Link OpenBao custody direction in INTENT and SCOPE

Add a platform secret custody section and machine-readable anchor in INTENT.md,
extend SCOPE discovery guidance, and point both to docs/OpenBaoIntroduction.md
without duplicating railiance-platform or net-kingdom operational detail.
2026-06-19 20:13:11 +02:00
parent 9579848c45
commit 32c552809b
2 changed files with 42 additions and 0 deletions


@@ -345,6 +345,33 @@ AI must not bypass the control plane. Agentic behavior must be observable, polic
6. **Reuse over accumulation.** The repository should grow by strengthening composable capabilities, not by collecting disconnected artifacts.
7. **Evidence over assertion.** Runtime behavior, telemetry, tests, contracts, and validation reports should back claims of readiness.
8. **Environment matters.** Users, builders, investors, external systems, markets, and real-world problems are part of the viable system boundary.
9. **Security from inception.** Secret custody, tenant isolation, and workload identity are architectural commitments, not production afterthoughts. Capabilities that handle sensitive material should declare path ownership, policy scope, and delivery boundaries early.
## 11.1 Platform secret custody (HelixForge × NetKingdom × Coulomb)
HelixForge does not operate OpenBao, but it **must model and govern** how
capabilities use secrets across a multi-tenant platform.
The direction:
* **OpenBao** is the platform secrets service (custody, policy, audit,
delivery) — deployed and operated through `railiance-platform`.
* **NetKingdom** owns the security architecture: identity (KeyCape), MFA,
tenant semantics, and the path/policy model that keeps secrets private to
their owners.
* **Coulomb** is tenant zero; HelixForge workplans and capabilities should
prove the pattern before customer tenants arrive.
Secret ownership is expressed through **KV path convention, identity claims,
and least-privilege policies** — not through confusing OpenBao login fields.
Humans sign in with KeyCape; **workloads** authenticate as themselves
(Kubernetes auth, scoped tokens).
Anchor document: [`docs/OpenBaoIntroduction.md`](docs/OpenBaoIntroduction.md)
Canonical deployment and operator detail remain in adjacent repos
(`railiance-platform/docs/openbao.md`,
`net-kingdom/docs/platform-identity-security-architecture.md`).
## 12\. Contribution intent
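Review bot: Principle 9 requires capabilities to "declare path ownership, policy scope, and delivery boundaries early", but section 11.1 never says where that declaration lives or what its minimal content is, so the validators named in principle 7 have nothing concrete to check; consider adding one sentence that names the artifact (the capability contract is the obvious place given the table in section 13) and the three fields it must carry (owning KV path prefix, policy scope, delivery mechanism such as Kubernetes auth or a scoped token). Separately, "not through confusing OpenBao login fields" states an opinion rather than a rule; rephrase it as the positive rule the sentence already implies (ownership is derived only from path layout, identity claims and policy) so the section reads as a commitment, matching the register of the numbered principles above it.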
@@ -385,6 +412,7 @@ The following knowledge areas should be represented in the repository or linked
|Capability contracts|Defines interfaces, events, SLOs, ownership, and boundaries.|
|Validators|Turns architectural intent into executable checks.|
|Intelligence governance|Defines how automation, copilots, and agents are placed, governed, and audited.|
|Platform secret custody|Defines how multi-tenant secret ownership, workload delivery, and operator custody align across HelixForge, NetKingdom, and Coulomb. See `docs/OpenBaoIntroduction.md`.|
## 14\. Definition of done
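Review bot: The new row references the anchor as a bare code span (`docs/OpenBaoIntroduction.md`) while section 11.1 uses a markdown link to the same file; use the link form here as well so the knowledge-area table resolves to the document directly and the two references cannot drift apart if the file moves.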
@@ -470,6 +498,15 @@ intent:
- semantic\_validation
- governance\_for\_intelligence
- observability\_for\_runtime\_behavior
platform\_custody:
anchor: docs/OpenBaoIntroduction.md
custody\_service: openbao
identity\_plane: keycape
reference\_tenant: coulomb
intent: >
Secrets are private to their owners through path layout, identity
binding, and policy — from capability inception through production.
```
## 16\. Source inputs for this intent file
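Review bot: The `platform_custody` block introduces three free-form string values (`custody_service: openbao`, `identity_plane: keycape`, `reference_tenant: coulomb`) with no stated vocabulary, so a validator cannot distinguish a typo from an intentional change; either document these as enumerated values in the controlled vocabulary workbook cited in section 16 or note in the block that they are informational only. The `anchor:` value is a repository-relative path, so the semantic validation step should also assert that the file exists, otherwise the "machine-readable anchor" promised in the commit message is a string nothing checks.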
@@ -479,6 +516,8 @@ This file was drafted from the following project inputs:
* **HelixForgeVision** — project vision statement provided for this repository.
* **OrthogonalArchitectureSchema** — Orthogonal Architecture Standard Schema v1.0.1 and semantic validation profile.
* **260525-schema-orthogonalArchitecture.xlsx** — current OAD and VSM controlled vocabulary workbook.
* **docs/OpenBaoIntroduction.md** — platform secret custody anchor for the
HelixForge / NetKingdom / Coulomb direction.
When these materials are moved into the repository wiki, this file should be updated with stable wiki links.
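Review bot: The other entries in this list are external inputs (a vision statement, a schema, a workbook) that the closing sentence expects to migrate to the wiki, whereas `docs/OpenBaoIntroduction.md` is a document inside this repository and will not move with them; consider listing it under a separate "related repository documents" line, or rewording the closing sentence so it is clear that only the external materials are subject to the wiki migration.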


@@ -55,6 +55,9 @@ and operating model. It is not yet an application implementation.
capability, service, platform, policy, automation, or intelligence elements.
- You are shaping an Inter-Hub extension pattern, such as the initial ops-hub
workplan.
- You need the HelixForge view of platform secret custody, multi-tenant secret
ownership, or OpenBao's role across NetKingdom and Coulomb. Start with
`docs/OpenBaoIntroduction.md`.
---
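Review bot: The new bullet sends readers to `docs/OpenBaoIntroduction.md` for "OpenBao's role", but the surrounding context states that this repository is not yet an application implementation and INTENT section 11.1 keeps deployment and operator detail in `railiance-platform` and `net-kingdom`; add a short qualifier to the bullet (for example "for direction and ownership model, not operational setup") so a reader looking for a runbook is redirected to the adjacent repositories rather than expecting it here.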