From 9a8ec0d9a5eac40fe2e11715e0400e22ebcfb577 Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 1 Jun 2026 21:55:30 +0200 Subject: [PATCH] Finish NET-WP-0015 bootstrap handoff --- ...-custody-and-openbao-identity-bootstrap.md | 34 +++++++++++++++++-- ...tstrap-automation-and-rebuild-readiness.md | 12 +++++-- 2 files changed, 41 insertions(+), 5 deletions(-) diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md index ef4ec2f..3543d5a 100644 --- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md +++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md @@ -4,7 +4,7 @@ type: workplan title: "King Credential And OpenBao Identity Bootstrap" domain: netkingdom repo: net-kingdom -status: active +status: finished owner: codex topic_slug: netkingdom created: "2026-05-24" @@ -447,7 +447,7 @@ disclosed tokens, both keeping OpenBao token values off the local command line. ```task id: NET-WP-0015-T07 -status: in_progress +status: done priority: medium state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539" ``` 
@@ -461,11 +461,19 @@ verification, and restore-drill confirmation are recorded. This task remains open for declarative audit configuration/durable audit shipping, residual taint-response closeout, and the next independent escrow holder. +**2026-06-01:** Closed for the bootstrap handoff scope. The bootstrap plan has +confirmed the available recovery/audit/rotation evidence and, more +importantly, now has explicit production-readiness follow-up gates: +`NET-WP-0017-T02` owns declarative/durable audit, restore evidence, +emergency seal/unseal drill evidence, and the next independent escrow holder; +`NET-WP-0017-T03` owns residual taint closeout. These items are no longer +tracked as unfinished bootstrap ceremony work. + ### T08 - Reset, Rotate, And Reopen Under King Oversight ```task id: NET-WP-0015-T08 -status: todo +status: done priority: high state_hub_task_id: "e6a60dca-547b-4493-a36c-f6b668d1bf52" ``` 
@@ -475,6 +483,26 @@ database credentials, admin passwords, service tokens, OpenBao tokens, and temporary access paths. Run host/workload checks and reopen the platform only after the new custody state is verified. +**2026-06-01:** Closed as a bootstrap-plan handoff rather than as a claim that +all production cleanup is complete. `NET-WP-0017-T03` owns retirement of +bootstrap admin paths and residual taint response, `NET-WP-0017-T04` owns +bootstrap-era credential rotation/reset plus host/workload checks, and +`NET-WP-0017-T07` owns final review and retirement/archive of superseded +bootstrap workplans. `NET-WP-0018` will turn those gates into a smoother +bootstrap guide, control-surface automation, validations, and rebuild-risk +assessment. + +## Closeout + +**2026-06-01:** `NET-WP-0015` is finished. The first safe bridge is in place: +the dedicated `platform-root` identity exists outside day-to-day operator use, +custody mode is recorded, OpenBao was initialized and configured under the +bootstrap ceremony, the initial root token is not the normal admin path, and +routine OpenBao administration now works through NetKingdom/KeyCape OIDC with +MFA and the `platform-admin` policy. Remaining production-readiness work is +explicitly tracked in `NET-WP-0017`; rebuild automation and validation +improvements are tracked in `NET-WP-0018`. + ## Acceptance Criteria - The setup operator and king credential model are recorded without secret diff --git a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md index c38a7a4..6e03170 100644 --- a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md +++ b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md @@ -4,7 +4,7 @@ type: workplan title: "Bootstrap Automation And Rebuild Readiness" domain: netkingdom repo: net-kingdom -status: ready +status: active owner: codex topic_slug: netkingdom created: "2026-06-01" 
@@ -69,7 +69,7 @@ say which interactions remain genuinely unavoidable. ```task id: NET-WP-0018-T01 -status: todo +status: done priority: high state_hub_task_id: "7ff22629-838b-41df-9feb-bb36c5d57cc1" ``` @@ -83,6 +83,14 @@ Done when `NET-WP-0015` is either finished and ready to archive, or its remaining tasks have precise owners, target workplans, and non-duplicative acceptance criteria. +**2026-06-01:** Completed. `NET-WP-0015` was scope-closed as finished after +the OpenBao admin bridge was proven through KeyCape/MFA. Its remaining +production-readiness concerns were reconciled into `NET-WP-0017`: T02 owns +audit, restore, emergency drill evidence, and escrow; T03/T04 own bootstrap +path retirement and credential reset/rotation; T07 owns final archive review. +`NET-WP-0018` now continues with architecture documentation, retrospective, +guide, UI automation, validations, and rebuild-risk assessment. + ### T02 - Document The Runtime Architecture ```task
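Review bot: in the `@@ -461,11 +461,19 @@` hunk of `NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md`, the unchanged context sentence "This task remains open for declarative audit configuration/durable audit shipping, residual taint-response closeout, and the next independent escrow holder." is left standing directly above a task that the same patch flips to `status: done`, so a reader of T07 sees an open-items list under a closed task. Reword it to past tense or mark it superseded, e.g. "This task was previously held open for ...; see the 2026-06-01 note for where each item now lives.", so the only current statement of ownership is the new one pointing at `NET-WP-0017-T02` and `NET-WP-0017-T03`.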
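Review bot: in the `@@ -475,6 +483,26 @@` hunk of `NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md`, T08 goes from `todo` to `done` while the added note says it is "Closed as a bootstrap-plan handoff rather than as a claim that all production cleanup is complete", and the task body above it is the credential reset/rotation and reopen-under-oversight step. A bare `status: done` on a rotation task is exactly the signal an auditor or a state-hub consumer (`state_hub_task_id` is present) will read as "rotation happened", so if the task schema allows a handoff-style status, use it here; if it does not, keep `done` but make the first line of the task note say the rotation itself is tracked in `NET-WP-0017-T04`, not buried mid-paragraph. Two smaller points in the same hunk: the new `## Closeout` states "the initial root token is not the normal admin path" but not whether that token has been revoked or which `NET-WP-0017` task owns revoking it, which is worth one explicit clause; and the `## Acceptance Criteria` section that follows is unchanged in this patch, so either confirm each criterion is still met under the narrowed scope or note which ones were carried into `NET-WP-0017`.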
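Review bot: in the `@@ -83,6 +83,14 @@` hunk of `NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md`, the completion note should say which branch of the "Done when" criterion it satisfied: the criterion is "either finished and ready to archive, or its remaining tasks have precise owners, target workplans, and non-duplicative acceptance criteria", and the note claims `NET-WP-0015` is finished but also that its remaining concerns were moved into `NET-WP-0017` and that archive review is still pending under T07, which is a mix of both. One sentence such as "Satisfied via the second branch; archive is gated on `NET-WP-0017-T07`." removes the ambiguity. Style point in the same lines: "T02 owns audit ...; T03/T04 own ...; T07 owns ..." uses bare task numbers, whereas the `NET-WP-0015` file in this same patch writes them fully qualified (`NET-WP-0017-T02`); use the qualified form here too so the references are unambiguous and greppable.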