diff --git a/sso-mfa/k8s/keycape/deployment.yaml b/sso-mfa/k8s/keycape/deployment.yaml index a6754a1..e18c5ad 100644 --- a/sso-mfa/k8s/keycape/deployment.yaml +++ b/sso-mfa/k8s/keycape/deployment.yaml @@ -51,8 +51,11 @@ spec: - name: keycape # Image published to self-hosted Gitea OCI registry on CoulombCore (KEY-WP-0002). # k3s insecure registry configured for 92.205.130.254:32166 — no pull secret needed. - image: 92.205.130.254:32166/coulomb/key-cape:latest - imagePullPolicy: Always + # 2026-05-24: direct-imported into railiance01 k3s for the + # bootstrap-console OIDC/MFA rollout. Use IfNotPresent while the + # HTTP registry push/pull path is being cleaned up. + image: 92.205.130.254:32166/coulomb/key-cape:main-56d279a + imagePullPolicy: IfNotPresent ports: - name: http diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md index 05878a4..4e37069 100644 --- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md +++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md 
@@ -176,6 +176,22 @@ control surface now uses that dedicated client. Live verification remains pending until the updated KeyCape image and regenerated `keycape-config` Secret are rolled out. +**2026-05-24:** Rolled the fix to the public Railiance SSO host +(`kc.coulomb.social`, currently resolving to `railiance01`). The live +`keycape-config` Secret was patched without printing or rotating secret values, +the `main-1d68639` KeyCape image was direct-imported into k3s, and the +deployment was set to `IfNotPresent`. Public `/authorize` now accepts +`netkingdom-bootstrap-console` and redirects to +`https://auth.coulomb.social/...`. Follow-up: clean up the Gitea HTTP registry +push/pull path so direct image import is no longer needed. + +**2026-05-24:** Fixed the next live login failure before OTP: Authelia rejected +KeyCape's token exchange because the upstream `keycape` client only permits +`client_secret_basic`, while KeyCape was sending `client_secret_post`. KeyCape +commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the +image `main-56d279a` was direct-imported into Railiance k3s, and the live +deployment runs that tag. + **2026-05-24:** Stepped back from ad hoc secret rollout and added the custodian age-key bootstrap model to the control surface. The UI now records the custodian public age recipient, a derived fingerprint, and a non-secret
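Review bot: in the `deployment.yaml` hunk, `imagePullPolicy: IfNotPresent` combined with a mutable tag (`main-56d279a`) means a node that already holds an image under that tag will run it without consulting the registry, so a re-push to the same tag, or a drift between the direct-imported image and the registry copy, is invisible to the rollout; once the Gitea HTTP push/pull path is cleaned up, pin by digest (`image: 92.205.130.254:32166/coulomb/key-cape@sha256:<digest>`) or at least state in the comment that a `main-<sha>` tag is never reused. The two comment lines kept above the change (`# k3s insecure registry configured for 92.205.130.254:32166 — no pull secret needed.`) still describe the registry pull path that this change deliberately bypasses; update them so the next reader knows the image is currently expected to be present on the node via direct import rather than pulled.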
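Review bot: in the workplan hunk, the unchanged context line immediately above the insert still reads "Live verification remains pending until the updated KeyCape image and regenerated `keycape-config` Secret are rolled out", but the two new `2026-05-24` entries record exactly that rollout, so the earlier sentence should be amended (or marked superseded) in the same commit to avoid contradicting status. Likewise the first new entry names image `main-1d68639` and the second `main-56d279a`; record explicitly that `main-1d68639` is superseded, and since direct import bypasses the registry, note the digest or checksum that was verified for `main-56d279a` so the "live deployment runs that tag" claim is reproducible. The `client_secret_basic` vs `client_secret_post` fix is the right direction; consider adding a one-line pointer to where the Authelia client's permitted token endpoint auth method is configured, so the next mismatch is found in config review rather than at live login.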