diff --git a/workplans/IHUB-WP-0018-railiance01-deployment.md b/workplans/IHUB-WP-0018-railiance01-deployment.md
index be1be18..83f7fd5 100644
--- a/workplans/IHUB-WP-0018-railiance01-deployment.md
+++ b/workplans/IHUB-WP-0018-railiance01-deployment.md
@@ -509,6 +509,35 @@ current smoke checks, and haskelseed's build-runner-only role. Updated
 `docs/new-hub-quickstart.md` so haskelseed is no longer described as a
 production/shared database runtime.
 
+### R10 - Externally verify ops-hub bootstrap gate follow-up
+
+```task
+id: IHUB-WP-0018-T10
+status: done
+priority: high
+```
+
+Added after the helix-forge follow-up asking Inter-Hub to re-check the
+production bootstrap API gate from an external client before ops-hub proceeds.
+
+**Verification note (2026-06-14):** External public probes from this workstation
+confirmed the gate is still green:
+
+- `getent ahosts hub.coulomb.social` resolves to `92.205.130.254`.
+- `curl -s -o /tmp/interhub-hubs-body.txt -w "%{http_code}" \
+  https://hub.coulomb.social/api/v2/hubs` returned `401`.
+- The unauthenticated response body was the expected API auth failure:
+  `{"code":"invalid_api_key","error":"Unauthorized"}`.
+- `curl -s -o /tmp/interhub-openapi.json -w "%{http_code}" \
+  https://hub.coulomb.social/api/v2/openapi.json` returned `200`.
+- Parsing `paths` from the downloaded OpenAPI document found all required
+  bootstrap paths: `/hubs`, `/hub-capability-manifests`, `/api-consumers`, and
+  `/policy-scopes`.
+
+The deployed workflow smoke test also now captures `/api/v2/hubs` status
+without `curl -f`, verifies it equals `401`, and fails deployment if any of the
+four bootstrap OpenAPI paths are missing.
+
 ## Exit Criteria
 
 - `https://hub.coulomb.social/` returns the Landing page (200, no auth)