Refine OpenBao taint resolution

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -309,6 +309,12 @@ Integration with gates for the dedicated KeyCape OpenBao client, OpenBao
 OIDC/JWT auth configuration, and MFA-backed OpenBao admin login verification;
 cleanup and reopening move to S5/S6.
 
+**2026-05-26:** Refined the OpenBao trial-exposure taint model so direct
+unseal-share taint clears after confirmed unseal-key rotation, and direct
+initial-root-token taint clears after the exposed OpenBao root token is
+revoked. Downstream work remains visibly tainted until derived access paths
+are reviewed and the compromise response is explicitly recorded complete.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret