Clarify bootstrap custody UI flow

tools/security-bootstrap-console/README.md

@@ -37,8 +37,7 @@ python3 tools/security-bootstrap-console/security_bootstrap_console.py \
   --mfa-enrolled-confirmed \
   --mfa-enrollment-source identity-provider \
   --recovery-confirmed \
-  --custody-packet-prepared \
-  --no-secret-capture-confirmed
+  --custody-packet-prepared
 ```
 
 The command asks for the phrase `approve custody mode` unless `--yes` is passed.
@@ -49,6 +48,21 @@ For TOTP, use the QR code or setup key from the identity provider or other
 authority that will verify the login. This tool records only the non-secret
 enrollment confirmation and source.
 
+Recovery material means the operator can regain control of the platform-root
+credential and encrypted bootstrap bundle without this UI storing any values:
+the platform-root password-safe entry, MFA recovery or re-enrollment path,
+custodian age private-key location, encrypted bootstrap bundle location, and
+notification/setup contact are all known.
+
+The custody packet is separate. It is the offline OpenBao ceremony envelope:
+selected custody strategy, recovery-material references, init checklist,
+unseal-share assignment slots, root-token disposition plan, and signature/date.
+
+Secret capture is an architecture gate, not a user checkbox. The control
+surface must not request or store passwords, OTP seeds, recovery codes, private
+keys, OpenBao root tokens, or unseal shares. The UI reports this automatically
+from local metadata and plaintext bootstrap-secret presence.
+
 Serve the local approval UI:
 
 ```bash