Close OpenBao OIDC admin bootstrap path

tools/security-bootstrap-console/README.md

@@ -23,7 +23,7 @@ Validate non-secret kit metadata:
 
 ```bash
 python3 tools/security-bootstrap-console/security_bootstrap_console.py \
-  --metadata /tmp/security-bootstrap.json \
+  --metadata .local/security-bootstrap.json \
   validate-king-kit
 ```
 
@@ -31,7 +31,7 @@ Approve custody mode from the CLI:
 
 ```bash
 python3 tools/security-bootstrap-console/security_bootstrap_console.py \
-  --metadata /tmp/security-bootstrap.json \
+  --metadata .local/security-bootstrap.json \
   approve-custody-mode \
   --mode temporary-single-king \
   --mfa-enrolled-confirmed \
@@ -69,12 +69,14 @@ from local metadata and plaintext bootstrap-secret presence.
 Serve the local approval UI:
 
 ```bash
-python3 tools/security-bootstrap-console/security_bootstrap_console.py \
-  --metadata /tmp/security-bootstrap.json \
-  web-ui
+make security-bootstrap-ui
 ```
 
-Open `http://127.0.0.1:8765`.
+Open `http://127.0.0.1:8876`.
+
+The Make target stores non-secret progress in `.local/security-bootstrap.json`.
+That directory is intentionally ignored by Git so local setup state survives
+UI/server restarts without being committed.
 
 The web UI is structured as:
 
@@ -85,7 +87,8 @@ The web UI is structured as:
 3. **Integration & Tests** - OIDC and OpenBao preflight checks, with every
    operator command shown as a copyable console block.
 4. **Usecases & Runbooks** - guided routines for key-material compromise,
-   trial-output exposure, and generating replacement unseal keys.
+   trial-output exposure, replacement unseal keys, and OpenBao token
+   revocation.
 5. **Artefacts & Locations** - final non-secret overview of established
    artefacts and where to find their custody references.
 
@@ -106,6 +109,12 @@ mark the trial output as exposed, stop treating the generated unseal shares or
 root token as production material, then either rotate unseal keys after unseal
 or reset the trial environment before any live secrets are migrated.
 
+The **OpenBao token revocation** runbook includes a self-revoke action for the
+token currently stored in the OpenBao pod token helper and an accessor-based
+revocation action for accidentally disclosed tokens. The accessor path prompts
+inside the pod for a root/sudo-capable OpenBao token and avoids placing token
+values on the local command line.
+
 The UI is a guide and approval surface, not the identity provider. Current
 lightweight-mode credential placement is:
 
@@ -147,6 +156,16 @@ key and verify the factor. Admin-assisted token assignment is a fallback only;
 record it as the MFA enrollment source, but never record the seed, QR code, or
 recovery codes in this UI.
 
+If the live privacyIDEA instance has lost the `coulomb` realm, LLDAP resolver,
+or self-service policies, open **Usecases & Runbooks** and copy **Repair
+privacyIDEA realm and self-service**. The action is attended: it prompts for
+the `pi-admin` password and the LLDAP bind/admin password, writes them only to a
+private temporary directory, runs
+`sso-mfa/k8s/privacyidea/repair-realm-live.sh`, removes the temporary files on
+exit, and then runs `sso-mfa/k8s/verify-t06.sh`. The UI does not store either
+password, and TOTP enrollment or re-enrollment remains a human step in
+`https://pink-account.coulomb.social`.
+
 After doing that, return to the control surface, set account reference
 `platform-root@lldap`, check `Account created`, `Admin group assigned`, and
 `Password stored`, then save progress.
@@ -207,10 +226,10 @@ Optional non-secret metadata can be supplied:
 
 ```bash
 python3 tools/security-bootstrap-console/security_bootstrap_console.py metadata-template \
-  > /tmp/security-bootstrap.json
+  > .local/security-bootstrap.json
 
 python3 tools/security-bootstrap-console/security_bootstrap_console.py \
-  --metadata /tmp/security-bootstrap.json \
+  --metadata .local/security-bootstrap.json \
   status
 ```