11 - Final Recommendation

Final status: STAGE2_6A_FIX7_CONTROL_PLANE_IMMUTABLE_READINESS_SIGNOFF_CAPABILITY_HASH_READY_FOR_T1_IMPLEMENTATION.

Recommended architecture: NOLOGIN qt001_cp_owner; Directus/Public cannot mutate/own/execute control/writer objects; sealed SHA-256 exact-set manifests for objects, roots, gates, capabilities, dependencies; controlled verifier evidence; actual database principal signoff; exact-set fail-closed readiness; honest external static analysis for function-body dependencies; acceptance requires all_blocked=true.

T1 should implement from this plan. Operator/owner authority is required for roles, extension ownership, owner transfer, ACL revoke/grant, signer/verifier/binder role membership, authoritative writer/readiness repoint, and manifest activation. Codex should not implement live; it should remain the independent reviewer.

Safe additive after explicit authorization: isolated qt001_cp objects, candidate manifests/snapshots, diagnostics, and rehearsal tests with no repoint/cutover.

Stage 2.6B must remain blocked. FIX7 implementation must pass independent Codex verification with real outputs. Missing real keyset/resume/performance capability evidence keeps scale_safe=false and blocks apply.

Operating Rules update: not needed; follows v7.58. Production verification: not applicable because this mission is design-only and performed no live mutation.