diff --git a/sso-mfa/bootstrap/creds-state.yaml b/sso-mfa/bootstrap/creds-state.yaml
index 277fda3..c581cba 100644
--- a/sso-mfa/bootstrap/creds-state.yaml
+++ b/sso-mfa/bootstrap/creds-state.yaml
@@ -22,11 +22,11 @@ secrets_applied:
   lldap: true
   authelia: true
   privacyidea: true
-  keycape:     false
+  keycape: true
 
 # Post-apply bootstrap (agent-run when pod is Ready)
 enckey_bootstrapped: true
-pi_admin_created: true
+pi_admin_created: false
 
 # Derived: all true â†’ bootstrap complete
 bootstrap_complete: false
diff --git a/sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age
index f648c92..728c664 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age and b/sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age
index e66d80d..0f31992 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age and b/sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/keycape/key.pem.age b/sso-mfa/bootstrap/secrets.enc/keycape/key.pem.age
new file mode 100644
index 0000000..233e182
Binary files /dev/null and b/sso-mfa/bootstrap/secrets.enc/keycape/key.pem.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/keycape/pi_admin_token.age b/sso-mfa/bootstrap/secrets.enc/keycape/pi_admin_token.age
index 4986f23..cde7eb8 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/keycape/pi_admin_token.age and b/sso-mfa/bootstrap/secrets.enc/keycape/pi_admin_token.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age
index fc8c8a7..f04765a 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age and b/sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age
index 3dde7f8..a6c6e64 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age and b/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age
index 90ebe14..202435d 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age and b/sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/privacyidea/pi.enc.age b/sso-mfa/bootstrap/secrets.enc/privacyidea/pi.enc.age
index ca64efe..60f4a3c 100644
--- a/sso-mfa/bootstrap/secrets.enc/privacyidea/pi.enc.age
+++ b/sso-mfa/bootstrap/secrets.enc/privacyidea/pi.enc.age
@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> X25519 07rQFhkhdJod0LA2ITJtukS2hHCbOVfPYFUIadgzSD0
-SKN1Ue8uPW18Pf5AHfhfsFQVHQLIcEN5Gyjlm8DOwik
---- +TSu1Sv/56OWNFLwLWR22dKBeIVJcF9+DNO7GeVuMX4
-%¤ùÈiˆv}FíŸ¥õÛYÕF)õ%C[åÙe²ôŠþ°‡ößA-¡Ô¥gn…iãæŸlÁ-o§wX<Õ‚QÝgyE¬)£ê‘ptAì¼Ñî:{
-Ãù­çµæZ~Fm$#C¶U`.>†*0­vœs³»9ŒœojrÔ[
\ No newline at end of file
+-> X25519 0cL2SNhcEH4wBC1vfpvRl9FxngjQTTxDYLlxOJUEVE8
+5OYPPIRd+p4WLSDP41pj48L4/vX8yiqaLqkROpEszuY
+--- R9SZeBe8nV0AqCzYqF+ww6z0g13TI/tSYOHCt+CcGE4
+>îXßáAŠR¾/˜ÑÉ¤ÀòjqvL½0Ly&Ö3ºzn¥¾ø>O/ç]±ü¡ˆmºàÊ×¹Xs¦47ø=¸œ'S×:¨	tï—5uJ b¯Š•E[cÛäAùå¤¡*¿u.Á÷@¬IcAÝB/á–Í78ö×•ö­ÎÏ3P
\ No newline at end of file
diff --git a/sso-mfa/bootstrap/secrets.enc/privacyidea/private.pem.age b/sso-mfa/bootstrap/secrets.enc/privacyidea/private.pem.age
index 6f88114..f318143 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/privacyidea/private.pem.age and b/sso-mfa/bootstrap/secrets.enc/privacyidea/private.pem.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/privacyidea/public.pem.age b/sso-mfa/bootstrap/secrets.enc/privacyidea/public.pem.age
index 3a50b0d..39d8373 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/privacyidea/public.pem.age and b/sso-mfa/bootstrap/secrets.enc/privacyidea/public.pem.age differ
diff --git a/sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age
index f6e4118..9bd4bcb 100644
Binary files a/sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age and b/sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age differ