Record Railiance KeyCape rollout

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -176,6 +176,22 @@ control surface now uses that dedicated client. Live verification remains
 pending until the updated KeyCape image and regenerated `keycape-config` Secret
 are rolled out.
 
+**2026-05-24:** Rolled the fix to the public Railiance SSO host
+(`kc.coulomb.social`, currently resolving to `railiance01`). The live
+`keycape-config` Secret was patched without printing or rotating secret values,
+the `main-1d68639` KeyCape image was direct-imported into k3s, and the
+deployment was set to `IfNotPresent`. Public `/authorize` now accepts
+`netkingdom-bootstrap-console` and redirects to
+`https://auth.coulomb.social/...`. Follow-up: clean up the Gitea HTTP registry
+push/pull path so direct image import is no longer needed.
+
+**2026-05-24:** Fixed the next live login failure before OTP: Authelia rejected
+KeyCape's token exchange because the upstream `keycape` client only permits
+`client_secret_basic`, while KeyCape was sending `client_secret_post`. KeyCape
+commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the
+image `main-56d279a` was direct-imported into Railiance k3s, and the live
+deployment runs that tag.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret