diff --git a/README.md b/README.md index 2b514280e802f1..6cd63f418ea81d 100644 --- a/README.md +++ b/README.md @@ -8,11 +8,11 @@ Fork of `torvalds/linux` with CI-built RPMs carrying VR/XR patches. ## Current State -As of 2026-05-09: +As of 2026-05-10: | Area | Status | Notes | | --- | --- | --- | -| Release artifacts | Proven, next candidate building | `v6.19.5-xr10` is the latest published secured lab release with generic and RT RPMs. `v6.19.5-xr11` is the current merged build candidate for the expanded Dirty Frag RxRPC RXGK route. | +| Release artifacts | Proven, signed candidate queued | `v6.19.5-xr10` is the latest published secured lab release with generic and RT RPMs. Signed tag `v6.19.5-xr11` is queued in the tag-backed release workflow after a successful workflow-dispatch generic and RT proof for the expanded Dirty Frag RxRPC RXGK route. | | `honey` rollout | Proven (generic) | `honey` is persistently defaulted to the generic XR kernel lane. | | `honey` RT boot | Reboot-valid, gated | RT boot and `/sys/kernel/realtime=1` verification succeeded; Dell's repeated host packet is cautionary, so regular use still needs downstream deadline evidence. | | `yoga` rollout | Proven one-time generic boot | Generic XR RPM install and one-time boot succeeded; stock Rocky remains the persistent fallback. | 
@@ -313,9 +313,9 @@ adding, dropping, or upstreaming a repo-managed CVE or public security backport. | CVE | Public name | linux-xr status | Repo links | External references | | --- | --- | --- | --- | --- | -| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10`; the merged `v6.19.5-xr11` build route keeps the same stable `6.19.y` backport on top of the vulnerable `6.19.5` base. Fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases. | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) | -| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base, and the merged `v6.19.5-xr11` build route keeps it. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. 
| [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) | -| CVE-2026-43500 | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current `xr/main` also carries the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK; `v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. 
| [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) | +| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10`; signed candidate `v6.19.5-xr11` keeps the same stable `6.19.y` backport on top of the vulnerable `6.19.5` base and has a successful workflow-dispatch RPM proof while the tag-backed Release is queued. Fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases. 
| [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` proof run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) | +| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base, and signed candidate `v6.19.5-xr11` keeps it with workflow-dispatch generic and RT proof while the tag-backed Release is queued. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. 
| [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` proof run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) | +| CVE-2026-43500 | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current `xr/main` also carries the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK; signed candidate `v6.19.5-xr11` is the first release candidate with RXKAD plus RXGK coverage and has a successful workflow-dispatch RPM proof while the tag-backed Release is queued. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. 
| [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` proof run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) | ## SELinux and Security Config @@ -343,7 +343,7 @@ drift fails before an RPM can be accepted. ## Upstream status -As of 2026-05-09, the latest published secured linux-xr lab release is +As of 2026-05-10, the latest published secured linux-xr lab release is [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10). It keeps the `6.19.5` lab base but carries repo-managed [`CVE-2026-31431`](#known-patched-cves-and-security-backports), 
@@ -357,12 +357,15 @@ should not become the long-lived lab target. Issue lab line to a selected maintained stable or longterm base and triaging all carry patches. -The current merged build candidate is -[`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) -from `xr/main` commit `3b55106d`. It keeps the `6.19.5` compatibility base, +The current signed release candidate is +[`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) +from `xr/main` commit `e25a1a77`. The prior workflow-dispatch proof +[`25609434372`](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) +passed generic and RT RPM builds. `xr11` keeps the `6.19.5` compatibility base, adds the Dirty Frag RxRPC RXGK backport alongside the existing RXKAD route, and -should supersede `xr10` for lab rollout only after generic and RT artifacts are -uploaded and the target hosts boot the exact `6.19.5-11.xr.el10` kernel. +should supersede `xr10` for lab rollout only after the tag-backed Release +publishes RPMs plus checksums and the target hosts boot the exact +`6.19.5-11.xr.el10` kernel. Current ingestion checkpoint: 
@@ -396,8 +399,8 @@ Current ingestion checkpoint: | Patch/workstream | Upstream status | Next action | |-------|----------------|-----| -| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base, and the merged `xr11` candidate keeps it | Keep fleet rollout on `xr10` until `xr11` artifacts pass and host boot evidence exists, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. | -| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the latest published secured lab release until `xr11` artifacts pass, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. | +| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base, and signed candidate `xr11` keeps it | Keep fleet rollout on `xr10` until the `xr11` tag-backed Release publishes assets and host boot evidence exists, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. 
| +| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the latest published secured lab release until the `xr11` tag-backed Release publishes assets and host boot evidence exists, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. | | CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; linux-xr carries RXKAD and RXGK linearize/COW backports until that upstream floor is proven | Publish and boot-validate `xr11` for the EOL `6.19.5` lab line, and keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. | | VESA DisplayID DSC BPP parser / amdgpu handling | In-flight upstream series; not present in current upstream checkout | Track Bolyukin v7 fixed-DSC-BPP series and drop this part when it lands. | | QP table + RC offset adjustments | Local carry; not submitted as a standalone upstream series | Split from the DisplayID parser carry using `xr/patches/0007-vesa-dsc-bpp.map.md` and decide whether this is evidence-backed upstream material or host-only risk. |
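Review bot: the rewritten Release artifacts row asserts a "successful workflow-dispatch generic and RT proof" and a queued signed tag but links neither, while the CVE table further down in this same patch links both the `xr11` proof run and the `xr11` release run; add the same two links (or the tag URL) to the Notes cell so the "queued" claim can be checked and is easy to flip to "published" once the tag-backed Release completes.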
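Review bot: in the CVE-2026-43500 row the status still reads "As of the 2026-05-09 linux-xr check" while the page header in this same patch moves to 2026-05-10, which leaves it unclear whether the NVD/CVE.org and kernel.org fixed-floor check was repeated for the signed candidate; either re-run it and bump the date or say explicitly that the 2026-05-09 result is being carried forward unchanged. Also, all three rows now say "signed candidate `v6.19.5-xr11`" but link only workflow runs, not the tag itself or how its signature is verified; a link to the tag plus a pointer to the verification step used by the release workflow would make "signed" checkable rather than asserted.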
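Review bot: the signed candidate is now attributed to `xr/main` commit `e25a1a77`, but the proof run `25609434372` was, per the removed lines, the build of commit `3b55106d`; the paragraph should state whether `e25a1a77` differs from `3b55106d` only in non-kernel content (docs, workflow files), otherwise the workflow-dispatch proof is evidence for a different tree than the one being tagged and the rollout gate should require a fresh generic and RT build from the tagged commit. The gate itself lists "RPMs plus checksums" and the exact `6.19.5-11.xr.el10` boot, but not verifying the tag or RPM signatures before install; since the status now leans on "signed", name that verification as a rollout precondition in the same sentence.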
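Review bot: in the CVE-2026-31431 / Copy Fail row, the Next action still ends with "Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC ...", which concerns CVE-2026-43500 rather than `algif_aead`; since the row is being rewritten anyway, move that sentence into the CVE-2026-43500 row (whose Next action currently covers only publishing and boot-validating `xr11`) so each row's guidance stays self-contained. The Copy Fail and ESP rows also gate rollout on the Release "publishes assets" while the Upstream status paragraph in this patch gates on "RPMs plus checksums"; use the same wording in both places so the table is not read as the weaker condition.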