diff --git a/.machine_readable/agent_instructions/debt.a2ml b/.machine_readable/agent_instructions/debt.a2ml
index f46451a6..38582054 100644
--- a/.machine_readable/agent_instructions/debt.a2ml
+++ b/.machine_readable/agent_instructions/debt.a2ml
@@ -9,7 +9,7 @@
 [metadata]
 version = "1.0.0"
-last-updated = "2026-03-24"
+last-updated = "2026-05-18"
 # ============================================================================
 # DEBT ITEMS
@@ -34,6 +34,15 @@ last-updated = "2026-03-24"
 # impact = "medium"
 # discovered = "2026-03-23"
+[[debt.should]]
+component = "estate-wide / standards CLAUDE.md §Package Management"
+issue = "Guix-primary ruling 2026-05-18 (Guix primary + sealed-container escape; NO Nix mirror). Tech debt to clear: (1) update standards CLAUDE.md §Package Management ('Fallback: Nix (flake.nix)' -> 'Escape hatch: sealed container; no Nix mirror'); (2) estate-wide sweep removing every flake.nix that only mirrors a guix.scm/manifest (echidna flake.nix deprecated in its L3/L1 PR as the pilot). A second packager is permitted ONLY where it is the sole source of a specific named dependency, documented as such."
+effort = "hard"
+impact = "medium"
+priority = "should"
+discovered = "2026-05-18"
+ref = "memory: reference_packaging_guix_primary_container_escape"
+
 # ============================================================================
 # COULD — would fix eventually
 # ============================================================================
diff --git a/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc b/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
index e9f075cd..4479dfe6 100644
--- a/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
+++ b/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
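Review bot: The sweep step in the new `issue` string, "removing every flake.nix that only mirrors a guix.scm/manifest", carries no acceptance criterion, while the same item says a flake.nix that is the sole source of a named dependency must stay; whoever works the item needs a check that separates the two before anything is deleted. A line such as `# done-when: each removed flake.nix had every input also declared in guix.scm/manifest.scm; any flake.nix kept is documented as the sole-source exception` above `effort = "hard"` would make the item closable and verifiable. Packing action (1), action (2) and the exception rule into one `issue` value also makes it hard to mark the CLAUDE.md edit done independently of the estate-wide sweep; two `[[debt.should]]` entries with a shared `ref` may be worth considering if the format allows it (only this item and a commented example are visible here). `priority = "should"` appears to repeat what the `[[debt.should]]` table name already encodes — fine if every item carries it, but that convention is not visible in this hunk.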
@@ -196,15 +196,27 @@ Both are FOSS with independent governance.
 == Package Management
+RULED 2026-05-18 (estate-wide): **Guix primary + sealed-container escape; NO
+Nix mirror.** One packager per repo. A `flake.nix` that only mirrors a Guix
+manifest is drift to remove, not a fallback. A second packager is permitted
+only where it is the *sole* source of a *specific named* dependency, and that
+dependency is documented as the reason. Supersedes the prior "Nix fallback
+everywhere" rule.
+
 [cols="1,2"]
 |===
 | Priority | Tool
 | *Primary*
-| Guix (guix.scm)
+| Guix (`guix.scm`, `manifest.scm`)
+
+| *Escape hatch*
+| Sealed container (Podman / Containerfile, Svalinn-sealed) — the single
+ universal path for the not-in-Guix / non-free tail. Not a Nix mirror.
-| *Fallback*
-| Nix (flake.nix)
+| *Second packager*
+| Permitted only as the sole source of a specific named dependency,
+ documented as such (never a blanket mirror).
 | *JS deps*
 | Deno (deno.json imports)