Restructure bootstrap UI around artefact model

tools/security-bootstrap-console/README.md

@@ -76,6 +76,22 @@ python3 tools/security-bootstrap-console/security_bootstrap_console.py \
 
 Open `http://127.0.0.1:8765`.
 
+The web UI is structured as:
+
+1. **Roles & Responsibilities** - global bootstrap roles with designated
+   operator emails.
+2. **Subsystems & Scope** - installation and initial access for LLDAP,
+   privacyIDEA, KeyCape, the custodian age envelope, and Railiance OpenBao.
+3. **Integration & Tests** - OIDC and OpenBao preflight checks, with every
+   operator command shown as a copyable console block.
+4. **Artefacts & Locations** - final non-secret overview of established
+   artefacts and where to find their custody references.
+
+Role, subsystem, integration, and artefact records use the same fields:
+`name`, `description`, `subsystem`, `responsibility`, `location`, and `state`.
+States are `nil`, `set`, `err`, and `ok`. Role chips expose the designated
+email as hover text.
+
 The UI is a guide and approval surface, not the identity provider. Current
 lightweight-mode credential placement is: