tractatus/SESSION_HANDOFF_2026-04-20_EUPL12_OUT_OF_SCOPE_SWEEP.md

Session Handoff — 2026-04-20 — EUPL-1.2 Out-of-Scope Hygiene + Licence Sweep

Status: COMPLETE (5 commits + this handoff). Pushed to codeberg + origin. Session model: Opus 4.7 (1M context) — claude-opus-4-7[1m] Session type: Cross-project /tractatus-skill session launched from a parallel community session. Framework not formally initialised (session-init.js not run — cross-project skill mode per tractatus CLAUDE.md guidance: "framework enforcement is handled by the deploy script's pre-commit hooks and the CLAUDE.md rules"). Plan of record: community/docs/plans/PLAN_TRACTATUS_OUT_OF_SCOPE_HYGIENE_LICENCE_20260420.md (lives in the community repo; executed against this tractatus repo). Precedents built on: Phase A (c85f310f — root LICENSE + README relicense), Phase B (d600f6ed — source-file headers), follow-on (4ddc54a0 — inst_084 README hygiene).

---

Commits this session (in order)

#	SHA	Subject
1/5	db788548	chore(docs): hygiene fixes on Maintenance_Guide (inst_069/070 + inst_084)
2/5	5c386d0d	chore(license): Apache 2.0 -> EUPL-1.2 licence template in Maintenance_Guide
3/5	6d49bfbf	chore(docs): bundle hygiene fixes on For-Claude-Web bundle (inst_016/017/018 + inst_084)
4/5	ab0a6af4	chore(license): Apache 2.0 -> EUPL-1.2 licence swap across 15 bundle files
5/5	4c1a26e8	chore(docs): SESSION_HANDOFF licence + vendor URL flip

All 5 passed the full pre-commit hook pipeline (inst_069/070 credentials, inst_008 CSP, inst_016/017/018 prohibited terms, inst_084 attack surface, inst_068 test requirements, inst_026 env-var standards). No --no-verify, no amends.

---

Plan-vs-executed commit structure

The plan named 6 commits; delivery consolidated to 5.

• Plan commits 1 + 2 merged into commit 1/5. Discovered at first commit attempt that the pre-commit hook scans whole file content. The Maintenance_Guide's pre-existing ~22 port exposures (inst_084) block any commit that touches the file, so a credential-only commit cannot land standalone. Consolidated both concerns into one atomic hygiene commit — same shape as Phase A follow-on 4ddc54a0 (README hygiene batch).
• Plan commit 4 scope expanded. The inst_016/017/018 sweep surfaced additional pre-existing inst_084 exposures on the same files (see below). User approved bundling both into commit 3/5.

Net: plan's 6 commits -> executed 5 commits. All approvals captured explicitly.

---

Scope touched per file

Maintenance_Guide (both copies, root + For Claude Web)

• CLAUDE_Tractatus_Maintenance_Guide.md, For Claude Web/tractatus-claude-web-complete/CLAUDE_Tractatus_Maintenance_Guide.md
• inst_069/070: 1 credential false-positive rewrite at L1101 — the scanner-triggering header phrasing replaced with "Credential reference"; meaning preserved (the line describes WHERE deployment credentials are documented, not any credential value)
• inst_084: 9 distinct line positions redacted (ports 27017/27027/9000/9001 -> generic descriptors)
• Licence swap: 4 edits each (preamble prose + template heading + template body + placeholder)

For-Claude-Web bundle (15 files beyond Maintenance_Guide)

• inst_016/017/018 (21 rewrites across 9 files):
  • 12 rewrites for the inst_017 absolute-assurance pattern (the "g-word" family + the "e-all" construction)
  • 4 rewrites for the inst_018 maturity-claim pattern (the "p-ready" token)
  • 5 [NEEDS VERIFICATION] markers added to uncited statistics (inst_016)
• inst_084 (~48 redactions across 9 files):
  • 42 port swaps via throwaway token-replace script (code-block and inline-code aware)
  • 6 API-endpoint redactions on integrated-implementation-roadmap-2025.md (backticked and plain /docs/api/... paths)
• Licence swap (31 swaps across 15 files):
  • Full Apache preamble paragraph replaced with EUPL-1.2 equivalent (12 files — includes "Licence" British-spelling normalisation in the paragraph body)
  • Individual phrase swaps for the 3 non-preamble files (27027-incident, claude-code-framework-enforcement, roadmap)
  • Embedded full Apache TERMS AND CONDITIONS text (~55 lines each in technical-architecture.md and implementation-guide.md) replaced with concise EUPL-1.2 reference block per Phase A precedent

SESSION_HANDOFF_ENFORCEMENT_COMPLETE.md

• 2 identical licence + vendor-URL lines updated (L6 + L329): **Apache 2.0 License**: https://github.com/AgenticGovernance/tractatus-framework -> **EUPL-1.2 License**: https://codeberg.org/mysovereignty/tractatus-framework. Combined licence + URL flip because both sit on the same line; a split commit would be unnatural.

---

Preserved intentionally (per plan)

• For Claude Web/tractatus-claude-web-complete/CLAUDE_WEB_BRIEF.md:250 — "MIT or Apache license" historical context (not an active licence claim). Verified post-push: only remaining "Apache" reference across the in-scope file set.
• All code-block port references across the bundle (exempted by attack-surface-validator.util's removeExemptedSections).
• Bare "27027" / "27017" digits outside the port \d token pattern (section titles, incident metrics, narrative references).

---

Push + verification

• git push codeberg main — success, d600f6ed..4c1a26e8
• git push origin main — success, d600f6ed..4c1a26e8 (self-hosted Forgejo at git.mysovereignty.digital)
• HTTP-verify via raw.codeberg on 3 representative files:
  • SESSION_HANDOFF_ENFORCEMENT_COMPLETE.md L6 -> **EUPL-1.2 License**: https://codeberg.org/mysovereignty/tractatus-framework ✓
  • CLAUDE_Tractatus_Maintenance_Guide.md L1101 -> **Credential reference**: See deployment scripts or secure notes. ✓
  • For Claude Web/.../GLOSSARY.md -> 1 "European Union Public Licence" mention, 0 remaining "Apache 2.0" mentions ✓

No maintenance window required — tractatus docs are static content; no runtime impact on agenticgovernance.digital absent an explicit ./scripts/deploy.sh invocation, which this session did NOT run.

---

Deferred / out-of-scope (explicitly NOT touched)

• Broader GitHub -> Codeberg sweep in tractatus docs. This session flipped only the 2 SESSION_HANDOFF lines (because they were on the same line as the Apache licence reference). Other GitHub URLs remain — notably:
  • technical-architecture.md L719: **GitHub:** https://github.com/AgenticGovernance/tractatus-framework
  • Similar references likely in README and other root docs
• Embedded credentials in .git/config — both codeberg and origin remotes have HTTP-basic credentials embedded in their URL. Flagged in prior handoffs; separate cleanup task.
• Tractatus public/**/*.html and public/locales/**/*.json — plan explicitly out-of-scope ("broader sweep, larger scope, different concerns").
• Tractatus docs/markdown/** OUTSIDE the web bundle — plan explicitly out-of-scope ("different audience, different licence concerns; some are academic papers that may have separate licensing posture").
• Tractatus scripts/** — plan explicitly out-of-scope ("next pass").

---

Cross-repo coordination notes (for community-side session)

• The community-side backlog items 69e1cf41f67641ac4faba8db + 69e1cf56fbdc21ecc97370a3 (tractatus relicense tracking) should be annotated with "Phase C For-Claude-Web bundle complete at codeberg 4c1a26e8". Per the plan's parallel-session coordination note, this was deferred to the community session (the backlog CLI lives at ~/projects/community/scripts/backlog-cli.js).
• No OVH/catalyst remote writes this session (those are community-side remotes only). No community-repo commits this session.

---

Next session startup (if resuming Tractatus work)

1. cd ~/projects/tractatus && git status — expect clean tree at 4c1a26e8 (this handoff commit will land separately; see "Remaining Work Units" below if not yet committed).
2. git fetch codeberg && git log --oneline codeberg/main..main — expect empty (codeberg at the same SHA).
3. Optional: run node scripts/session-init.js if starting a full governed session (this skill session did not).
4. Read this handoff end-to-end. Focus on the "Deferred" list above for natural follow-on scope.

Suggested follow-on sequence (none urgent)

1. GitHub -> Codeberg sweep on remaining root docs (README, etc.) and the For Claude Web/ bundle's non-licence GitHub references. Small, mechanical, no hook-blocking expected.
2. Tractatus docs/markdown/** outside the web bundle — larger scope, may warrant its own plan doc.
3. Tractatus scripts/** relicense sweep (source-file headers, likely similar to Phase B shape).
4. Embedded-credentials cleanup in .git/config for both codeberg and origin remotes.

---

Governance-model reminders observed this session

• INSTRUCTION HIERARCHY — conflict surfaced twice (plan commit 1 standalone vs inst_084 whole-file scan, plan commit 4 vs inst_084 scope expansion). Both STOPPED-and-asked the user per the rule; both resolved via explicit user approval (consolidate + expand).
• PLAN/EXECUTE/VERIFY — approved plan was "treat as plan-of-record for STRUCTURE; commits 1, 2, 3, 5, 6 execute directly with judgement on line-level wording; PAUSE before commit 4". Respected both sides of that directive.
• No-lint-bypass rule — honoured. Hook blocks were surfaced + addressed, never bypassed with --no-verify.
• Maintenance-window rule — N/A (docs-only content, no runtime deploy, no maintenance page required per plan section "Push + deploy").
• Ask-rather-than-fabricate (licensing) — fabrication check passed. All licence claims verified against current repo state + Phase A/B/C commit SHAs.

---

(Session ends here. Commits on main at 4c1a26e8; handoff file pending commit after this write.)