chore(continuity): Tier 1b complete bar F6; record F6 deferral

.agent/memory/active/napkin.md

@@ -1,5 +1,36 @@
 # Napkin
 
+## Session: 2026-06-18 (later still) — Tier 1b F3/F8/F5/F7 landed, F6 deferred
+
+### What Was Done
+
+- **F3** (#31): coverage `fail_under` 70→85 + `audit_coverage_contract`.
+- **F8** (#33): WCAG 2.2 AA chart — darkened the amber bar, white-haloed the
+  target marker, alt-text sidecar. Five PRs merged green this session (28/31/32/
+  33/34), each through CI + CodeQL + SonarCloud.
+- **F5/F7** (#34): remote 10 MiB streaming size-cap (in a connection-closing
+  `with`) + `docs/using-this-template.md` rename guide.
+
+### Surprises & corrections (critically assess)
+
+- **A failing accessibility check can reveal an *existing* bug, not just the new
+  requirement.** The dark target marker (`#374151`) already failed 3:1 on most
+  bars — invisible on blue/teal/red/purple — before F8. Computing the contrasts
+  honestly (independent WCAG helper in the test) surfaced it.
+- **Don't trust a thread-hint's framing of a security change — verify intent.**
+  F6's "fail-closed on `$(`/backticks" reads as a blanket deny, but that would
+  break legitimate command substitution *including this agent's own
+  `git commit -m "$(cat <<EOF …)"` heredoc pattern*, and the hook runs on the
+  working-tree copy → a bad edit self-locks. **Deferred F6** for owner intent +
+  a dedicated session rather than rush a dangerous, ambiguous edit to the safety
+  rail. Recommended design recorded (pipe-separator + recurse-into-substitution,
+  not blanket-deny; pre-verify the edited hook allows a heredoc commit).
+- **Reviewer adoption, filtered:** code-review on F8 (added the missing exercise
+  assertion, extracted `_chart_title`); security-review on F5 (connection leak →
+  `with`; assert `stream=True`). Each adopted finding got a test. The `with`
+  exposed a fake-response needing a closeable `raw` — a test-fixture fix, not a
+  prod bug.
+
 ## Session: 2026-06-18 (later) — supply-chain PR #28, SonarCloud gate, multi-agent collision
 
 ### What Was Done

.agent/memory/operational/repo-continuity.md

@@ -1,16 +1,18 @@
 # Repo Continuity
 
-**Last refreshed**: 2026-06-18 (later) — **supply-chain PR #28 + coverage PR #31
-both MERGED**. `main` is green and now carries: SHA-pinned actions +
-`dependabot.yml` + `audit_supply_chain` + the packaging-schema fix (#28), and the
-honest coverage floor (`fail_under` 70→85) + `audit_coverage_contract` (#31).
-Earlier this program: gitleaks gate (#16), coverage→GitHub Code Quality (#18),
-**release automation** (live-verified — `v0.1.0` + `v0.2.0` released),
-**pip-audit** gate (#24), **codespell** gate (#26) all merged. An
-owner-approved **"highest proportionate bar" program** (4 lanes) is in progress —
-Tier 1a done; Tier 1b **F3 done**; **next is Tier 1b F8** (WCAG 2.2 AA accessible
-chart), then F5/6/7, Tier 3, Tier 2, then merge release PR #25.
-Full program state + the critical release-PR `--auto` mechanic live in the
+**Last refreshed**: 2026-06-18 (later) — **Tier 1b complete except F6**. `main`
+is green; merged this session: #28 supply-chain pinning + `audit_supply_chain` +
+packaging-schema fix, #31 honest coverage floor (`fail_under` 70→85) +
+`audit_coverage_contract`, #33 WCAG 2.2 AA accessible chart (F8), #34 remote
+size-cap (F5) + rename guide (F7). **Tier 1b F6** (the `agent_hooks.py` guardrail
+hardening) is **DEFERRED** — it modifies the safety hook that runs on every bash
+command, the "fail-closed on `$(`" requirement is ambiguous (a blanket deny
+breaks the agent's own heredoc commits), and a bad edit self-locks; it needs
+owner intent + a dedicated session. Earlier this program: gitleaks (#16),
+coverage→Code Quality (#18), release automation (live-verified, `v0.1.0`/`v0.2.0`),
+pip-audit (#24), codespell (#26). **Next: Tier 1b F6, then Tier 3, then Tier 2,
+then merge release PR #25.** Full state + the F6 analysis + the release-PR
+`--auto` mechanic live in the
 [gate-expansion thread record](threads/quality-gate-surface-expansion.next-session.md).
 
 ## Active Threads
@@ -36,7 +38,10 @@ Full program state + the critical release-PR `--auto` mechanic live in the
 - Merged this program: #16 gitleaks, #18 coverage→Code Quality, #19/#20/#22
   release automation, #24 pip-audit, #26 codespell, **#28 supply-chain pinning +
   `audit_supply_chain` + packaging-schema fix**, **#31 honest coverage floor
-  (85) + `audit_coverage_contract`**. `main` is green.
+  (85) + `audit_coverage_contract`**, **#33 WCAG 2.2 AA accessible chart (F8)**,
+  **#34 remote size-cap (F5) + rename guide (F7)**. `main` is green.
+- **Tier 1b F6 DEFERRED** (the `agent_hooks.py` guardrail hardening) — full
+  analysis + recommended safe design in the thread record's Remaining Work.
 - **Open: release PR #25 `chore(release): v0.3.0`** (standing, intentionally
   accumulating every merged feat/fix — merge with `--auto` at sprint end; it now
   also includes #28 + #31). The next prepare run will retitle it to the bumped
@@ -78,8 +83,14 @@ Full program state + the critical release-PR `--auto` mechanic live in the
   (honest coverage floor 85 + `audit_coverage_contract`), config-reviewed (fixed
   a false-positive on an absent `omit` key) and merged. Checkpointing here so the
   WCAG work (F8) starts with fresh context.
-- Next: **Tier 1b F8** (WCAG 2.2 AA accessible chart) → F5/6/7 → Tier 3 → Tier 2;
-  then merge release PR #25. Authoritative detail in the gate-expansion thread.
+- 2026-06-18 (later still, cont.): landed **F8** (PR #33, WCAG chart — code-review
+  adopted) and **F5+F7** (PR #34, remote size-cap + rename guide — security-review
+  adopted the connection-closing `with` and `stream=True` assertions). **Deferred
+  F6** (the `agent_hooks.py` guardrail) on safety/ambiguity grounds — see the
+  thread record. Tier 1b is complete bar F6.
+- Next: **Tier 1b F6** (deferred — owner intent + dedicated session) → Tier 3 →
+  Tier 2; then merge release PR #25. Authoritative detail in the gate-expansion
+  thread.
 
 ## Repo-Wide Invariants / Non-Goals
 
@@ -103,15 +114,16 @@ Full program state + the critical release-PR `--auto` mechanic live in the
 
 ## Next Safe Step
 
-- **Tier 1b F8 — WCAG 2.2 AA accessible chart** (next; org accessibility mandate
-  makes this important to get right): write a text alternative from
-  `render_summary` (SC 1.1.1); darken `#d08d46` and halo the target marker for
-  ≥3:1 contrast (SC 1.4.11); test the sidecar + the contrast ratios. See the
-  template-fitness-remediation plan. Then F5/6/7, Tier 3 (branch coverage,
-  Hypothesis, version-policy ADR), Tier 2 (governance checklist). Finally **merge
-  release PR #25 with `--auto`** to cut the accumulated release. Normal feature
-  PRs merge with `gh pr merge <n> --squash --delete-branch` once green (CI +
-  SonarCloud); the bot-opened release PR #25 needs `--auto` (it sits UNSTABLE).
+- **Tier 1b F6 — `agent_hooks.py` guardrail hardening (DEFERRED).** Get owner
+  intent on the "fail-closed on `$(`/backticks" semantics first (blanket-deny vs
+  recurse-and-check), then implement in a dedicated session. The full analysis,
+  the two bypasses it closes, the recommended safe design, and the mandatory
+  pre-verification (run the edited hook against a heredoc commit → must ALLOW)
+  are in the gate-expansion thread's Remaining Work entry. Then Tier 3 (branch
+  coverage, Hypothesis, version-policy ADR), Tier 2 (governance checklist).
+  Finally **merge release PR #25 with `--auto`** (bot PR, sits UNSTABLE) to cut
+  the accumulated release. Normal feature PRs merge with
+  `gh pr merge <n> --squash --delete-branch` once green (CI + SonarCloud).
   Authoritative detail in the gate-expansion thread record.
 
 ## Open Side-Tasks

.agent/memory/operational/threads/quality-gate-surface-expansion.next-session.md

@@ -66,6 +66,9 @@ All merged to `main` unless noted. `main` is green.
   `audit_coverage_contract` repo_audit check (floor + omit-list guard — guards
   what the coverage gate structurally cannot). Normal feature PRs merge with
   `gh pr merge <n> --squash --delete-branch` once green (CI + SonarCloud).
+- **Accessible-chart PR #33 — MERGED** (Tier 1b F8, WCAG 2.2 AA).
+- **Adoptability PR #34 — MERGED** (Tier 1b F5 remote size cap + F7 rename
+  guide). **F6 (the agent_hooks guardrail) is DEFERRED** — see Remaining Work.
 - **Packaging-schema fix folded into PR #28** (committed `f5225cb`), separate from
   supply-chain: `pyproject` `[tool.hatch.build.targets.wheel].sources` `["src"]`
   → `{ "src" = "" }` (array tripped the *Even Better TOML* SchemaStore Hatch
@@ -96,13 +99,36 @@ All merged to `main` unless noted. `main` is green.
     `audit_coverage_contract` (floor + omit-list guard). The audit asserts a
     *floor* (>=85, raising allowed) and that `omit` stays a subset of the
     justified set — guarding what the coverage gate structurally cannot.
-  - **F8 accessible chart — NEXT** (org WCAG 2.2 AA mandate, currently unmet): write a
-    text alternative from `render_summary` (SC 1.1.1); darken `#d08d46` and halo
-    the target marker for ≥3:1 contrast (SC 1.4.11); test the sidecar + contrasts.
-  - **F5/F6/F7 adoptability**: remote-fetch size cap + trust-boundary note;
-    guardrail fail-closed + simplify in `agent_hooks.py` (treat `|` as separator,
-    fail-closed on `$(`/backticks; allow-path tests for git commit/push/status);
-    a "rename this template" guide.
+  - **F8 accessible chart — DONE (PR #33).** Darkened the amber bar
+    `#d08d46`→`#b07a37` (2.77→3.69:1), added a white halo to the target marker
+    (it failed 3:1 on most bars), and a `<chart>.png.txt` alt-text sidecar from
+    `render_chart_alt_text`. Tests pin the WCAG contrasts with an independent
+    contrast helper. (Discovery: the dark target marker was an *existing* a11y
+    bug — invisible on blue/teal/red/purple bars.)
+  - **F5 remote size cap — DONE (PR #34).** `default_remote_reader` streams under
+    a 10 MiB `REMOTE_MAX_BYTES` cap (declared-Content-Length early reject + decoded
+    streaming cap), inside a `with` so the connection closes on every exit.
+  - **F7 rename guide — DONE (PR #34).** `docs/using-this-template.md`, linked
+    from the README.
+  - **F6 guardrail hardening — DEFERRED (needs owner input + a dedicated
+    session).** Goal: close two bypasses in the self-imposed safety rail
+    (`tools/agent_hooks.py`): (a) `_shell_segments` (line ~484) does NOT split on
+    `|`, so a piped stage isn't analysed as its own segment; (b) the anchored
+    force-push/etc. regexes are defeated by `$(...)`/backticks — e.g.
+    `echo $(git push --force)` slips through because the trailing `)` breaks the
+    `(\s|$)` anchor. **Why deferred:** "fail-closed on `$(`/backticks" is
+    ambiguous and, taken as a *blanket deny*, would break legitimate command
+    substitution — including the agent's own `git commit -m "$(cat <<'EOF' …)"`
+    heredoc pattern — and the hook runs on the working-tree copy, so a bad edit
+    self-locks the agent out of committing the fix. **Recommended safe design:**
+    add `|` to the `_shell_segments` separator set (safe; `||` stays distinct),
+    and *recurse into* `$(...)`/backtick substitutions to check the inner command
+    for blocked patterns (mirroring the existing `_shell_launcher_command`
+    recursion) rather than blanket-denying. **Before relying on any edit, run the
+    modified hook directly against (i) a heredoc `git commit` → must ALLOW,
+    (ii) `echo $(git push --force)` → must DENY, (iii) `git status` → ALLOW.**
+    Owner to confirm whether they want strict blanket-deny (and accept simple
+    `-m` messages for git commit/push) or the recurse-and-check interpretation.
 - **Tier 3 — Pythonic additions**:
   - branch coverage (`--cov-branch`) + raise threshold;
   - Hypothesis property-based tests for the CSV/data boundary;
@@ -159,9 +185,13 @@ All merged to `main` unless noted. `main` is green.
 
 ## Next Safe Step
 
-1. **#28 (supply-chain) and #31 (F3 coverage) are MERGED; `main` is green.**
-   Resume at **Tier 1b F8** (WCAG 2.2 AA accessible chart) — its own branch + PR.
-2. Then F5/6/7, then Tier 3, then the Tier 2 checklist.
+1. **#28, #31, #33, #34 are MERGED; `main` is green. Tier 1b is done except F6.**
+   Resume at **Tier 1b F6** (the deferred `agent_hooks.py` guardrail hardening —
+   read its full entry under Remaining Program Work; get owner intent on the
+   fail-closed semantics first, and pre-verify the modified hook allows a heredoc
+   commit before relying on it).
+2. Then Tier 3 (branch coverage, Hypothesis, version-policy ADR), then the
+   Tier 2 governance checklist.
 3. When the sprint's PRs are all merged, **merge release PR #25 with `--auto`**
    to cut the accumulated release, then verify the new GitHub Release + the
    bumped `main` version.

.agent/plans/runtime-infrastructure/current/template-fitness-remediation.md

@@ -9,16 +9,19 @@ todos:
     content: "F2 — make the CSV boundary robust to pandas NA/dtype sniffing, with negative tests."
     status: completed
   - id: honest-gates
-    content: "F3 — raise coverage threshold toward achieved and audit the omit-list."
-    status: pending
+    content: "F3 — raise coverage threshold toward achieved and audit the omit-list. DONE (PR #31)."
+    status: completed
   - id: ci-workflow
     content: "F4 — add a CI workflow that runs check-ci on push and PR."
     status: completed
   - id: accessible-output
-    content: "F8 — emit a text alternative for the chart and lift failing contrasts."
-    status: pending
-  - id: adoptability
-    content: "F5/F6/F7 — trust-boundary note + size cap, guardrail simplify-and-fail-close, rename guide."
+    content: "F8 — emit a text alternative for the chart and lift failing contrasts. DONE (PR #33)."
+    status: completed
+  - id: adoptability-f5-f7
+    content: "F5 remote size cap + trust-boundary note and F7 rename guide. DONE (PR #34)."
+    status: completed
+  - id: guardrail-f6
+    content: "F6 — agent_hooks.py guardrail hardening. DEFERRED: needs owner intent on the fail-closed semantics + a dedicated security-reviewed session (a blanket $( deny would break the agent's own heredoc commits). See the gate-expansion thread."
     status: pending
 ---