diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
index 5050e42..b0baaa0 100644
--- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
+++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
@@ -214,9 +214,17 @@ Verify: `bash sso-mfa/k8s/verify-t05.sh` (covers LLDAP + Authelia together)
 
 ```task
 id: NK-WP-0003-T07
-status: todo
+status: blocked
 priority: high
 state_hub_task_id: "496a97c9-3e2a-486e-ba62-18449868c6cf"
+note: Blocked 2026-03-21 — keycape:v0.1 image cannot be built on the k3s node (no Docker/Go).
+      Deployment applied; pod stuck in ImagePullBackOff.
+      Secrets keycape-config + keycape-pi-token already in cluster (both correct, real PI token).
+      Capability request filed: hub ID 0e0aefd7 (routed to railiance, direct msg sent to key-cape).
+      key-cape repo must deliver:
+        1. .github/workflows/publish.yml — build+push to ghcr.io/<owner>/keycape:v0.1 on main
+        2. Update net-kingdom/sso-mfa/k8s/keycape/deployment.yaml image: to GHCR reference
+      Once image is published: kubectl rollout restart deployment/keycape -n sso
 ```
 
 Deploy KeyCape into the `sso` namespace.