diff --git a/docs/core-hub-replacement-evidence.md b/docs/core-hub-replacement-evidence.md
index c09aad9..943bc3a 100644
--- a/docs/core-hub-replacement-evidence.md
+++ b/docs/core-hub-replacement-evidence.md
@@ -27,6 +27,10 @@ old Inter-Hub-first ops-hub path:
 - `CORE-WP-0008-T05`: `make operator-cli` wraps the same API behavior for
   deployed smoke, ops-hub bootstrap status, migration validate/import, and
   cutover readiness summaries.
+- `CORE-WP-0006`: protected `/console` prototype exists with readiness,
+  registry, migration/cutover, action-required, access metadata, and evidence
+  stream sections. `make visual-check` passed on 2026-06-27 with desktop/mobile,
+  no-overlap, horizontal-overflow, protected-route, PNG, and non-secret checks.
 - `CORE-WP-0008-T06`: the web UI is gated behind API/CLI readiness and has a
   compact whynot-aligned first-screen backlog. The UI should not start by
   recreating every old Inter-Hub screen.
@@ -92,6 +96,11 @@ wrong-audience rejection, and production rejection of local-development issuers.
 This closes the identity integration template while leaving production issuer
 wiring for the deployed Core Hub gates.
 
+2026-06-27 T18 closeout: Core Hub `CORE-WP-0006` is finished and local
+`make visual-check` passed for `/console`. The first UI surface is intentionally
+compact and protected; broader UI implementation remains gated by deployed API
+and CLI evidence through the rebuild backlog.
+
 ## Remaining Gates
 
 - Run `make deployed-smoke` or `make operator-cli CLI_ARGS="deployed-smoke ..."`
diff --git a/docs/infrastructure-stabilization-pickup-checkpoint.md b/docs/infrastructure-stabilization-pickup-checkpoint.md
index f291d05..0373d58 100644
--- a/docs/infrastructure-stabilization-pickup-checkpoint.md
+++ b/docs/infrastructure-stabilization-pickup-checkpoint.md
@@ -104,14 +104,14 @@ Resume from `docs/daily-triage-stabilization-status.md` and
 | issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. |
 | Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. |
 | artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. |
-| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, and the Core Hub FastAPI IAM Profile integration test are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the rewritten Core Hub deployed smoke/cutover and UI first-screen gates: `CUST-WP-0025-T16`, `T17`, and `T18`. |
+| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, the Core Hub FastAPI IAM Profile integration test, and Core Hub operator UI first screens are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the remaining Core Hub deployed evidence and cutover gates: `CUST-WP-0025-T16` and `T17`. |
 
 ## Next-Pick List
 
 1. Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: deployed
-   smoke and activity-core proof (`T16`), cutover decision coupling (`T17`),
-   and first UI screens (`T18`). T03 and T14 are complete as the identity
-   integration template and ops evidence/read-model contract gates.
+   smoke and activity-core proof (`T16`) and cutover decision coupling (`T17`).
+   T03, T14, and T18 are complete as the identity integration template, ops
+   evidence/read-model contract, and operator UI first-screen gates.
 2. Keep `CUST-WP-0047` and `CUST-WP-0049` as legacy evidence/fallback until
    Core Hub deployed smoke evidence or an explicit supersede decision closes
    them.
diff --git a/workplans/CUST-WP-0025-fos-hub-bootstrap.md b/workplans/CUST-WP-0025-fos-hub-bootstrap.md
index c46e155..71aadcb 100644
--- a/workplans/CUST-WP-0025-fos-hub-bootstrap.md
+++ b/workplans/CUST-WP-0025-fos-hub-bootstrap.md
@@ -527,7 +527,7 @@ local-only evidence.
 
 ```task
 id: CUST-WP-0025-T18
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "5b6cea8b-3982-49be-bacf-7269a3d2104e"
 ```
@@ -549,6 +549,17 @@ Use whynot-design tokens/components wherever practical and preserve
 route, and non-secret assertions. Start implementation from Core Hub
 `docs/specs/operator-ui-rebuild-backlog.md`, not from old Inter-Hub screens.
 
+Completed 2026-06-27: Core Hub `CORE-WP-0006` is finished with a protected
+server-rendered `/console` prototype, whynot-aligned shell/classes, readiness
+gates, registry explorer, migration state, action-required gates, access
+metadata, recent evidence events, auth tests, and full-key non-disclosure tests.
+`CORE-WP-0008-T06` extracted the compact rebuild backlog in
+`/home/worsch/core-hub/docs/specs/operator-ui-rebuild-backlog.md` so broader UI
+work stays behind API/CLI readiness. Fresh verification passed with
+`make visual-check`, producing desktop/mobile screenshots and no-overlap,
+horizontal-overflow, protected-route, PNG, and non-secret assertions. This
+closes the first-screen UI gate without expanding old Inter-Hub screens.
+
 ### T19 — Ops-hub MCP server registration decision
 
 ```task
diff --git a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md
index 499fc7d..b849e27 100644
--- a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md
+++ b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md
@@ -456,9 +456,9 @@ Recommended order:
 
 1. Keep the completed `CUST-WP-0025-T03` IAM Profile verifier/test as the
    template for Core Hub auth consumers and future production issuer wiring.
-2. Execute the rewritten Core Hub Phase 3 lane: ops evidence contract/read-model
-   gaps, deployed Core Hub smoke, activity-core Core Hub sink smoke,
-   migration/cutover readiness, and whynot-aligned first UI screens.
+2. Execute the remaining rewritten Core Hub Phase 3 lane: deployed Core Hub
+   smoke, activity-core Core Hub sink smoke, and migration/cutover readiness;
+   the whynot-aligned first UI screens are now closed as `CUST-WP-0025-T18`.
 3. Keep `CUST-WP-0047-T05` and `CUST-WP-0049-T06` as legacy/fallback Inter-Hub
    records until deployed Core Hub evidence or an explicit supersede decision
    closes them.
@@ -501,8 +501,8 @@ Progress 2026-06-27 Core Hub ops evidence contract:
 - The spec defines API resources, non-secret evidence fields, event vocabulary,
   service-inventory-to-widget/event mapping, readiness-summary inputs, and
   read-model gaps to close before UI expansion or cutover claims.
-- T07 sequencing now keeps `T16`, `T17`, and `T18` open; T14 no longer blocks
-  the Core Hub replacement lane.
+- T07 sequencing now keeps `T16` and `T17` open; T14 no longer blocks the Core
+  Hub replacement lane.
 
 Progress 2026-06-27 CUST-WP-0052 closeout:
 
@@ -511,9 +511,8 @@ Progress 2026-06-27 CUST-WP-0052 closeout:
   HelixForge/Railiance Forge practice, and posted non-secret State Hub
   requirements to `railiance-apps` and `railiance-forge`.
 - The remaining T07 gates are execution gates, not sequencing ambiguity:
-  `T16/T17` deployed evidence/cutover waits and `T18` Core Hub operator UI
-  first screens. `T14` is complete as the ops evidence contract definition
-  gate.
+  `T16/T17` deployed evidence/cutover waits. `T14` is complete as the ops
+  evidence contract definition gate.
 
 Progress 2026-06-27 IAM Profile integration:
 
@@ -522,8 +521,21 @@ Progress 2026-06-27 IAM Profile integration:
   discovery, JWKS, authorization-code + PKCE token issuance, protected endpoint
   access, required IAM Profile claims, missing-token rejection, wrong-audience
   rejection, and production rejection of local-development issuers.
-- Remaining T07 gates are now `CUST-WP-0025-T16`, `T17`, and `T18`; identity no
-  longer blocks the Core Hub replacement lane.
+- Remaining T07 gates are now `CUST-WP-0025-T16` and `T17`; identity no longer
+  blocks the Core Hub replacement lane.
+
+Progress 2026-06-27 Core Hub operator UI first screens:
+
+- Completed `CUST-WP-0025-T18` from Core Hub evidence: `CORE-WP-0006` is
+  finished with the protected `/console` prototype and `CORE-WP-0008-T06`
+  extracted the compact rebuild backlog in
+  `/home/worsch/core-hub/docs/specs/operator-ui-rebuild-backlog.md`.
+- Fresh Core Hub verification passed with `make visual-check`, covering
+  desktop/mobile screenshots, protected-route behavior, no-overlap,
+  horizontal-overflow, PNG validation, and full-key non-disclosure.
+- Remaining T07 execution gates are now `CUST-WP-0025-T16` deployed evidence and
+  `T17` cutover decision coupling; both still require staging/runtime custody or
+  migration evidence.
 
 ## Task: Create The Stable Pickup Checkpoint