From dafcd329b21ea629552c6de8aa6f465062eb5a26 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Fri, 29 May 2026 02:22:52 +0200
Subject: [PATCH] Fix OpenBao public route action state
---
 .../security_bootstrap_console.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index ddff9ff..ce44866 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -577,7 +577,9 @@ def next_action(
 return "Run OpenBao OIDC auth setup"
 if gate.name == "OIDC admin login":
 if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
- return "Check KeyCape public route"
+ if not yes(data, "openbao_oidc_client_registered"):
+ return "Check KeyCape public route"
+ return "Verify OpenBao OIDC admin login"
 return "Verify OpenBao OIDC admin login"
 return gate.name
 if gate.status == "blocked":
@@ -597,7 +599,9 @@ def next_action(
 return "Run OpenBao OIDC auth setup"
 if gate.name == "OIDC admin login":
 if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
- return "Check KeyCape public route"
+ if not yes(data, "openbao_oidc_client_registered"):
+ return "Check KeyCape public route"
+ return "Verify OpenBao OIDC admin login"
 return "Verify OpenBao OIDC admin login"
 if gate.name == "Root-token disposition":
 return "Record root-token disposition"
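Review bot: In the new branch under `if gate.name == "OIDC admin login":` the added `return "Verify OpenBao OIDC admin login"` is identical to the fall-through `return` on the very next context line, so the inner `if`/`return` pair can be flattened into the outer condition: `if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified") and not yes(data, "openbao_oidc_client_registered"):` followed by `return "Check KeyCape public route"`. The same block, with the same redundancy, appears a second time in the hunk at -597 (the blocked-status branch), which is why this fix had to be applied twice; extracting a small `_oidc_admin_login_action(data)` helper called from both places would keep the two status branches from drifting apart on a later change. Because this string is the operator's next step in a security bootstrap, a one-line comment stating what the `openbao_oidc_client_registered` flag evidences (presumably a client-registration check rather than a completed login — confirm against where the flag is written) would help a reader tell the two "Verify" outcomes apart. next_action begins before and ends after both hunks.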
@@ -1377,12 +1381,12 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
 "NETKINGDOM_KEYCAPE_APPLY\n"
 )
 configure_command = f"bash {shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent / 'configure-openbao-oidc.sh'))}"
- public_route_state = "done" if login_verified else "todo" if auth_configured else "blocked"
- public_route_reason = "The public KeyCape route has been proven by a completed OIDC-backed OpenBao login."
+ public_route_state = "done" if client_deployed else "todo" if source_ready else "blocked"
+ public_route_reason = "The live KeyCape verifier has proven the public route, discovery endpoint, and openbao-admin client."
 if public_route_state == "todo":
 public_route_reason = "Operator action: confirm public DNS routes kc.coulomb.social to the patched KeyCape ingress and that /authorize recognizes openbao-admin."
 if public_route_state == "blocked":
- public_route_reason = "Configure OpenBao OIDC auth before probing the public login route."
+ public_route_reason = "Ship the code-defined KeyCape OpenBao client before probing the public login route."
 public_route_command = (
 "bash <<'NETKINGDOM_KEYCAPE_PUBLIC_ROUTE'\n"
 "set -euo pipefail\n"
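Review bot: `public_route_state` now reads `"done"` from `client_deployed`, but the reason assigned on the next added line claims the live verifier has proven the public route, discovery endpoint and openbao-admin client, and the removed condition required `login_verified`; unless `client_deployed` is itself populated from that verifier result (its assignment is outside the hunk), the gate reports the route as proven on weaker evidence than its explanation states. Either tie the condition to the verifier fact the text describes or soften the text, and record the intent inline, e.g. `# "done" rests on the client deployment check, not on a completed login; the login itself is gated separately  # TODO confirm client_deployed is set from the live verifier`. Naming also drifts between this hunk's `client_deployed`/`source_ready` and the `openbao_oidc_client_registered` key consulted in next_action; if they describe the same fact, a shared name would make the state machine easier to audit. admin_identity_command_payloads starts before and ends after the hunk.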