diff --git a/.agent/memory/active/napkin.md b/.agent/memory/active/napkin.md
index f21a54e..d23d50b 100644
--- a/.agent/memory/active/napkin.md
+++ b/.agent/memory/active/napkin.md
@@ -1,5 +1,41 @@
 # Napkin
 
+## Session: 2026-06-18 (final) — program COMPLETE: F6 + Tier 3 + Tier 2 + deps + v0.3.0
+
+### What Was Done
+
+- **F6 (#37)** agent-hook hardening: `|` segment split + recurse-and-check into
+  `$(...)`/backtick (quote-aware). **Tier 3**: branch coverage + floor 86 (#38),
+  Hypothesis property tests for the data boundary (#39), single-version ADR-0002
+  (#40). **Tier 2**: `docs/repository-governance.md` owner checklist (#41).
+  **Dependabot** #29 (actions, SHAs verified vs tags) + #30 (14 python deps,
+  verified green) merged. **Release PR #25 merged → `v0.3.0`** (tag + Release +
+  wheel/sdist). Program is done; Tier 4 stays deferred.
+
+### Surprises & corrections (critically assess)
+
+- **Guardrails must prefer over-blocking to under-blocking.** My first F6 cut
+  stripped quoted-delimiter heredoc bodies so a commit message could *mention* a
+  blocked command. WRONG: a quoted delimiter blocks *expansion*, not *execution* —
+  `bash <<'EOF'\n<cmd>\nEOF` still runs the body, so the strip turned a caught
+  force-push into a MISSED one. Reverted; added a regression test pinning the
+  `bash`-fed heredoc force-push as denied. Over-blocking a commit message is safe;
+  under-blocking a force-push is not. The residual (heredoc prose mentioning a
+  blocked command is over-blocked) is documented, not "fixed" unsafely.
+- **The live hook bites your own tooling.** Once heredoc bodies are scanned, a
+  `gh pr edit --body "$(cat <<EOF ... | HUSKY=0 git push ... EOF)"` is denied —
+  use `--body-file` (only the command line is scanned, not file contents), and
+  keep blocked-command sequences out of heredoc commit messages.
+- **Verified, didn't trust:** Explore agent's "validation is idempotent" claim
+  (confirmed empirically — pandas renders midnight `datetime64` to date-only);
+  Dependabot SHAs (matched upstream tags via API); the live `main` ruleset (via
+  API: PR + `code_quality` + no-deletion + non-fast-forward; NO
+  `required_status_checks`, NO tag ruleset). See [[critically-assess-subagents-and-sources]].
+- **Scope discipline on a safety rail:** closed the documented `|`/`$(...)` gaps
+  (owner-authorised) but left glued operators (`ok|git`) + bare subshells as
+  documented residuals for a future authorised session, rather than unilaterally
+  rewriting the tokeniser.
+
 ## Session: 2026-06-18 (later still) — Tier 1b F3/F8/F5/F7 landed, F6 deferred
 
 ### What Was Done
diff --git a/.agent/memory/operational/repo-continuity.md b/.agent/memory/operational/repo-continuity.md
index be794d6..72de528 100644
--- a/.agent/memory/operational/repo-continuity.md
+++ b/.agent/memory/operational/repo-continuity.md
@@ -1,18 +1,18 @@
 # Repo Continuity
 
