bootstrapping guidance ui and missing stuff

tools/security-bootstrap-console/README.md

@@ -59,6 +59,74 @@ python3 tools/security-bootstrap-console/security_bootstrap_console.py \
 
 Open `http://127.0.0.1:8765`.
 
+The UI is a guide and approval surface, not the identity provider. Current
+lightweight-mode credential placement is:
+
+- bootstrap bundle encryption: custodian age public key;
+- user record: LLDAP (`https://lldap.coulomb.social`);
+- MFA enrollment and QR/setup key: privacyIDEA self-service
+  (`https://pink-account.coulomb.social`);
+- privacyIDEA setup/admin repair: `pi-admin` at
+  `https://pink.coulomb.social`;
+- OIDC/IAM Profile token issuer: KeyCape (`https://kc.coulomb.social`);
+- secret custody and OpenBao admin policies: OpenBao, after the attended
+  ceremony.
+
+The UI opens the external authority in a new browser tab and records only
+non-secret progress. It does not embed or prefill secret-bearing forms unless a
+future audited integration is built for that authority.
+
+The custodian age public key is safe to store here and is used as the recipient
+for encrypted bootstrap bundles. The private age key is not stored here. Record
+only a non-secret private-key custody reference, such as a password-safe entry
+label or offline packet label. See
+`docs/security-bootstrap-age-custody.md` for the trust model.
+
+LLDAP has no public registration flow. The first user path is:
+
+1. Log in to `https://lldap.coulomb.social` as `admin`.
+2. Retrieve `LLDAP_LDAP_USER_PASS` from the password safe entry
+   `net-kingdom/LLDAP/admin`.
+3. Create the dedicated `platform-root` or `king` account.
+4. Add it to `net-kingdom-admins` for the current lightweight path.
+5. Store the new account password only in the password safe/offline custody
+   packet, not in this metadata file.
+
+For OTP enrollment, do not create a separate shadow identity in privacyIDEA if
+the LLDAP resolver is working. Use `pi-admin` to verify or repair the
+privacyIDEA realm, resolver, and self-enrollment policy. Then use
+`platform-root` in the self-service portal to generate the QR code or setup
+key and verify the factor. Admin-assisted token assignment is a fallback only;
+record it as the MFA enrollment source, but never record the seed, QR code, or
+recovery codes in this UI.
+
+After doing that, return to the control surface, set account reference
+`platform-root@lldap`, check `Account created`, `Admin group assigned`, and
+`Password stored`, then save progress.
+
+KeyCape does not have a dashboard at its root URL; `https://kc.coulomb.social`
+returning `404` is expected. Use
+`https://kc.coulomb.social/.well-known/openid-configuration` for issuer
+discovery or a registered OIDC client to test real login. The bootstrap UI acts
+as the local `netkingdom-bootstrap-console` callback at
+`http://127.0.0.1:8876/oidc/callback`.
+Treat that as a login-path check only: it should force LLDAP password auth and
+privacyIDEA MFA, then return to the local callback page. The callback exchanges
+the code and shows non-secret claims only; it does not store tokens, OTP values,
+or passwords. Mark `OIDC login verified` only for the same identity recorded in
+the credential section.
+
+If the login-check flow redirects to
+`https://kc.coulomb.social/api/oidc/authorization...` and lands on a 404, the
+KeyCape service is reachable but its browser-facing Authelia redirect config is
+not yet rolled out. Regenerate `keycape-config` with
+`sso-mfa/k8s/keycape/create-secrets.sh` and restart the KeyCape deployment
+after confirming `authelia.browserBaseURL` is `https://auth.coulomb.social`.
+
+After Authelia password login, KeyCape should show a compact OTP challenge if
+privacyIDEA reports that MFA is required. Only then should it issue the final
+OIDC authorization code back to the local callback.
+
 Print a blank offline custody packet template:
 
 ```bash