expansion). 
Both STOPPED-and-asked the user per the rule; both resolved via explicit user approval (consolidate + expand). +- **PLAN/EXECUTE/VERIFY** — approved plan was "treat as plan-of-record for STRUCTURE; commits 1, 2, 3, 5, 6 execute directly with judgement on line-level wording; PAUSE before commit 4". Respected both sides of that directive. +- **No-lint-bypass rule** — honoured. Hook blocks were surfaced + addressed, never bypassed with `--no-verify`. +- **Maintenance-window rule** — N/A (docs-only content, no runtime deploy, no maintenance page required per plan section "Push + deploy"). +- **Ask-rather-than-fabricate (licensing)** — fabrication check passed. All licence claims verified against current repo state + Phase A/B/C commit SHAs. + +--- + +*(Session ends here. Commits on main at `4c1a26e8`; handoff file pending commit after this write.)*
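Review bot: the "Deferred / out-of-scope" section concedes that both the `codeberg` and `origin` remotes in `.git/config` still carry HTTP-basic credentials in their URLs, yet the "Suggested follow-on sequence" files that cleanup as item 4 under "none urgent". Those are the same two remotes this session pushed through (`git push codeberg main`, `git push origin main`), the inst_069/070 credential check listed in the pre-commit pipeline only sees staged content and never looks at `.git/config`, and "Flagged in prior handoffs" means the exposure has already outlived at least one session. Promote it to item 1 and spell out the fix so the next session cannot re-defer it: strip the credentials from both remote URLs with `git remote set-url`, move to SSH remotes or a credential helper, and treat the embedded tokens as exposed and rotate them. Second, on "Scope touched" versus "Preserved intentionally": the inst_084 pass swaps `port 27017`-style tokens for "generic descriptors" but deliberately keeps bare `27027` / `27017` digits in section titles, incident metrics and narrative text, keeps every code-block port reference, and the in-scope file set still contains a document named `27027-incident`. A reader of the published bundle recovers the ports in seconds, so the handoff should state plainly that this pass satisfies the validator's `port \d` token pattern rather than removing the service identifiers from the docs, and either widen the pattern in `attack-surface-validator.util` or record the residual as an accepted exposure instead of a completed redaction. Finally, the inst_069/070 item at L1101 of the Maintenance_Guide was resolved by rewording a header until the scanner stopped firing; if that line really is a false positive, the durable fix is an allowlist entry or the validator's own exemption mechanism, otherwise every future touch of the guide will replay the same workaround.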