-**Last refreshed**: 2026-06-18 (later) — **Tier 1b complete except F6**. `main`
-is green; merged this session: #28 supply-chain pinning + `audit_supply_chain` +
-packaging-schema fix, #31 honest coverage floor (`fail_under` 70→85) +
-`audit_coverage_contract`, #33 WCAG 2.2 AA accessible chart (F8), #34 remote
-size-cap (F5) + rename guide (F7). **Tier 1b F6** (the `agent_hooks.py` guardrail
-hardening) is **DEFERRED** — it modifies the safety hook that runs on every bash
-command, the "fail-closed on `$(`" requirement is ambiguous (a blanket deny
-breaks the agent's own heredoc commits), and a bad edit self-locks; it needs
-owner intent + a dedicated session. Earlier this program: gitleaks (#16),
-coverage→Code Quality (#18), release automation (live-verified, `v0.1.0`/`v0.2.0`),
-pip-audit (#24), codespell (#26). **Next: Tier 1b F6, then Tier 3, then Tier 2,
-then merge release PR #25.** Full state + the F6 analysis + the release-PR
-`--auto` mechanic live in the
+**Last refreshed**: 2026-06-18 (final) — **the "highest proportionate bar"
+program is COMPLETE; `v0.3.0` is cut** (tag + GitHub Release with wheel + sdist).
+`main` is green. Landed this session: **F6** agent-hook hardening (#37, owner
+chose recurse-and-check), **Tier 3** branch coverage + floor 86 (#38), Hypothesis
+property tests (#39), single-version ADR-0002 (#40), **Tier 2** governance
+checklist `docs/repository-governance.md` (#41), **Dependabot** #29 (actions) +
+#30 (14 python deps) verified-and-merged, then **release PR #25 → `v0.3.0`** via
+`--auto`. Earlier in the program: gitleaks (#16), coverage→Code Quality (#18),
+release automation (`v0.1.0`/`v0.2.0`), pip-audit (#24), codespell (#26),
+supply-chain (#28), F3/F8/F5/F7 (#31/#33/#34). **Tier 4 stays deliberately
+deferred.** Remaining work is **owner-only settings** (`docs/repository-governance.md`)
+plus documented F6 residuals (glued shell operators, bare subshells, heredoc-prose
+over-block). Full state in the
 [gate-expansion thread record](threads/quality-gate-surface-expansion.next-session.md).
 
 ## Active Threads
@@ -114,17 +114,18 @@ then merge release PR #25.** Full state + the F6 analysis + the release-PR
 
 ## Next Safe Step
 
-- **Tier 1b F6 — `agent_hooks.py` guardrail hardening (DEFERRED).** Get owner
-  intent on the "fail-closed on `$(`/backticks" semantics first (blanket-deny vs
-  recurse-and-check), then implement in a dedicated session. The full analysis,
-  the two bypasses it closes, the recommended safe design, and the mandatory
-  pre-verification (run the edited hook against a heredoc commit → must ALLOW)
-  are in the gate-expansion thread's Remaining Work entry. Then Tier 3 (branch
-  coverage, Hypothesis, version-policy ADR), Tier 2 (governance checklist).
-  Finally **merge release PR #25 with `--auto`** (bot PR, sits UNSTABLE) to cut
-  the accumulated release. Normal feature PRs merge with
-  `gh pr merge <n> --squash --delete-branch` once green (CI + SonarCloud).
-  Authoritative detail in the gate-expansion thread record.
+- **The program is complete — no queued program work remains.** If resuming:
+  (1) the only outstanding items are **owner-only GitHub settings** in
+  `docs/repository-governance.md` (required status checks, release-PR token, Code
+  Quality preview, `v*` tag protection) — I cannot do these; (2) **F6 residuals**
+  (glued shell operators like `ok|git`, bare subshells `(...)`, and heredoc-prose
+  over-block) are documented and deferred to a future owner-authorised session —
+  fixing the glued-operator one needs a quote-aware raw tokeniser, a
+  safety-critical change; (3) **Tier 4** (SBOM, SLSA, Scorecard, mutation testing)
+  stays deferred unless the owner asks. Steady-state: a new `chore(release)` PR
+  will accrue future feat/fix — merge it with `gh pr merge <n> --squash --auto`
+  (bot PR sits UNSTABLE; `code_quality` is the only required check). Normal PRs
+  merge with `gh pr merge <n> --squash --delete-branch` once green.
 
 ## Open Side-Tasks
 
diff --git a/.agent/memory/operational/threads/quality-gate-surface-expansion.next-session.md b/.agent/memory/operational/threads/quality-gate-surface-expansion.next-session.md
index 6bd65fc..fb29e01 100644
--- a/.agent/memory/operational/threads/quality-gate-surface-expansion.next-session.md
+++ b/.agent/memory/operational/threads/quality-gate-surface-expansion.next-session.md
@@ -183,21 +183,40 @@ All merged to `main` unless noted. `main` is green.
   lychee, mutation testing) — diminishing returns for a template; revisit only
   on explicit request.
 
-## Next Safe Step
-
-1. **#28, #31, #33, #34 are MERGED; `main` is green. Tier 1b is done except F6.**
-   Resume at **Tier 1b F6** (the deferred `agent_hooks.py` guardrail hardening —
-   read its full entry under Remaining Program Work; get owner intent on the
-   fail-closed semantics first, and pre-verify the modified hook allows a heredoc
-   commit before relying on it).
-2. Then Tier 3 (branch coverage, Hypothesis, version-policy ADR), then the
-   Tier 2 governance checklist.
-3. When the sprint's PRs are all merged, **merge release PR #25 with `--auto`**
-   to cut the accumulated release, then verify the new GitHub Release + the
-   bumped `main` version.
-4. **A deep `consolidate-docs` ran 2026-06-18:** the release-automation plan was
-   archived (doctrine confirmed homed in README/docs/workflow/audit),
-   `completed-plans.md` and the plan indexes refreshed, durable lessons distilled,
-   and a session experience note added. The napkin (222 lines) was not rotated
-   (under threshold). Remaining graduation is light and can wait for a natural
-   break.
+## PROGRAM COMPLETE (2026-06-18 final)
+
+The "highest proportionate bar" program is **done** and **`v0.3.0` is cut** — a
+`v0.3.0` tag plus a GitHub Release carrying the wheel and sdist. Landed in the
+final session:
+
+1. **F6 (#37)** — `agent_hooks.py` hardening. Owner chose **recurse-and-check**.
+   `|` added to `_shell_segments`; `_hook_bypass_reason`/`_blocked_shell_pattern_reason`
+   recurse (quote-aware) into `$(...)`/backtick bodies via `_reason_with_substitutions`.
+   **Key correction:** a first cut stripped quoted-heredoc bodies (to allow a
+   commit message mentioning a blocked command) — REVERTED because a quoted
+   delimiter blocks expansion, not execution, so `bash <<'EOF'…EOF` still runs the
+   body; stripping turned a caught force-push into a missed one (under-block).
+   Heredoc bodies are now never stripped (over-block is safe); a regression test
+   pins the `bash`-fed heredoc force-push as denied.
+2. **Tier 3** — branch coverage + floor 86 + `audit_coverage_contract` branch
+   guard (#38); Hypothesis property tests for the data boundary (#39);
+   single-version **ADR-0002** (#40, owner chose ADR over a matrix).
+3. **Tier 2** — `docs/repository-governance.md` owner-action checklist (#41).
+4. **Dependabot** — #29 (actions, SHAs verified vs upstream tags) + #30 (14 python
+   deps, verified green incl. pip-audit) merged.
+5. **Release** — PR #25 merged via `gh pr merge 25 --squash --auto` → `v0.3.0`.
+
+**Outstanding = owner-only** (in `docs/repository-governance.md`): required status
+checks, release-PR token, Code Quality preview, `v*` tag protection.
+
+**Documented F6 residuals (deferred to a future owner-authorised session):**
+glued control operators (`ok|git push --force` — shlex yields `ok|git` as one
+token; affects all four operators; needs a quote-aware raw tokeniser); bare
+subshells `(...)`; heredoc-prose over-block (a commit message quoting a blocked
+command verbatim inside a heredoc is over-blocked — safe; reword or use `-m`).
+
+**Tier 4 stays deferred** (SBOM, SLSA, Scorecard, dependency-review, lychee,
+mutation testing) — revisit only on explicit owner request.
+
+A `consolidate-docs` / closeout is the next natural step (graduate plans to
+completed, refresh the template-fitness thread now F6 is done).