bootstrapping guidance ui and missing stuff

2026-05-24 17:04:15 +02:00
parent 1d0b0e7330
commit d555a33695
10 changed files with 913 additions and 36 deletions


@@ -53,12 +53,18 @@ The UI may record:
| Field | Example |
| --- | --- |
| Credential label | `platform-root` |
| Identity account home | `lldap` |
| Identity account reference | `platform-root@lldap` |
| Identity account created | `true` only after the dedicated account exists |
| Identity group reference | `net-kingdom-admins` |
| Identity group confirmed | `true` only after the account is assigned to the group |
| Custody posture | `temporary-single-king` or `two-of-three-planned` |
| Notification contact | `bernd.worsch@gmail.com` |
| Setup operator | `tegwick` |
| Created date | `2026-05-24` |
| Review date | date for next custody review |
| Storage class | `password-safe`, `offline-paper`, `hardware-token`, or similar |
| Password safe confirmed | `true` only after the credential is stored outside this UI |
| MFA class | `totp`, `webauthn`, `hardware-token`, or similar |
| MFA enrolled confirmed | `true` only after the factor is enrolled with its verifier |
| MFA enrollment source | non-secret source label such as `identity-provider` or `hardware-registration` |
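Review bot: the `Notification contact` and `Setup operator` rows carry what look like a real personal mailbox and a real username; a reference table like this gets copied verbatim into live records, so use obvious placeholders such as `ops-contact@example.com` and `operator-name` instead. Minor: `Review date` is the only date row without a concrete example, so give it the same ISO form as `Created date` (for instance `2026-08-24`) so operators do not enter free text there.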
@@ -86,6 +92,16 @@ Suggested label: `platform-root`.
The UI should explain that this is not a normal user and not a day-to-day admin
account. It is rare root custody.
### 1a. Create The Identity Account
In the current lightweight stack, create the dedicated account in LLDAP and
record only a non-secret reference such as `platform-root@lldap`. The password
belongs in the operator password safe or offline custody packet, not in the
bootstrap metadata.
For the first lightweight path, assign the account to `net-kingdom-admins`.
This is a non-secret membership fact and may be recorded as confirmed.
### 2. Choose Storage
Allowed first-version choices:
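Review bot: "may be recorded as confirmed" in the `net-kingdom-admins` paragraph does not say who sets that flag or on what evidence, while the table above requires `Identity group confirmed` to be `true` only after the assignment actually exists. State explicitly that the flag is an operator attestation (or, better, that the UI checks the group membership in LLDAP before setting it) and that it must never default to `true`; the same applies to `Identity account created`, since this section also only asks the operator to "record a non-secret reference".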
@@ -116,6 +132,14 @@ must not generate an orphan OTP seed because it would not authenticate
anything. The console records only that enrollment completed and where,
without storing the seed, QR code, recovery codes, or screenshots.
In the current NetKingdom lightweight stack, `pi-admin` is the privacyIDEA
administrator for checking the LLDAP resolver, realm, and self-enrollment
policy. It is not the king credential. The preferred flow is to log in to the
privacyIDEA self-service portal as `platform-root` and enroll the token there.
If the self-service flow is not working yet, `pi-admin` may assign a token as
an admin-assisted fallback, but the seed and recovery values still remain out
of the bootstrap metadata.
### 4. Prepare Recovery
The operator confirms that recovery codes or equivalent recovery material exist
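Review bot: the admin-assisted fallback is indistinguishable from the self-service path in the recorded metadata; since the table lists enrollment source labels such as `identity-provider` and `hardware-registration`, add a distinct label for the `pi-admin` assigned case so a later custody review can see that a second party was involved in enrolling the king token. The paragraph should also say whether that path exposes the seed or QR to `pi-admin`, and if it does, that `platform-root` should re-enroll through the self-service portal once it works and retire the admin-assigned token. Either way, require a successful test authentication as `platform-root` before `MFA enrolled confirmed` is set, rather than treating completion of the assignment as confirmation.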
@@ -155,7 +179,10 @@ The software must not fill secret fields.
The king credential kit is complete when:
- the credential label exists;
- the dedicated identity account exists;
- the required admin group assignment is confirmed;
- storage choice is recorded;
- the password is confirmed stored outside this UI;
- second factor is enrolled with its real verifier and confirmed;
- recovery material is confirmed;
- custody mode is selected;
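Review bot: the completeness checklist uses wording that only loosely maps to the table fields ("the dedicated identity account exists", "the required admin group assignment is confirmed"), which invites drift between what the operator reads and what the software evaluates. Name the field each bullet corresponds to, e.g. "`Identity account created` is `true`" and "`Identity group confirmed` is `true`", so the kit-complete rule can be checked mechanically against the recorded metadata and stays consistent with the "software must not fill secret fields" context line above.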