diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index 35e43be..f096217 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -43,8 +43,11 @@ first non-root onboarding dry run must prove the lifecycle model. - OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login completed successfully and the resulting token lookup showed the `platform-admin` policy for `platform-root`. -- Declarative/durable audit handling, residual taint closeout, cleanup/rotation, - and the first ordinary-user onboarding dry run are still pending. +- Declarative local OpenBao audit and authenticated audit visibility are + complete; enterprise durable tenant-aware audit retention has been split into + the standalone `audit-core` product. Residual taint closeout, + cleanup/rotation, and the first ordinary-user onboarding dry run are still + pending. ## Tasks @@ -132,7 +135,10 @@ state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88" Resolve the remaining OpenBao production-trust gates: - configure audit declaratively if API-managed audit remains rejected; -- confirm where audit logs are durably shipped beyond the audit PVC; +- record the interim Audit Core interface used before enterprise durable audit + retention is implemented; +- hand off durable tenant-aware audit shipping beyond the audit PVC to + `audit-core`; - retain non-secret restore-drill evidence and repeat the drill if any material changed; - record emergency seal/unseal drill evidence; and 
@@ -189,6 +195,21 @@ then revoked with `bao token revoke -self`. T02 remains open for durable audit shipping beyond the audit PVC, restore-drill evidence, emergency seal/unseal drill evidence, and the next independent escrow holder. +**2026-06-01:** Split enterprise audit retention out of this task and into the +new standalone `/home/worsch/audit-core` repo. `audit-core` now has +`INTENT.md`, a product requirements definition, and a minimal replaceable mock +backend that writes JSONL audit events to +`/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and cleans up files older than seven +days. A smoke event for the OpenBao authenticated readiness proof was written +through the mock interface, and `audit-core` tests pass. This mock backend is +acceptable for bootstrap/development wiring and NetKingdom UI integration, but +it is not durable audit custody and must not be presented as enterprise +retention. NET-WP-0017-T02 now treats the full tenant-aware durable audit +fabric as an `audit-core` follow-up rather than an OpenBao bootstrap subtask. +Remaining T02 gates are restore-drill evidence, emergency seal/unseal drill +evidence, the next independent escrow holder, and an explicit risk note if +ordinary onboarding proceeds before the production Audit Core sink exists. + ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ```task
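Review bot: the first hunk (`@@ -43,8 +43,11 @@`) declares "Declarative local OpenBao audit and authenticated audit visibility are complete", yet the T02 gate list changed in this same patch still opens with `- configure audit declaratively if API-managed audit remains rejected;` as an open gate. One of the two should change: either strike or mark done that T02 gate, or soften the summary bullet to say the declarative audit configuration is applied but its acceptance as the closeout is still pending.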
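Review bot: the second hunk (`@@ -132,7 +135,10 @@`) removes `- confirm where audit logs are durably shipped beyond the audit PVC;` and replaces it with a hand-off to `audit-core`, which leaves T02 with no gate that blocks closeout while the audit PVC holds the only copy of the logs. Suggest keeping an explicit blocking line such as `- block T02 closeout on the production audit-core sink, or record the accepted risk if onboarding proceeds first;` which would also bring this list in line with the "explicit risk note" the 2026-06-01 entry names as a remaining T02 gate but which the gate list never mentions. The new bullet "record the interim Audit Core interface used" should also name the artifact that satisfies it (the interface definition or the `audit-core` commit it points at); as written nobody can verify when it is done.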
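Review bot: the third hunk (`@@ -189,6 +195,21 @@`) has an evidence-retention problem: the mock backend writes the readiness-proof smoke event to `/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and "cleans up files older than seven days", so the mock will delete that smoke event itself, and `/tmp` is also cleared at reboot on many hosts. If the smoke event is meant as proof for this workplan, copy it into the retained non-secret evidence now or state plainly that it is not evidence; the entry already says the mock "is not durable audit custody", so the consequence for this one artifact should be spelled out too. Minor: `/home/worsch/audit-core` is a personal home-directory path that other maintainers cannot resolve; reference the repository by name or canonical URL instead.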