Refine bootstrap actions and runbook templates

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -269,6 +269,15 @@ create/copy/hash an OpenBao Raft snapshot, encrypt it to the custodian age
 recipient, complete an isolated restore proof, rerun post-unseal verification,
 and record only non-secret completion evidence.
 
+**2026-05-25:** Refined the action/runbook model in the control surface:
+Integration & Tests now carries stateful runbook tasks and gates, while
+Usecases & Runbooks contains status-less action cards and neutral runbook
+templates. Added copyable OpenBao inspection actions for `bao audit list`,
+`bao secrets list`, and `bao auth list` with local hidden token prompts,
+removed duplicate OpenBao status/unseal cards from the stateful Integration
+command list, and restored Artefacts & Locations above Usecases & Runbooks in
+the workflow.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret