Show compromised OpenBao paths as tainted

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -248,6 +248,11 @@ state, separates "init output produced" from "initialized and unsealed", and
 adds guided command cards for unseal and OpenBao `rotate-keys` replacement
 share generation.
 
+**2026-05-25:** Changed compromised/trial-exposed OpenBao material from a hard
+block into an explicit taint model. Affected artefacts and downstream command
+cards are shown with a light red background and retain the source reference, but
+the operator can still proceed deliberately on a tainted workpath.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret