diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index 5f7b458..a2b9e73 100644 --- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md @@ -163,7 +163,10 @@ state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af" note: Done 2026-03-25 on RAILIANCE01. privacyIDEA pod Running, TLS certs issued, enckey + audit keys bootstrapped (privacyidea-enckey + privacyidea-auditkeys Secrets created), pi-admin + trigger-admin created, trigger-admin-rights policy created via REST API. - REMAINING: enroll TOTP MFA for pi-admin via https://pink.coulomb.social WebUI. + DEFERRED: pi-admin TOTP enrollment requires an admin realm (SQLresolver pointing to PI's + internal admin table) — pi-manage has no enroll command, WebUI token enrollment only works + for resolver-backed users. Admin MFA is production hardening; pi-admin auth works + password-only for now. Track as T09 hardening item. ``` Run credential bootstrap (injects privacyIDEA secrets + creates pi-admin/trigger-admin): @@ -269,6 +272,10 @@ note: Completed 2026-03-25. All 3 test packages pass (migration, negative, profi Tests run with: cd src && ~/go/bin/go test ./tests/... -v Results: ok keycape/tests/migration, ok keycape/tests/negative, ok keycape/tests/profile Note: tests use httptest.Server + mocks — no live cluster connection required. + Test user provisioned: testuser / test.user@coulomb.social + TOTP serial TOTP00007147, seed KVQLHEJCTKCI3K7G2UIF54QUE5BNLBAQ + Validated: auth PASS via privacyIDEA /validate/check. + pi-admin TOTP deferred to T09 hardening. ``` Prove the full auth flow works:
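Review bot: In the first hunk (the T-note at line 163 of the workplan), the change from `REMAINING: enroll TOTP MFA for pi-admin` to `DEFERRED` leaves a privileged administrator account running `password-only for now` on a deployment the same note calls production hardening, and "Track as T09 hardening item" is the only follow-up. Please record the compensating controls that apply in the meantime (where the pi-admin password lives, whether its use is restricted to the bootstrap path while `trigger-admin` does the day-to-day work, and whether the WebUI at https://pink.coulomb.social is reachable only from trusted networks), and reference the concrete T09 task by its `state_hub_task_id` rather than a bare "T09" so the deferral cannot silently drop off the plan. It would also help to note why the REST API, which the same note says was used to create the `trigger-admin-rights` policy, was not used for the admin enrollment, so the next person does not re-investigate the same dead end.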
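Review bot: In the second hunk (the T-note at line 269), the line `TOTP serial TOTP00007147, seed KVQLHEJCTKCI3K7G2UIF54QUE5BNLBAQ` commits a live TOTP seed to the repository. The seed is the shared secret of the token: anyone who can read this workplan, or the git history after a later removal, can compute valid one-time codes for `test.user@coulomb.social`, so the "auth PASS via privacyIDEA /validate/check" result is no longer evidence of anything beyond possession of this file. Keep only the serial (`TOTP00007147`) and the validation result in the note, drop the seed from the commit, and since it has already been written to history, re-enroll the testuser token with a fresh seed and treat the old one as revoked rather than relying on a history rewrite alone.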