diff --git a/tools/security-bootstrap-console/README.md b/tools/security-bootstrap-console/README.md
index ce09349..5f77f89 100644
--- a/tools/security-bootstrap-console/README.md
+++ b/tools/security-bootstrap-console/README.md
@@ -76,6 +76,22 @@ python3 tools/security-bootstrap-console/security_bootstrap_console.py \
 
 Open `http://127.0.0.1:8765`.
 
+The web UI is structured as:
+
+1. **Roles & Responsibilities** - global bootstrap roles with designated
+   operator emails.
+2. **Subsystems & Scope** - installation and initial access for LLDAP,
+   privacyIDEA, KeyCape, the custodian age envelope, and Railiance OpenBao.
+3. **Integration & Tests** - OIDC and OpenBao preflight checks, with every
+   operator command shown as a copyable console block.
+4. **Artefacts & Locations** - final non-secret overview of established
+   artefacts and where to find their custody references.
+
+Role, subsystem, integration, and artefact records use the same fields:
+`name`, `description`, `subsystem`, `responsibility`, `location`, and `state`.
+States are `nil`, `set`, `err`, and `ok`. Role chips expose the designated
+email as hover text.
+
 The UI is a guide and approval surface, not the identity provider. Current
 lightweight-mode credential placement is:
 
diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index eea2fee..e11ec9f 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -537,6 +537,12 @@ def merged_approval_metadata(
         "custodian_age_private_key_reference",
         "setup_operator",
         "notification_contact",
+        "role_setup_operator_email",
+        "role_platform_custodian_email",
+        "role_identity_admin_email",
+        "role_openbao_operator_email",
+        "role_recovery_custodian_email",
+        "role_future_quorum_email",
         "mfa_class",
         "mfa_enrollment_source",
         "mfa_enrollment_reference",
@@ -750,6 +756,12 @@ def metadata_template() -> dict[str, Any]:
         "identity_group_confirmed": False,
         "setup_operator": "tegwick",
         "notification_contact": "bernd.worsch@gmail.com",
+        "role_setup_operator_email": "bernd.worsch@gmail.com",
+        "role_platform_custodian_email": "bernd.worsch@gmail.com",
+        "role_identity_admin_email": "bernd.worsch@gmail.com",
+        "role_openbao_operator_email": "bernd.worsch@gmail.com",
+        "role_recovery_custodian_email": "bernd.worsch@gmail.com",
+        "role_future_quorum_email": "",
         "storage_classes": ["password-safe", "offline-packet"],
         "password_safe_confirmed": False,
         "mfa_class": "totp",
@@ -812,6 +824,383 @@ def gate_payload(gate: Gate) -> dict[str, str]:
     }
 
 
+def role_email(data: dict[str, Any], role_key: str) -> str:
+    fallback = str(data.get("notification_contact") or "").strip()
+    return str(data.get(role_key) or fallback).strip()
+
+
+def role_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
+    rows = [
+        (
+            "setup-operator",
+            "Runs bootstrap commands and records non-secret evidence.",
+            "NetKingdom bootstrap",
+            "role_setup_operator_email",
+        ),
+        (
+            "platform-root-custodian",
+            "Holds the dedicated platform-root credential and approves custody gates.",
+            "NetKingdom identity",
+            "role_platform_custodian_email",
+        ),
+        (
+            "identity-admin",
+            "Administers LLDAP, privacyIDEA, and login repair during bootstrap.",
+            "Identity stack",
+            "role_identity_admin_email",
+        ),
+        (
+            "openbao-ceremony-operator",
+            "Runs the attended OpenBao ceremony without copying secret output into the control surface.",
+            "Railiance OpenBao",
+            "role_openbao_operator_email",
+        ),
+        (
+            "recovery-custodian",
+            "Can recover the platform-root credential and encrypted bootstrap bundle outside this UI.",
+            "Custody packet",
+            "role_recovery_custodian_email",
+        ),
+        (
+            "future-quorum-custodian",
+            "Reserved for later two-of-three custody migration.",
+            "Custody strategy",
+            "role_future_quorum_email",
+        ),
+    ]
+    payloads: list[dict[str, str]] = []
+    for name, description, subsystem, key in rows:
+        email = role_email(data, key)
+        payloads.append(
+            {
+                "name": name,
+                "description": description,
+                "subsystem": subsystem,
+                "responsibility": name,
+                "email": email,
+                "location": "Role assignment in local bootstrap metadata." if email else "Not assigned yet.",
+                "state": "set" if email else "nil",
+            }
+        )
+    return payloads
+
+
+def state_value(ok: bool, set_value: bool = False, err: bool = False) -> str:
+    if err:
+        return "err"
+    if ok:
+        return "ok"
+    if set_value:
+        return "set"
+    return "nil"
+
+
+def subsystem_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
+    public_key = extract_age_public_key(data.get("custodian_age_public_key"))
+    state = bootstrap_secret_state()
+    return [
+        {
+            "name": "age recipient",
+            "description": "Public age recipient used to encrypt bootstrap bundles.",
+            "subsystem": "custodian age envelope",
+            "responsibility": "recovery-custodian",
+            "email": role_email(data, "role_recovery_custodian_email"),
+            "location": age_public_key_fingerprint(public_key) or "No public recipient registered.",
+            "state": state_value(
+                bool(public_key) and yes(data, "custodian_age_public_key_confirmed"),
+                bool(public_key),
+            ),
+        },
+        {
+            "name": "platform-root user",
+            "description": "Dedicated LLDAP account used as the current king credential.",
+            "subsystem": "LLDAP",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": str(data.get("identity_account_reference") or "Not recorded."),
+            "state": state_value(identity_account_ready(data), bool(data.get("identity_account_reference"))),
+        },
+        {
+            "name": "platform-root MFA token",
+            "description": "Second factor enrolled with the authority that verifies login.",
+            "subsystem": "privacyIDEA",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": str(data.get("mfa_enrollment_reference") or "Not recorded."),
+            "state": state_value(second_factor_ready(data), yes(data, "mfa_enrolled_confirmed")),
+        },
+        {
+            "name": "bootstrap OIDC client",
+            "description": "KeyCape login path used to verify platform-root can authenticate with MFA.",
+            "subsystem": "KeyCape",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": KEYCAPE_ISSUER,
+            "state": state_value(identity_login_ready(data), bool(data.get("identity_account_reference"))),
+        },
+        {
+            "name": "openbao-0",
+            "description": "Railiance OpenBao pod, services, PVCs, and sealed pre-init state.",
+            "subsystem": "Railiance OpenBao",
+            "responsibility": "openbao-ceremony-operator",
+            "email": role_email(data, "role_openbao_operator_email"),
+            "location": "namespace=openbao, pod=openbao-0",
+            "state": state_value(yes(data, "openbao_preflight_passed"), yes(data, "custody_mode_approved")),
+        },
+        {
+            "name": "encrypted bootstrap bundle",
+            "description": "Encrypted bootstrap secret bundle; plaintext directory must be absent.",
+            "subsystem": "sso-mfa/bootstrap",
+            "responsibility": "recovery-custodian",
+            "email": role_email(data, "role_recovery_custodian_email"),
+            "location": str(state["encrypted_bundle_path"]),
+            "state": state_value(
+                bool(state["encrypted_bundle_exists"]) and not bool(state["plaintext_secrets_present"]),
+                bool(state["encrypted_bundle_exists"]),
+                bool(state["plaintext_secrets_present"]),
+            ),
+        },
+    ]
+
+
+def integration_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
+    return [
+        {
+            "name": "LLDAP admin group assignment",
+            "description": "platform-root is assigned to the current NetKingdom admin group.",
+            "subsystem": "LLDAP",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": str(data.get("identity_group_reference") or "Not recorded."),
+            "state": state_value(yes(data, "identity_group_confirmed"), bool(data.get("identity_group_reference"))),
+        },
+        {
+            "name": "privacyIDEA MFA verification",
+            "description": "The same platform-root account has an enrolled second factor.",
+            "subsystem": "privacyIDEA",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": str(data.get("mfa_enrollment_reference") or "Not recorded."),
+            "state": state_value(second_factor_ready(data), yes(data, "mfa_enrolled_confirmed")),
+        },
+        {
+            "name": "KeyCape OIDC login",
+            "description": "platform-root completed the OIDC login check through KeyCape.",
+            "subsystem": "KeyCape",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": "local bootstrap callback",
+            "state": state_value(yes(data, "oidc_login_verified")),
+        },
+        {
+            "name": "OpenBao preflight",
+            "description": "Railiance status and verify targets passed in the approved pre-init state.",
+            "subsystem": "Railiance OpenBao",
+            "responsibility": "openbao-ceremony-operator",
+            "email": role_email(data, "role_openbao_operator_email"),
+            "location": "../railiance-platform",
+            "state": state_value(yes(data, "openbao_preflight_passed"), yes(data, "custody_mode_approved")),
+        },
+        {
+            "name": "OpenBao init/unseal ceremony",
+            "description": "Attended ceremony creates unseal shares and initial root token outside this UI.",
+            "subsystem": "Railiance OpenBao",
+            "responsibility": "openbao-ceremony-operator",
+            "email": role_email(data, "role_openbao_operator_email"),
+            "location": "operator shell with custody packet present",
+            "state": state_value(yes(data, "openbao_initialized"), yes(data, "openbao_preflight_passed")),
+        },
+    ]
+
+
+def artifact_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
+    public_key = extract_age_public_key(data.get("custodian_age_public_key"))
+    state = bootstrap_secret_state()
+    root_disposition = str(data.get("root_token_disposition") or "")
+    return [
+        {
+            "name": "platform-root",
+            "description": "Dedicated LLDAP user for the king credential.",
+            "subsystem": "LLDAP",
+            "responsibility": "platform-root-custodian",
+            "email": role_email(data, "role_platform_custodian_email"),
+            "location": str(data.get("identity_account_reference") or "Not recorded."),
+            "state": state_value(identity_account_ready(data), bool(data.get("identity_account_reference"))),
+        },
+        {
+            "name": "net-kingdom-admins",
+            "description": "Current lightweight admin group for the platform-root identity.",
+            "subsystem": "LLDAP",
+            "responsibility": "identity-admin",
+            "email": role_email(data, "role_identity_admin_email"),
+            "location": str(data.get("identity_group_reference") or "Not recorded."),
+            "state": state_value(yes(data, "identity_group_confirmed"), bool(data.get("identity_group_reference"))),
+        },
+        {
+            "name": "platform-root password entry",
+            "description": "Password-safe entry for the dedicated identity password. Value is never stored here.",
+            "subsystem": "password safe",
+            "responsibility": "platform-root-custodian",
+            "email": role_email(data, "role_platform_custodian_email"),
+            "location": "operator password safe / offline packet",
+            "state": state_value(yes(data, "password_safe_confirmed")),
+        },
+        {
+            "name": "TOTP token",
+            "description": "privacyIDEA token for the platform-root login path.",
+            "subsystem": "privacyIDEA",
+            "responsibility": "platform-root-custodian",
+            "email": role_email(data, "role_platform_custodian_email"),
+            "location": str(data.get("mfa_enrollment_reference") or "Not recorded."),
+            "state": state_value(second_factor_ready(data), yes(data, "mfa_enrolled_confirmed")),
+        },
+        {
+            "name": "age recipient",
+            "description": "Public recipient used for encrypted bootstrap bundles.",
+            "subsystem": "custodian age envelope",
+            "responsibility": "recovery-custodian",
+            "email": role_email(data, "role_recovery_custodian_email"),
+            "location": age_public_key_fingerprint(public_key) or "Not recorded.",
+            "state": state_value(bool(public_key) and yes(data, "custodian_age_public_key_confirmed"), bool(public_key)),
+        },
+        {
+            "name": "age private key reference",
+            "description": "Non-secret pointer to the private age key location.",
+            "subsystem": "custodian age envelope",
+            "responsibility": "recovery-custodian",
+            "email": role_email(data, "role_recovery_custodian_email"),
+            "location": str(data.get("custodian_age_private_key_reference") or "Not recorded."),
+            "state": state_value(yes(data, "custodian_age_private_key_confirmed"), bool(data.get("custodian_age_private_key_reference"))),
+        },
+        {
+            "name": "secrets.enc",
+            "description": "Encrypted bootstrap bundle.",
+            "subsystem": "sso-mfa/bootstrap",
+            "responsibility": "recovery-custodian",
+            "email": role_email(data, "role_recovery_custodian_email"),
+            "location": str(state["encrypted_bundle_path"]),
+            "state": state_value(bool(state["encrypted_bundle_exists"]), False, bool(state["plaintext_secrets_present"])),
+        },
+        {
+            "name": "custody strategy",
+            "description": "Selected OpenBao ceremony control model.",
+            "subsystem": "custody model",
+            "responsibility": "platform-root-custodian",
+            "email": role_email(data, "role_platform_custodian_email"),
+            "location": str(data.get("custody_mode") or "Not selected."),
+            "state": state_value(yes(data, "custody_mode_approved"), data.get("custody_mode") in VALID_CUSTODY_MODES),
+        },
+        {
+            "name": "recovery material",
+            "description": "Recovery references for identity, MFA, age key, and encrypted bootstrap bundle.",
+            "subsystem": "custody packet",
+            "responsibility": "recovery-custodian",
+            "email": role_email(data, "role_recovery_custodian_email"),
+            "location": "offline packet / password safe references",
+            "state": state_value(yes(data, "recovery_confirmed")),
+        },
+        {
+            "name": "OpenBao custody packet",
+            "description": "Ceremony envelope with share assignment slots and root-token disposition plan.",
+            "subsystem": "Railiance OpenBao",
+            "responsibility": "openbao-ceremony-operator",
+            "email": role_email(data, "role_openbao_operator_email"),
+            "location": "offline ceremony packet",
+            "state": state_value(yes(data, "custody_packet_prepared")),
+        },
+        {
+            "name": "unseal shares",
+            "description": "Real OpenBao shares produced by init. They must be routed directly to approved custody locations.",
+            "subsystem": "Railiance OpenBao",
+            "responsibility": "openbao-ceremony-operator",
+            "email": role_email(data, "role_openbao_operator_email"),
+            "location": "created during attended init; not stored here",
+            "state": state_value(yes(data, "openbao_initialized"), yes(data, "openbao_preflight_passed")),
+        },
+        {
+            "name": "initial root token",
+            "description": "OpenBao bootstrap token produced by init. Use only for first configuration and disposition.",
+            "subsystem": "Railiance OpenBao",
+            "responsibility": "openbao-ceremony-operator",
+            "email": role_email(data, "role_openbao_operator_email"),
+            "location": "created during attended init; never pasted here",
+            "state": state_value(root_disposition in {"revoked", "offline-sealed"}, yes(data, "openbao_initialized")),
+        },
+    ]
+
+
+def command_payloads() -> list[dict[str, str]]:
+    return [
+        {
+            "name": "OpenBao status",
+            "description": "Show pod, service, PVC, and seal/init status.",
+            "command": "make -C ../railiance-platform openbao-status",
+        },
+        {
+            "name": "OpenBao preflight",
+            "description": "Run safe status and verification checks. Does not initialize OpenBao.",
+            "command": (
+                "python3 tools/security-bootstrap-console/security_bootstrap_console.py "
+                "openbao-preflight --railiance-path ../railiance-platform --run"
+            ),
+        },
+        {
+            "name": "OpenBao init ceremony",
+            "description": "Creates real unseal shares and the initial root token. Run once, attended.",
+            "command": "kubectl exec -n openbao openbao-0 -- bao operator init -key-shares=3 -key-threshold=2",
+        },
+        {
+            "name": "OpenBao unseal prompt",
+            "description": "Enter unseal shares by prompt. Do not place shares on the command line.",
+            "command": "kubectl exec -n openbao openbao-0 -- bao operator unseal",
+        },
+        {
+            "name": "OpenBao initial configuration",
+            "description": "Apply first audit, auth, mount, and policy configuration after unseal.",
+            "command": "make -C ../railiance-platform openbao-configure-initial",
+        },
+        {
+            "name": "OpenBao post-unseal verification",
+            "description": "Verify filesystem and post-unseal readiness before live secrets move in.",
+            "command": "make -C ../railiance-platform openbao-verify-post-unseal",
+        },
+    ]
+
+
+def section_gate_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
+    role_rows = role_payloads(data)
+    role_ok = all(row["state"] != "nil" for row in role_rows[:5])
+    subsystem_rows = subsystem_payloads(data)
+    integration_rows = integration_payloads(data)
+    artifact_rows = artifact_payloads(data)
+    return [
+        {
+            "key": "roles",
+            "name": "Roles & Responsibilities",
+            "status": "ok" if role_ok else "set",
+            "reason": "All active bootstrap roles have a designated email." if role_ok else "Assign an email to each active bootstrap role.",
+        },
+        {
+            "key": "subsystems",
+            "name": "Subsystems & Scope",
+            "status": "ok" if all(row["state"] in {"ok", "set"} for row in subsystem_rows) else "err",
+            "reason": "Subsystems have install/access evidence." if all(row["state"] != "nil" for row in subsystem_rows) else "Complete subsystem setup fields and confirmations.",
+        },
+        {
+            "key": "integrations",
+            "name": "Integration & Tests",
+            "status": "ok" if all(row["state"] == "ok" for row in integration_rows[:4]) else "set",
+            "reason": "Identity and OpenBao preflight checks are done." if all(row["state"] == "ok" for row in integration_rows[:4]) else "Run or confirm the remaining integration checks.",
+        },
+        {
+            "key": "artifacts",
+            "name": "Artefacts & Locations",
+            "status": "ok" if all(row["state"] != "nil" for row in artifact_rows[:10]) else "set",
+            "reason": "Core custody artefacts have locations or confirmations." if all(row["state"] != "nil" for row in artifact_rows[:10]) else "Record missing artefact locations and confirmations.",
+        },
+    ]
+
+
 def status_payload(data: dict[str, Any], metadata_path: Path) -> dict[str, Any]:
     merged = metadata_template()
     merged.update(data)
@@ -827,6 +1216,12 @@ def status_payload(data: dict[str, Any], metadata_path: Path) -> dict[str, Any]:
         "gates": [gate_payload(gate) for gate in gates],
         "key_custody_gates": [gate_payload(gate) for gate in key_custody_validation(merged)],
         "kit_gates": [gate_payload(gate) for gate in kit_validation(merged)],
+        "section_gates": section_gate_payloads(merged),
+        "roles": role_payloads(merged),
+        "subsystems": subsystem_payloads(merged),
+        "integrations": integration_payloads(merged),
+        "artifacts": artifact_payloads(merged),
+        "commands": command_payloads(),
         "bootstrap_secret_state": bootstrap_secret_state(),
         "metadata": metadata_view,
         "approval_phrase": APPROVAL_PHRASE,
@@ -1222,6 +1617,115 @@ def ui_html() -> str:
       cursor: wait;
       opacity: 0.65;
     }
+    summary {
+      display: flex;
+      justify-content: space-between;
+      gap: 12px;
+      align-items: center;
+      cursor: pointer;
+      list-style: none;
+    }
+    summary::-webkit-details-marker { display: none; }
+    .summary-title {
+      font-size: 18px;
+      line-height: 1.2;
+      font-weight: 650;
+    }
+    .section-gate {
+      border: 1px solid var(--soft-line);
+      border-radius: 4px;
+      background: #ffffff;
+      padding: 10px 12px;
+      margin: 14px 0;
+      color: var(--muted);
+      font-size: 13px;
+      line-height: 1.35;
+    }
+    .record-list, .command-list {
+      display: grid;
+      gap: 8px;
+      margin: 14px 0;
+    }
+    .record-row {
+      display: grid;
+      grid-template-columns: 62px minmax(170px, 1.2fr) minmax(120px, 0.7fr) minmax(150px, 0.8fr) minmax(150px, 1fr);
+      gap: 10px;
+      align-items: start;
+      border: 1px solid var(--soft-line);
+      border-radius: 4px;
+      background: #ffffff;
+      padding: 10px;
+    }
+    .record-name {
+      font-weight: 650;
+      line-height: 1.2;
+    }
+    .record-description, .record-meta {
+      color: var(--muted);
+      font-size: 13px;
+      line-height: 1.35;
+      margin-top: 3px;
+      overflow-wrap: anywhere;
+    }
+    .state {
+      display: inline-flex;
+      justify-content: center;
+      min-width: 42px;
+      border: 1px solid var(--line);
+      border-radius: 999px;
+      padding: 3px 8px;
+      font-family: "IBM Plex Mono", ui-monospace, monospace;
+      font-size: 12px;
+      line-height: 1.2;
+      text-transform: uppercase;
+      background: var(--warn);
+    }
+    .state.ok { background: var(--ok); }
+    .state.set { background: var(--human); }
+    .state.nil { background: #ffffff; }
+    .state.err { background: var(--bad); }
+    .role-chip {
+      display: inline-flex;
+      max-width: 100%;
+      border: 1px solid var(--soft-line);
+      border-radius: 999px;
+      padding: 3px 8px;
+      background: #ffffff;
+      color: var(--ink);
+      font-family: "IBM Plex Mono", ui-monospace, monospace;
+      font-size: 12px;
+      overflow-wrap: anywhere;
+    }
+    .command-row {
+      border: 1px solid var(--soft-line);
+      border-radius: 4px;
+      background: #ffffff;
+      padding: 10px;
+    }
+    .command-head {
+      display: flex;
+      justify-content: space-between;
+      gap: 12px;
+      align-items: start;
+    }
+    .command-code {
+      display: block;
+      width: 100%;
+      margin-top: 8px;
+      border: 1px solid var(--line);
+      border-radius: 4px;
+      background: #181818;
+      color: #ffffff;
+      padding: 10px 12px;
+      overflow-x: auto;
+      white-space: pre-wrap;
+      overflow-wrap: anywhere;
+    }
+    .copy-button {
+      min-height: 32px;
+      padding: 6px 10px;
+      font-size: 13px;
+    }
     .gates {
       border: 1px solid var(--soft-line);
       border-radius: 4px;
@@ -1285,6 +1789,7 @@ def ui_html() -> str:
       header { padding: 18px; }
       main { padding: 16px; }
       .topline, .layout, .grid { grid-template-columns: 1fr; }
+      .record-row { grid-template-columns: 1fr; }
       .metric {
         border-right: 0;
         border-bottom: 1px solid var(--soft-line);
@@ -1316,108 +1821,100 @@ def ui_html() -> str:
 
     <div class="layout">
       <form id="approval-form">
-        <section class="panel">
-          <h2>1. Bootstrap key envelope</h2>
-          <p class="notice">The custodian age public key encrypts bootstrap bundles. The private key is ceremony material and must not be pasted into this UI.</p>
-          <div class="choice-list">
-            <div class="choice"><span class="step-number">1</span><span><strong>Register public recipient</strong><span>Paste only the custodian public age recipient, for example <code>age1...</code>. This value is safe to store and lets tools encrypt new bootstrap bundles.</span></span></div>
-            <div class="choice"><span class="step-number">2</span><span><strong>Record private-key custody</strong><span>Record a non-secret reference such as <code>KeePassXC: custodian/age/private</code> or <code>offline USB label</code>. The actual private key is provided only during an unlock/apply ceremony.</span></span></div>
-            <div class="choice"><span class="step-number">3</span><span><strong>Use trial before custody</strong><span>Trial mode may use throwaway values to document the process. Custody mode encrypts real generated secrets immediately and shreds plaintext after apply.</span></span></div>
-          </div>
-          <div class="grid" style="margin-top: 14px;">
+        <details class="panel workflow-section" data-section="roles" open>
+          <summary><span class="summary-title">1. Roles & Responsibilities</span><span class="state nil" data-section-state="roles">nil</span></summary>
+          <div class="section-gate" data-section-gate="roles">Loading role gate.</div>
+          <p class="notice">Define who is accountable for each bootstrap role before touching subsystem-specific controls. Role chips in every record show the role name; hover them to see the designated email.</p>
+          <div id="roles-records" class="record-list"></div>
+          <div class="grid">
             <label class="field">
-              <span class="label">Mode</span>
-              <select id="bootstrap_mode">
+              <span class="label">Setup operator</span>
+              <input id="setup_operator" type="text" autocomplete="off" title="Local operator handle used for non-secret progress records.">
+            </label>
+            <label class="field">
+              <span class="label">Notification contact</span>
+              <input id="notification_contact" type="text" autocomplete="off" title="Email for bootstrap notifications and lockout handling.">
+            </label>
+            <label class="field">
+              <span class="label">Setup operator email</span>
+              <input id="role_setup_operator_email" type="text" autocomplete="off" title="Designated user for the setup-operator role.">
+            </label>
+            <label class="field">
+              <span class="label">Platform-root custodian email</span>
+              <input id="role_platform_custodian_email" type="text" autocomplete="off" title="Designated user for the platform-root-custodian role.">
+            </label>
+            <label class="field">
+              <span class="label">Identity admin email</span>
+              <input id="role_identity_admin_email" type="text" autocomplete="off" title="Designated user for identity-admin during bootstrap.">
+            </label>
+            <label class="field">
+              <span class="label">OpenBao operator email</span>
+              <input id="role_openbao_operator_email" type="text" autocomplete="off" title="Designated user for the attended OpenBao ceremony.">
+            </label>
+            <label class="field">
+              <span class="label">Recovery custodian email</span>
+              <input id="role_recovery_custodian_email" type="text" autocomplete="off" title="Designated user for recovery material and bootstrap bundle custody.">
+            </label>
+            <label class="field">
+              <span class="label">Future quorum email</span>
+              <input id="role_future_quorum_email" type="text" autocomplete="off" title="Optional placeholder for later two-of-three custody migration.">
+            </label>
+          </div>
+        </details>
+
+        <details class="panel workflow-section" data-section="subsystems" open>
+          <summary><span class="summary-title">2. Subsystems & Scope</span><span class="state nil" data-section-state="subsystems">nil</span></summary>
+          <div class="section-gate" data-section-gate="subsystems">Loading subsystem gate.</div>
+          <p class="notice">This section is about installing each subsystem and establishing initial user access. Integration checks come later.</p>
+          <div id="subsystems-records" class="record-list"></div>
+          <div class="grid">
+            <label class="field">
+              <span class="label">Bootstrap mode</span>
+              <select id="bootstrap_mode" title="Trial mode documents the process; custody mode is for real handover material.">
                 <option value="trial">Trial</option>
                 <option value="custody">Custody</option>
               </select>
             </label>
             <label class="field">
-              <span class="label">Public key fingerprint</span>
-              <input id="custodian_age_public_key_fingerprint" type="text" readonly title="Derived from the public age recipient; useful for comparing with your password safe entry.">
+              <span class="label">Credential label</span>
+              <input id="credential_label" type="text" autocomplete="off" title="Dedicated credential label, usually platform-root.">
             </label>
             <label class="field">
               <span class="label">Custodian public age key</span>
               <input id="custodian_age_public_key" type="text" autocomplete="off" placeholder="age1..." title="Public recipient only. Never paste AGE-SECRET-KEY material here.">
             </label>
+            <label class="field">
+              <span class="label">Public key fingerprint</span>
+              <input id="custodian_age_public_key_fingerprint" type="text" readonly title="Derived from the public age recipient.">
+            </label>
             <label class="field">
               <span class="label">Private key custody reference</span>
               <input id="custodian_age_private_key_reference" type="text" autocomplete="off" placeholder="KeePassXC: custodian/age/private" title="Non-secret pointer to where the private key is held; not the key itself.">
             </label>
-          </div>
-          <div class="choice-list" style="margin-top: 14px;">
-            <label class="choice"><input id="custodian_age_public_key_confirmed" type="checkbox"><span><strong>Public key confirmed</strong><span>The public recipient matches the custodian key material you intend to use.</span></span></label>
-            <label class="choice"><input id="custodian_age_private_key_confirmed" type="checkbox"><span><strong>Private key location confirmed</strong><span>You know where the private key is stored and can unlock it intentionally later.</span></span></label>
-          </div>
-        </section>
-
-        <section class="panel">
-          <h2>2. Platform-root identity</h2>
-          <p class="notice">Guide mode. OpenBao stores and audits secrets after the ceremony; it does not create the king account.</p>
-          <div class="choice-list">
-            <div class="choice"><span class="step-number">1</span><span><strong>Open LLDAP as bootstrap admin</strong><span>LLDAP has no public registration. Log in as <code>admin</code> using <code>LLDAP_LDAP_USER_PASS</code> from your password safe entry <code>net-kingdom/LLDAP/admin</code>. That value was generated during installation and injected into the <code>lldap-secrets</code> Kubernetes Secret.</span><span class="inline-actions"><a class="button-link" href="https://lldap.coulomb.social" target="_blank" rel="noreferrer" title="Open the LLDAP admin UI. This path uses password auth only and must be restricted before production.">Open LLDAP</a></span></span></div>
-            <div class="choice"><span class="step-number">2</span><span><strong>Create dedicated account</strong><span>Create a dedicated <code>platform-root</code> or <code>king</code> user. Suggested values: username <code>platform-root</code>, notification contact <code>bernd.worsch@gmail.com</code>. Add it to <code>net-kingdom-admins</code> for the current lightweight path. Do not use <code>tegwick</code> as this account.</span></span></div>
-            <div class="choice"><span class="step-number">3</span><span><strong>Enroll MFA</strong><span>Use <code>pi-admin</code> only to confirm the LLDAP resolver, realm, and self-enrollment policy. Then log in to privacyIDEA self-service as the account recorded above, usually <code>platform-root</code>, for the QR code or setup key. If self-service is not ready, use admin-assisted token assignment as a fallback and record that as the enrollment source.</span><span class="inline-actions"><a class="button-link" href="https://pink-account.coulomb.social" target="_blank" rel="noreferrer" title="Open privacyIDEA self-service to enroll or test the platform-root OTP factor.">Open self-service</a><a class="button-link secondary" href="https://pink.coulomb.social" target="_blank" rel="noreferrer" title="Open privacyIDEA admin. Use pi-admin here only to check resolver, realm, policy, or fallback token assignment.">Open admin</a></span></span></div>
-            <div class="choice"><span class="step-number">4</span><span><strong>Confirm identity path</strong><span>KeyCape is an OIDC issuer, not a dashboard; its root path returning 404 is expected. The login check starts the dedicated bootstrap-console OIDC client and should return to this console. If it never reaches the callback page, KeyCape may still need the public Authelia redirect config, this callback URI registration, or a browser OTP prompt. Mark OIDC verified only after the browser flow works for the same account.</span><span class="inline-actions"><a class="button-link" href="/oidc/start" target="_blank" rel="noreferrer" title="Start the bootstrap-console OIDC authorization flow through KeyCape. It should return to this local console callback without storing tokens.">Start OIDC login check</a><a class="button-link secondary" href="https://kc.coulomb.social/.well-known/openid-configuration" target="_blank" rel="noreferrer" title="Open KeyCape OIDC discovery JSON. This proves the issuer metadata is published.">Open discovery</a><a class="button-link secondary" href="https://kc.coulomb.social/healthz" target="_blank" rel="noreferrer" title="Open the KeyCape health endpoint. This proves the service process responds.">Open health</a></span></span></div>
-            <div class="choice"><span class="step-number">5</span><span><strong>Then OpenBao</strong><span>After custody approval, the OpenBao ceremony creates unseal shares, root-token disposition, policies, and temporary admin access.</span></span></div>
-          </div>
-          <div class="grid" style="margin-top: 14px;">
             <label class="field">
               <span class="label">Account home</span>
-              <input id="identity_account_home" type="text" autocomplete="off" value="lldap">
+              <input id="identity_account_home" type="text" autocomplete="off" value="lldap" title="Identity subsystem where the platform-root account lives.">
             </label>
             <label class="field">
               <span class="label">Account reference</span>
-              <input id="identity_account_reference" type="text" autocomplete="off" placeholder="platform-root@lldap">
+              <input id="identity_account_reference" type="text" autocomplete="off" placeholder="platform-root@lldap" title="Non-secret account reference.">
             </label>
             <label class="field">
               <span class="label">Admin group</span>
-              <input id="identity_group_reference" type="text" autocomplete="off" value="net-kingdom-admins">
-            </label>
-          </div>
-          <div class="choice-list" style="margin-top: 14px;">
-            <label class="choice"><input id="identity_account_created" type="checkbox"><span><strong>Account created</strong><span>The dedicated identity account exists in LLDAP. No password is stored here.</span></span></label>
-            <label class="choice"><input id="identity_group_confirmed" type="checkbox"><span><strong>Admin group assigned</strong><span>The account is a member of <code>net-kingdom-admins</code> in LLDAP.</span></span></label>
-            <label class="choice"><input id="password_safe_confirmed" type="checkbox"><span><strong>Password stored</strong><span>The account password is stored in your password safe or offline custody packet. No value is stored here.</span></span></label>
-            <label class="choice"><input id="oidc_login_verified" type="checkbox"><span><strong>OIDC login verified</strong><span>The account can complete the NetKingdom login path through KeyCape after MFA enrollment.</span></span></label>
-          </div>
-        </section>
-
-        <section class="panel">
-          <h2>3. Credential record</h2>
-          <p class="notice">Local non-secret metadata only. OpenBao initialization stays manual.</p>
-          <div class="grid">
-            <label class="field">
-              <span class="label">Credential label</span>
-              <input id="credential_label" type="text" autocomplete="off">
-            </label>
-            <label class="field">
-              <span class="label">Setup operator</span>
-              <input id="setup_operator" type="text" autocomplete="off">
-            </label>
-            <label class="field">
-              <span class="label">Notification contact</span>
-              <input id="notification_contact" type="text" autocomplete="off">
+              <input id="identity_group_reference" type="text" autocomplete="off" value="net-kingdom-admins" title="LLDAP group used for current bootstrap admin access.">
             </label>
             <label class="field">
               <span class="label">Second factor</span>
-              <select id="mfa_class">
+              <select id="mfa_class" title="Hardware token is optional policy, not a default requirement.">
                 <option value="">Select</option>
                 <option value="totp">TOTP</option>
                 <option value="webauthn">WebAuthn</option>
                 <option value="hardware-token">Hardware token (policy only)</option>
               </select>
             </label>
-          </div>
-        </section>
-
-        <section class="panel">
-          <h2>4. MFA and login proof</h2>
-          <p class="notice">The QR code or setup key belongs to the authority that verifies login. This UI records confirmation only.</p>
-          <div class="grid">
             <label class="field">
-              <span class="label">Enrollment source</span>
-              <select id="mfa_enrollment_source">
+              <span class="label">MFA enrollment source</span>
+              <select id="mfa_enrollment_source" title="The real verifier owns the QR code or setup key.">
                 <option value="deferred">Deferred</option>
                 <option value="identity-provider">Identity provider</option>
                 <option value="external-verifier">External verifier</option>
@@ -1425,75 +1922,37 @@ def ui_html() -> str:
               </select>
             </label>
             <label class="field">
-              <span class="label">Reference</span>
-              <input id="mfa_enrollment_reference" type="text" autocomplete="off" placeholder="provider or vault entry label">
+              <span class="label">MFA reference</span>
+              <input id="mfa_enrollment_reference" type="text" autocomplete="off" placeholder="provider or vault entry label" title="Non-secret reference to the enrollment authority or vault label.">
             </label>
           </div>
           <div class="choice-list" style="margin-top: 14px;">
+            <label class="choice"><input id="custodian_age_public_key_confirmed" type="checkbox"><span><strong>Public key confirmed</strong><span>The public recipient matches the custodian key material you intend to use.</span></span></label>
+            <label class="choice"><input id="custodian_age_private_key_confirmed" type="checkbox"><span><strong>Private key location confirmed</strong><span>You know where the private key is stored and can unlock it intentionally later.</span></span></label>
+            <label class="choice"><input id="identity_account_created" type="checkbox"><span><strong>Account created</strong><span>The dedicated identity account exists in LLDAP. No password is stored here.</span></span></label>
+            <label class="choice"><input id="identity_group_confirmed" type="checkbox"><span><strong>Admin group assigned</strong><span>The account is a member of <code>net-kingdom-admins</code> in LLDAP.</span></span></label>
+            <label class="choice"><input id="password_safe_confirmed" type="checkbox"><span><strong>Password stored</strong><span>The account password is stored in your password safe or offline custody packet.</span></span></label>
             <label class="choice"><input id="mfa_enrolled_confirmed" type="checkbox"><span><strong>Factor enrolled</strong><span>The real verifier produced or accepted the factor. No seed is recorded here.</span></span></label>
           </div>
-        </section>
-
-        <section class="panel">
-          <h2>5. Custody strategy</h2>
-          <p class="notice">Select the control strategy before preparing the custody packet. Approval comes later, after recovery material and packet contents match this strategy.</p>
-          <div class="choice-list">
-            <label class="choice"><input name="custody_mode" value="temporary-single-king" type="radio"><span><strong>Temporary single king</strong><span>Recommended while Railiance is still pre-production. One dedicated platform-root custodian controls the first ceremony, with migration to quorum custody planned.</span></span></label>
-            <label class="choice"><input name="custody_mode" value="two-of-three-ready" type="radio"><span><strong>Two of three ready</strong><span>Use only when independent share holders already exist and can attend the first OpenBao init ceremony.</span></span></label>
-            <label class="choice"><input name="custody_mode" value="two-of-three-planned" type="radio"><span><strong>Two of three planned</strong><span>Records the target model but does not approve live init yet.</span></span></label>
+          <div class="inline-actions">
+            <a class="button-link" href="https://lldap.coulomb.social" target="_blank" rel="noreferrer" title="Open the LLDAP admin UI. This path uses password auth only and must be restricted before production.">Open LLDAP</a>
+            <a class="button-link secondary" href="https://pink-account.coulomb.social" target="_blank" rel="noreferrer" title="Open privacyIDEA self-service to enroll or test the platform-root OTP factor.">Open self-service</a>
+            <a class="button-link secondary" href="https://pink.coulomb.social" target="_blank" rel="noreferrer" title="Open privacyIDEA admin for resolver, realm, policy, or fallback token assignment.">Open admin</a>
           </div>
-        </section>
+        </details>
 
-        <section class="panel">
-          <h2>6. Recovery material</h2>
-          <p class="notice">Recovery material is the ability to regain control of the platform-root credential and encrypted bootstrap bundle. It is not the OpenBao ceremony packet, and this UI stores only references.</p>
-          <ul class="spec-list">
-            <li>Platform-root password entry exists in the password safe and its label is known.</li>
-            <li>MFA recovery or re-enrollment path is known, such as privacyIDEA admin repair or a stored recovery-code location if that authority issues codes.</li>
-            <li>Custodian age private-key location is known and separate from the public recipient stored here.</li>
-            <li>Encrypted bootstrap bundle location is known; plaintext bootstrap secrets are absent before custody approval.</li>
-            <li>Notification contact and setup operator are recorded for lockout handling.</li>
-          </ul>
-          <div class="choice-list">
-            <label class="choice"><input name="storage_classes" value="password-safe" type="checkbox"><span><strong>Password safe</strong><span>Credential held in a dedicated vault entry.</span></span></label>
-            <label class="choice"><input name="storage_classes" value="offline-packet" type="checkbox"><span><strong>Offline packet</strong><span>Recovery material exists outside live systems.</span></span></label>
-            <label id="hardware-storage-choice" class="choice conditional"><input name="storage_classes" value="hardware-token" type="checkbox"><span><strong>Hardware token storage</strong><span>Shown only when the selected credential policy uses a hardware token.</span></span></label>
-            <label class="choice"><input id="recovery_confirmed" type="checkbox"><span><strong>Recovery material prepared</strong><span>The items above exist outside this UI. Do not paste passwords, OTP seeds, recovery codes, or private keys here.</span></span></label>
+        <details class="panel workflow-section" data-section="integrations" open>
+          <summary><span class="summary-title">3. Integration & Tests</span><span class="state nil" data-section-state="integrations">nil</span></summary>
+          <div class="section-gate" data-section-gate="integrations">Loading integration gate.</div>
+          <p class="notice">This section connects the subsystems and shows every console command as a copyable block. Commands still run outside this browser so secret output never enters the control surface.</p>
+          <div id="integrations-records" class="record-list"></div>
+          <div class="inline-actions">
+            <a class="button-link" href="/oidc/start" target="_blank" rel="noreferrer" title="Start the bootstrap-console OIDC authorization flow through KeyCape.">Start OIDC login check</a>
+            <a class="button-link secondary" href="https://kc.coulomb.social/.well-known/openid-configuration" target="_blank" rel="noreferrer" title="Open KeyCape OIDC discovery JSON.">Open discovery</a>
+            <a class="button-link secondary" href="https://kc.coulomb.social/healthz" target="_blank" rel="noreferrer" title="Open the KeyCape health endpoint.">Open health</a>
           </div>
-        </section>
-
-        <section class="panel">
-          <h2>7. Custody packet and approval</h2>
-          <p class="notice">The custody packet is the offline ceremony envelope for the selected OpenBao strategy. It is prepared before approval, but it does not initialize OpenBao and does not contain secret values in this UI.</p>
-          <ul class="spec-list">
-            <li>Credential label, setup operator, notification contact, and selected custody strategy.</li>
-            <li>References to recovery material, not the recovery values themselves.</li>
-            <li>OpenBao init checklist, unseal-share assignment slots, and quorum plan.</li>
-            <li>Root-token disposition plan: revoke immediately or seal offline after scoped admin access works.</li>
-            <li>Signature/date line for the attended ceremony.</li>
-          </ul>
-          <div class="system-note">Secret capture is enforced by architecture: the control surface does not request secrets, and the gate checks local metadata plus plaintext bootstrap-secret presence. There is no user checkbox for this contract.</div>
-          <div class="choice-list" style="margin-bottom: 14px;">
-            <label class="choice"><input id="custody_packet_prepared" type="checkbox"><span><strong>Custody packet prepared</strong><span>The offline ceremony packet above is ready for the selected strategy. No OpenBao root token or unseal share is recorded here.</span></span></label>
-          </div>
-          <p class="notice">Approval is the explicit handoff from preparation into OpenBao preflight. It still does not run OpenBao init.</p>
-          <div class="field" style="margin-top: 14px;">
-            <span class="label">Approval phrase for selected strategy</span>
-            <input id="approval_phrase" type="text" autocomplete="off" placeholder="approve custody mode" title="Type the approval phrase only after the selected strategy, recovery material, and custody packet are ready.">
-          </div>
-        </section>
-
-        <section class="panel">
-          <h2>8. OpenBao setup path</h2>
-          <p class="notice">OpenBao comes after custody approval. Public ingress is disabled in Railiance, so the attended ceremony uses Railiance commands, kubectl exec, or operator port-forwarding rather than this browser collecting secrets.</p>
-          <ul class="spec-list">
-            <li>Before approval, limit work to deployment/status checks: <code>make -C ../railiance-platform openbao-dry-run</code>, <code>make -C ../railiance-platform openbao-deploy</code>, and <code>make -C ../railiance-platform openbao-status</code>.</li>
-            <li>After approval, run safe preflight from this repo: <code>python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight --railiance-path ../railiance-platform --run</code>.</li>
-            <li>Human init ceremony on Railiance: <code>kubectl exec -n openbao openbao-0 -- bao operator init -key-shares=3 -key-threshold=2</code>, then distribute unseal shares according to the approved packet.</li>
-            <li>Unseal and configure without pasting values here: <code>kubectl exec -n openbao openbao-0 -- bao operator unseal</code>, then <code>make -C ../railiance-platform openbao-configure-initial</code>.</li>
-            <li>Verify and prove recovery: <code>make -C ../railiance-platform openbao-verify-post-unseal</code>, snapshot, and run an isolated restore drill before live secrets move in.</li>
-          </ul>
-          <div class="choice-list">
+          <div class="choice-list" style="margin-top: 14px;">
+            <label class="choice"><input id="oidc_login_verified" type="checkbox"><span><strong>OIDC login verified</strong><span>The account can complete the NetKingdom login path through KeyCape after MFA enrollment.</span></span></label>
             <label class="choice"><input id="openbao_preflight_passed" type="checkbox"><span><strong>OpenBao preflight passed</strong><span>Status and verification checks completed after custody approval.</span></span></label>
             <label class="choice"><input id="openbao_initialized" type="checkbox"><span><strong>Initialized and unsealed</strong><span>The human ceremony completed outside this UI under the approved strategy.</span></span></label>
             <label class="choice"><input id="restore_drill_passed" type="checkbox"><span><strong>Restore drill passed</strong><span>Snapshot and isolated restore proof completed before live secrets are migrated.</span></span></label>
@@ -1506,13 +1965,42 @@ def ui_html() -> str:
               <option value="offline-sealed">Sealed offline</option>
             </select>
           </label>
+          <div id="command-list" class="command-list"></div>
+        </details>
+
+        <details class="panel workflow-section" data-section="artifacts" open>
+          <summary><span class="summary-title">4. Artefacts & Locations</span><span class="state nil" data-section-state="artifacts">nil</span></summary>
+          <div class="section-gate" data-section-gate="artifacts">Loading artefact gate.</div>
+          <p class="notice">This is the final overview of what has been established. Locations are references only; passwords, OTP seeds, age private keys, unseal shares, and root tokens are never recorded here.</p>
+          <div id="artifacts-records" class="record-list"></div>
+          <div class="choice-list">
+            <label class="choice"><input name="custody_mode" value="temporary-single-king" type="radio"><span><strong>Temporary single king</strong><span>Recommended while Railiance is still pre-production. Migration to quorum custody remains planned.</span></span></label>
+            <label class="choice"><input name="custody_mode" value="two-of-three-ready" type="radio"><span><strong>Two of three ready</strong><span>Use only when independent share holders already exist and can attend the first OpenBao init ceremony.</span></span></label>
+            <label class="choice"><input name="custody_mode" value="two-of-three-planned" type="radio"><span><strong>Two of three planned</strong><span>Records the target model but does not approve live init yet.</span></span></label>
+          </div>
+          <ul class="spec-list" style="margin-top: 14px;">
+            <li>Recovery material: password recovery, MFA recovery/re-enrollment, custodian age-key recovery, encrypted bundle recovery, and notification contact references.</li>
+            <li>Custody packet: selected strategy, recovery references, OpenBao init checklist, unseal-share assignment slots, quorum plan, root-token disposition plan, and signature/date line.</li>
+          </ul>
+          <div class="choice-list">
+            <label class="choice"><input name="storage_classes" value="password-safe" type="checkbox"><span><strong>Password safe</strong><span>Credential held in a dedicated vault entry.</span></span></label>
+            <label class="choice"><input name="storage_classes" value="offline-packet" type="checkbox"><span><strong>Offline packet</strong><span>Recovery material exists outside live systems.</span></span></label>
+            <label id="hardware-storage-choice" class="choice conditional"><input name="storage_classes" value="hardware-token" type="checkbox"><span><strong>Hardware token storage</strong><span>Shown only when the selected credential policy uses a hardware token.</span></span></label>
+            <label class="choice"><input id="recovery_confirmed" type="checkbox"><span><strong>Recovery material prepared</strong><span>The items above exist outside this UI. Do not paste secret material here.</span></span></label>
+            <label class="choice"><input id="custody_packet_prepared" type="checkbox"><span><strong>Custody packet prepared</strong><span>The offline ceremony packet is ready for the selected strategy. No OpenBao root token or unseal share is recorded here.</span></span></label>
+          </div>
+          <div class="system-note" style="margin-top: 14px;">Secret capture is enforced by architecture: the control surface does not request secrets, and the gate checks local metadata plus plaintext bootstrap-secret presence.</div>
+          <div class="field" style="margin-top: 14px;">
+            <span class="label">Approval phrase for selected strategy</span>
+            <input id="approval_phrase" type="text" autocomplete="off" placeholder="approve custody mode" title="Type the approval phrase only after the selected strategy, recovery material, and custody packet are ready.">
+          </div>
           <div class="actions">
             <button class="secondary" id="save-button" type="button" title="Save the visible non-secret progress fields to local metadata.">Save progress</button>
             <button id="approve-button" type="submit" title="Approve the selected custody strategy only after all kit gates are satisfied.">Approve selected strategy</button>
             <button class="secondary" id="refresh-button" type="button" title="Reload the local metadata and gate status from disk.">Refresh</button>
           </div>
           <div id="message" class="message" role="status">Waiting for local approval.</div>
-        </section>
+        </details>
       </form>
 
       <aside>
@@ -1549,6 +2037,12 @@ def ui_html() -> str:
       "oidc_login_verified",
       "setup_operator",
       "notification_contact",
+      "role_setup_operator_email",
+      "role_platform_custodian_email",
+      "role_identity_admin_email",
+      "role_openbao_operator_email",
+      "role_recovery_custodian_email",
+      "role_future_quorum_email",
       "mfa_class",
       "mfa_enrollment_source",
       "mfa_enrollment_reference",
@@ -1589,6 +2083,103 @@ def ui_html() -> str:
       }
     }
 
+    function makeStateBadge(state) {
+      const badge = document.createElement("span");
+      const value = state || "nil";
+      badge.className = "state " + value;
+      badge.textContent = value;
+      return badge;
+    }
+
+    function makeRoleChip(role, email) {
+      const chip = document.createElement("span");
+      chip.className = "role-chip";
+      chip.textContent = role || "unassigned";
+      chip.title = email ? role + " -> " + email : role + " has no designated email";
+      return chip;
+    }
+
+    function renderRecords(target, rows) {
+      const root = document.getElementById(target);
+      root.replaceChildren();
+      for (const record of rows || []) {
+        const row = document.createElement("div");
+        row.className = "record-row";
+        row.append(makeStateBadge(record.state));
+
+        const identity = document.createElement("div");
+        const name = document.createElement("div");
+        name.className = "record-name";
+        name.textContent = record.name;
+        const description = document.createElement("div");
+        description.className = "record-description";
+        description.textContent = record.description;
+        identity.append(name, description);
+
+        const subsystem = document.createElement("div");
+        subsystem.className = "record-meta";
+        subsystem.textContent = record.subsystem;
+
+        const responsibility = document.createElement("div");
+        responsibility.append(makeRoleChip(record.responsibility, record.email));
+
+        const location = document.createElement("div");
+        location.className = "record-meta";
+        location.textContent = record.location;
+
+        row.append(identity, subsystem, responsibility, location);
+        root.append(row);
+      }
+    }
+
+    function renderSectionGates(gates) {
+      for (const gate of gates || []) {
+        const badge = document.querySelector(`[data-section-state='${gate.key}']`);
+        if (badge) {
+          badge.className = "state " + gate.status;
+          badge.textContent = gate.status;
+        }
+        const message = document.querySelector(`[data-section-gate='${gate.key}']`);
+        if (message) {
+          message.textContent = gate.reason;
+        }
+      }
+    }
+
+    function renderCommands(commands) {
+      const root = document.getElementById("command-list");
+      root.replaceChildren();
+      for (const item of commands || []) {
+        const row = document.createElement("div");
+        row.className = "command-row";
+
+        const head = document.createElement("div");
+        head.className = "command-head";
+        const title = document.createElement("div");
+        const name = document.createElement("div");
+        name.className = "record-name";
+        name.textContent = item.name;
+        const description = document.createElement("div");
+        description.className = "record-description";
+        description.textContent = item.description;
+        title.append(name, description);
+
+        const button = document.createElement("button");
+        button.className = "copy-button secondary";
+        button.type = "button";
+        button.textContent = "Copy";
+        button.title = "Copy this console command to the clipboard.";
+        button.dataset.command = item.command;
+        head.append(title, button);
+
+        const code = document.createElement("code");
+        code.className = "command-code";
+        code.textContent = item.command;
+        row.append(head, code);
+        root.append(row);
+      }
+    }
+
     function fillForm(metadata) {
       for (const id of fields) {
         const element = document.getElementById(id);
@@ -1630,6 +2221,12 @@ def ui_html() -> str:
       renderGates("gates", data.gates);
       renderGates("key-gates", data.key_custody_gates);
       renderGates("kit-gates", data.kit_gates);
+      renderSectionGates(data.section_gates);
+      renderRecords("roles-records", data.roles);
+      renderRecords("subsystems-records", data.subsystems);
+      renderRecords("integrations-records", data.integrations);
+      renderRecords("artifacts-records", data.artifacts);
+      renderCommands(data.commands);
       fillForm(data.metadata || {});
     }
 
@@ -1653,6 +2250,12 @@ def ui_html() -> str:
         oidc_login_verified: document.getElementById("oidc_login_verified").checked,
         setup_operator: document.getElementById("setup_operator").value.trim(),
         notification_contact: document.getElementById("notification_contact").value.trim(),
+        role_setup_operator_email: document.getElementById("role_setup_operator_email").value.trim(),
+        role_platform_custodian_email: document.getElementById("role_platform_custodian_email").value.trim(),
+        role_identity_admin_email: document.getElementById("role_identity_admin_email").value.trim(),
+        role_openbao_operator_email: document.getElementById("role_openbao_operator_email").value.trim(),
+        role_recovery_custodian_email: document.getElementById("role_recovery_custodian_email").value.trim(),
+        role_future_quorum_email: document.getElementById("role_future_quorum_email").value.trim(),
         mfa_class: document.getElementById("mfa_class").value,
         mfa_enrollment_source: document.getElementById("mfa_enrollment_source").value,
         mfa_enrollment_reference: document.getElementById("mfa_enrollment_reference").value.trim(),
@@ -1672,6 +2275,19 @@ def ui_html() -> str:
 
     document.getElementById("mfa_class").addEventListener("change", syncConditionalHardware);
 
+    document.getElementById("command-list").addEventListener("click", async (event) => {
+      const button = event.target.closest(".copy-button");
+      if (!button) return;
+      const command = button.dataset.command || "";
+      try {
+        await navigator.clipboard.writeText(command);
+        button.textContent = "Copied";
+        setTimeout(() => { button.textContent = "Copy"; }, 1000);
+      } catch (error) {
+        setMessage("Copy failed: " + error.message, "error");
+      }
+    });
+
     document.getElementById("approval-form").addEventListener("submit", async (event) => {
       event.preventDefault();
       const button = document.getElementById("approve-button");
diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
index 3ed7e10..3786b6a 100644
--- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
+++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
@@ -230,6 +230,12 @@ panel now explains when to run Railiance preflight, init/unseal,
 post-unseal configuration, root-token disposition, and restore proof. The
 console still refuses to capture root tokens or unseal shares.
 
+**2026-05-25:** Restructured the bootstrap UI around the operator mental model:
+Roles & Responsibilities, Subsystems & Scope, Integration & Tests, and
+Artefacts & Locations. Role, subsystem, integration, and artefact rows now use
+the same `name`, `description`, `subsystem`, `responsibility`, `location`, and
+`state` fields, and console commands are shown as copyable command blocks.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret