Add OpenBao admin identity stage

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -303,6 +303,12 @@ prompts for the bootstrap/root token without placing it on the command line
 and reminds the operator to store the emitted token through the approved secret
 path.
 
+**2026-05-26:** Promoted the KeyCape-to-OpenBao admin path into its own stage
+before cleanup and hardening. The control surface now has S4 Admin Identity
+Integration with gates for the dedicated KeyCape OpenBao client, OpenBao
+OIDC/JWT auth configuration, and MFA-backed OpenBao admin login verification;
+cleanup and reopening move to S5/S6.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret
@@ -345,7 +351,7 @@ roles later, but must be revocable without losing root custody.
 
 ```task
 id: NET-WP-0015-T06
-status: todo
+status: in_progress
 priority: medium
 state_hub_task_id: "ef97f3cb-9792-4b9d-bd2b-8871d368a50f"
 ```