diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
index 06fb2cb..8eb78b1 100644
--- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
+++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
@@ -128,49 +128,30 @@ healthy. Migration jobs will fail on a partially-started cluster.
 
 ```task
 id: NK-WP-0003-T04
-status: todo
+status: done
 priority: high
 state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af"
+note: Completed 2026-03-21 via make creds-agent-init (NK-WP-0005).
+      Pod Running (ghcr.io/gpappsoft/privacyidea-docker:3.12.2, port 8080).
+      enckey + audit keys extracted to K8s Secrets privacyidea-enckey/auditkeys.
+      pi-admin and trigger-admin created. keycape-pi-token Secret in sso namespace.
+      Remaining: TLS cert for pink.coulomb.social (ACME solver pods visible — T02 cert-manager needed).
+      trigger-admin policy must be set manually via WebUI once pink.coulomb.social resolves.
 ```
 
-Deploy privacyIDEA into the `mfa` namespace.
+Completed via `make creds-agent-init`. All Steps 1–4 were automated by the agent bootstrap.
 
-> **Image fix applied (2026-03-20):** `privacyidea/privacyidea:3.12` does not exist.
-> Corrected to `privacyidea/otpserver:3.12.2` on port 5001.
-> Updated: `deployment.yaml`, `ingress.yaml`, `netpol-mfa.yaml`, `netpol-sso.yaml`.
+**Image fixes applied (2026-03-21):**
+- `privacyidea/otpserver:3.12.2` → `ghcr.io/gpappsoft/privacyidea-docker:3.12.2` (port 8080)
+- `PRIVACYIDEA_CONFIGFILE`, `PI_ADDRESS`, `PI_PORT` env vars added
+- Readiness probe changed to `tcpSocket` (`/token/` returns 401 for unauthenticated GET)
 
-**Step 1 — Create K8s secrets from KeePassXC:**
-```bash
-cd sso-mfa/k8s/privacyidea
-bash create-secrets.sh   # reads from env vars; source from KeePassXC
-```
-
-**Step 2 — Apply manifests:**
-```bash
-kubectl apply -f pvc.yaml
-kubectl apply -f configmap.yaml
-kubectl apply -f middleware.yaml
-kubectl apply -f deployment.yaml
-kubectl apply -f ingress.yaml
-```
-
-**Step 3 — Bootstrap key material (time-sensitive):**
-Run immediately once the pod reaches `Running` state. This window must not
-be missed — if the pod is deleted before this runs, the enckey is lost.
-```bash
-bash enckey-bootstrap.sh   # extracts PI_ENCFILE + audit keys → K8s Secrets + KeePassXC
-```
-
-**Step 4 — Create admin accounts:**
-```bash
-bash bootstrap-admin.sh    # creates pi-admin + trigger-admin, sets policies
-# store trigger-admin token in KeePassXC net-kingdom/privacyidea/trigger-admin
-```
-
-Verify: `bash sso-mfa/k8s/verify-t04.sh`
-
-Expected: pod Running, TLS cert issued for `pink.coulomb.social`, admin
-accounts exist, enckey backed up.
+**Remaining manual step:**
+Once `pink.coulomb.social` resolves to the cluster IP and TLS cert is issued:
+1. Log in to https://pink.coulomb.social as `pi-admin`
+2. Enroll MFA for `pi-admin` (TOTP)
+3. Verify/create trigger-admin policy: Policies → trigger-admin-rights
+   (Scope: admin, Action: triggerchallenge, AdminUser: trigger-admin)
 
 ### T05 — Deploy LLDAP