diff --git a/.machine_readable/6a2/STATE.a2ml b/.machine_readable/6a2/STATE.a2ml index 7a8bf2a4..d21d07f0 100644 --- a/.machine_readable/6a2/STATE.a2ml +++ b/.machine_readable/6a2/STATE.a2ml 
@@ -73,6 +73,7 @@ test-coverage = "CLOSED 2026-04-25 — 165 ExUnit tests; CRG C met" [session-history] entries = [ + { date = "2026-05-20", description = "HCG tier-2 Phase E first-session (afternoon) — sub-issue standards#100 of channel standards#91. Phases A/B/C had already merged; Phase D was scaffold-only (http-capability-gateway#12 merged 08:24Z, bench/baseline.json _status: 'scaffold-placeholder', perf-regression gate non-blocking until D-2..D-4 land). Scope: drive Phase E artefacts that are SAFE w.r.t. Phase D being scaffold-only — runbook + audit + ingress isolation. Out of scope: E1/E2/E3/E4 wiring + Trustfile PENDING→DEPLOYED flip (gated on D-3 regression alert + D-4 real numbers, per runbook §1.1). FOUR PRs shipped + ONE issue filed. (1) PR #128 (MERGED 11:30Z) — docs/integration/hcg-tier2-rollout-runbook.md, the Phase E E5 rollout-and-rollback runbook (covers §E4 + §E5 of the integration plan because standards#100 acceptance #3 names both). 308 lines: prerequisites (Phase D landings + Phase A/B/C artefacts + operational !OWNER: block + BoJ-side + gateway-side), staging cut-over (deploy + telemetry verification + 24h soak + rollback rehearsal), 10/50/100% production rollout, observability signals (gateway + BoJ + dashboards), rollback (triggers + immediate bypass + permanent disable + post-decommission), post-rollout verification + Trustfile flip. !OWNER: markers throughout §1.3 + §4 for on-call rota, dashboard URLs, prod cert paths, traffic-shift mechanism choice, freeze windows. (2) PR #130 (MERGED 11:57Z) — fix(boj): bind Cowboy to 127.0.0.1 by default (audit #6). elixir/lib/boj_rest/application.ex passes ip: explicit binding to Plug.Cowboy options; BOJ_BIND_IP env var override; new parse_bind_ip/1 helper with fail-fast on invalid input (preferred to silently degrading to 0.0.0.0 and exposing the back-side bind). 7 new unit tests in elixir/test/application_test.exs. 
Previously Plug.Cowboy started with port: 7700 and NO ip: option, so it defaulted to 0.0.0.0 — the contract document's 'BoJ :7700 is not externally routable' claim and the runbook §1.4 prereq #6 were OPERATIONAL ASSERTIONS, not code-enforced. (3) PR #131 (MERGED 12:35Z) — fix(k8s): Service for BoJ to ClusterIP (audit #8). k8s/service.yaml type: LoadBalancer → ClusterIP. Added hyperpolymath.dev/exposure: 'internal-only' + hyperpolymath.dev/external-via: 'http-capability-gateway (tier-2)' annotations. Header comment with kustomize override recipe for legacy/standalone deployments. Estate cross-check: hypatia/*, rsr-certifier, opsm-service all use ClusterIP for backends; only svalinn-gateway (a gateway, not a backend) uses LoadBalancer. (4) PR #132 (MERGED 12:35Z) — fix(container): APP_HOST defaults to 127.0.0.1 (audit #7). Three sites that feed the Zig adapter binary's --host flag: stapeln.toml [targets.production], container/entrypoint.sh (lines 40 + 140), container/compose.prod.yaml. The audit named only stapeln.toml; the other two sites had the same '[::]' default that the audit missed but they all feed the same --host so they had to flip together. CI auto-trigger anomaly: pull_request workflows did not fire (likely sweep122 concurrency-pool saturation); manual Governance dispatch returned all 6 jobs green; owner re-ran from Actions tab. (5) Issue #135 filed — k8s NetworkPolicy follow-up (defence-in-depth beyond ClusterIP, Low priority, Phase E acceptance-non-critical). Three threat models named: compromised neighbour pod / operator misconfiguration / §4 defence in depth. Proposed manifest shape included; CNI-support caveat documented. (6) DEFENCE IN DEPTH ACHIEVED — three independent loopback layers now block any §3 invariant 3 violation: Elixir Cowboy (#130) + Zig adapter (#132) + k8s Service (#131). 
(7) Phase C §3 invariant 3 correction — the standards#91 channel-status comment claimed the BoJ-side fix was 'owner-gated, not opened as a PR'; verified by git log against elixir/lib/boj_rest/trust_policy.ex that the deny clause landed in boj-server#106 (commit 40e46f6f) as part of Phase C. Stale claim corrected in memory. (8) NEXT for Phase E (gated): E1 (Containerfile + k9-svc deployment spec finalisation) / E2 (staging deployment + traffic shift) / E3 (telemetry verification under load) / E4 (production flip) / Trustfile [CLOUDFLARE_EDGE_SECURITY].rate_limiting.tier_2_gateway.status PENDING→DEPLOYED — ALL gated on Phase D-3 (regression alert armed) + D-4 (real baseline numbers populated)." }, { date = "2026-05-20", description = "Epic #87 Tier C session (items 11 + 12 + follow-on baseline-rot sweep): (1) Item 11 (PR #108, MERGED) — honest framing of the remaining ABI axioms. Session-prompt premise that '4 believe_me axioms remain' was stale; PROOF-NEEDS.md's 2026-05-18 audit had already classified 5 sites, all class (J), all irreducible over Idris2 0.8.0's opaque Char/String primitives (charEqSound, charEqSym, unpackLength, appendLengthSum, substrLengthBound). Fixed three loose ends: SafetyLemmas.idr's module docstring (claimed 'three axiomatic primitives', listed only three of the five) corrected to enumerate all five with prim__* attribution; appendLengthSum and substrLengthBound's `(x y : T)` multi-binder syntax (rejected by Idris2 0.8.0 at parse time) commaed to `(x, y : T)`; README.adoc gained a 'Formal verification' section so the audited posture is surfaced outside PROOF-NEEDS.md. (2) Item 12 (PR #109, MERGED) — ADR-0014 'Cross-cartridge composition safety' as an RFC framing document, no implementation. 
Defines composition safety as a two-level contract: static Idris2 `Boj.Composition.InvocationOf` envelope (lifting IsUnbreakable + ProtocolMatch + per-cartridge ArgsContract into the inter-cartridge call) plus dynamic Nickel `compositions` block in ADR-0007's policy-mcp PDP. Six-sub-PR campaign laid out. First proof pair is panic-attack-mcp → vordr-mcp (both cartridges exist on disk); the prompt-suggested three-step `panic-attack → sandbox → vordr` chain is parked behind ADR-0009 sandbox-mcp build-out (sandbox-mcp does not yet exist on disk). (3) SafeAPIKey baseline-rot follow-up (PR #116, MERGED 2026-05-20T08:46Z) — `logSafeBounded` proof did not type-check on Idris2 0.8.0 despite PROOF-NEEDS.md's audit claiming it did (audit was desk-read, not build). Three independent defects: removed redundant local plusLteMonotone helper (called now-gone lteTransitive and used wrong arg order on plusLteMonotoneRight/Left; stdlib's Data.Nat.plusLteMonotone has exactly the needed shape); lifted both short and long paths out of the with-block (Idris2 0.8.0 doesn't reduce `length \"***\"` at type level inside a with-block — the goal stays as `LTE (integerToNat (prim__cast_IntInteger (prim__strLength (if ...)))) 11` with the `if`-arm unreduced); right-associated the long-path proof to match `++`'s right-associativity (`a ++ b ++ c = a ++ (b ++ c)`). Plus fixed two bound-name typos in toLogSafeShortEq/toLogSafeLongEq where outer `_` discarded the prf the inner branch then referenced. Per-module `idris2 --check` is now green on all 12 safety modules (SafetyLemmas, SafeAPIKey, Safety, APIContractCoverage, CartridgeDispatch, Catalogue, CredentialIsolation, Federation, SafeCORS, SafeHTTP, SafePromptInjection, SafeWebSocket); `idris2 --build src/abi/boj.ipkg` does not complete in 9 min on dev machine (SIGTERM, gets nowhere). No new axioms; the 5-class-(J) framing from #108 preserved. 
(4) Estate baseline-rot CI sweep — diagnosed 5 reds on PR #116 and on main: 4 mechanical, 1 owned by parallel session. PR #118 (MERGED 2026-05-20T09:02Z) repairs tests/aspect_tests.sh grep-count bash bug (`grep -c X file 2>/dev/null || echo \"0\"` produced `\"0\\n0\"` and broke `[[ -gt 0 ]]` arithmetic — swapped `|| echo \"0\"` for `|| true` on all 4 call-sites). PR #123 (OPEN) repairs .github/workflows/e2e.yml: Zig 0.15.0 → 0.15.1 (`.tool-versions` canonical; 0.15.0 retired upstream from the GitHub Actions Zig download index) and `denoland/setup-deno@5fae568d…` → `@667a34cdef…` v2.0.4 SHA (the old SHA no longer resolves; the v2.0.4 SHA already in use by publish.yml verified via GitHub API). `governance / Language / package anti-pattern policy` deliberately untouched per the parallel-session-branch-drift guardrail — owned by another session under the Estate-drift-remediation 2026-05 campaign (parent standards#66). (5) Operational notes: parallel session in this repo committed `feat(mcp-bridge): Streamable HTTP transport` (#105) on a different branch under me mid-task; caught the branch drift via `git reflog` and untangled by hard-resetting HEAD to the intended item11 branch tip. gh OAuth token from device-code login granted only `gist, read:org, repo`; pushing `.github/workflows/e2e.yml` required a `workflow` scope refresh (`gh auth refresh -h github.com -s workflow`) before the push went through — hence the split between #118 (sh fix) and #123 (yaml fix). believe-me-count in STATE.a2ml stale at 4; bumped to 5 in this commit." }, { date = "2026-05-18", description = "k9iser-mcp PR #73 session: (1) Added k9iser-mcp cartridge — reference -iser regeneration-cartridge pattern (central K9 contract regeneration) mirroring ssg-mcp: cartridge.json, mod.js, Idris2 ABI, Zig FFI, panels. 
(2) Unified transaction-gated adapter: ONE internal/loopback listener, protocol-routed REST+SSE+GraphQL+gRPC-compat → SINGLE dispatch → one Zig ABI, replacing the ssg-era 3-parallel-port anti-pattern; trust gate runs before every dispatch mirroring the Idris2 exposureSatisfied contract (no gatekeeperless path); internal-only behind http-capability-gateway per ADR-0004. (3) boj-rest SSE: POST /cartridge/:name/sse on the same single Cowboy listener + trust-gated dispatch, text/event-stream. (4) Doc reconciliation: elixir/README.adoc, mcp-bridge/api-clients.js, OPERATOR-QUICKSTART.md corrected to the verified runtime + ADR-0004 tiered model (previously wrongly 'skeleton/501/pending rewrite'). (5) CI ROOT-CAUSE FIX: dogfood-gate.yml failed YAML validation at startup (0s, no jobs) on every branch incl. main — inline `python3 -c \"` placed Python at column 1 inside a `run: |` block scalar, terminating the scalar early; since 'Dogfood Gate' is a required status check this silently blocked EVERY PR in the repo. Validator extracted to .github/scripts/validate-eclexiaiser.py and invoked from the workflow (commit 891b162). Verification: Elixir 177/177 (incl. 2 SSE tests); Zig ffi 16/16 + unified adapter 5/5 (exposure-gate truth table mirroring Idris2 contract); idris2 --check K9iserMcp/SafeK9iser.idr passes. Out of scope / separately tracked: http-capability-gateway production-wiring (ADR-0004 tier-2, ~8-12wk) and iseriser-scaffold rollout. Refs hyperpolymath/k9iser#8. NOTE: merge held — GitHub Actions runner-starved estate-wide (standards#122), required checks cannot execute until that clears." 
}, { date = "2026-04-27", description = "Worker briefing + hook session: (1) Created .boj/project-memories.a2ml — standing worker briefing template covering coord registration, completion contract ('push succeeds, not TODO list'), backend wiring checklist, banned patterns (unimplemented!/sorry/Admitted/believe_me/.unwrap()-as-debt), comms protocol, git hygiene, and echidna language policy. Committed 039908a + pushed to main. (2) Updated ~/.config/coord-tui/coord-hooks.sh claude() function to auto-prepend project-memories.a2ml via --append-system-prompt when launched from a repo with .boj/project-memories.a2ml. Repos without the file are unaffected." },
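Review bot: in the added 2026-05-20 HCG entry, sub-item (6) claims the three loopback layers are "independent" and "block any §3 invariant 3 violation", but the entry never records how the gateway reaches BoJ after #130 and #131 together: a Cowboy listener bound to 127.0.0.1 (#130) is unreachable through a ClusterIP Service that forwards to the pod IP (#131) unless the gateway runs as a sidecar in the same network namespace or k8s deploys with the BOJ_BIND_IP override set to the pod address. Please state the topology assumption and the BOJ_BIND_IP value used in k8s in the entry, since whichever holds, the ClusterIP layer is either redundant (sidecar, loopback already stops it) or the bind is overridden (so only two layers apply), and sub-item (5) already concedes that ClusterIP does not stop a compromised neighbour pod. Suggest wording (6) as "three loopback defaults block external exposure" and cross-referencing #135 rather than "any ... violation". Minor: sub-item (7) says "Stale claim corrected in memory" without naming the file or comment that was edited, so the correction is not traceable from this entry.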