diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index 8e330cc..1f9e16d 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -8,7 +8,7 @@ status: active owner: codex topic_slug: netkingdom created: "2026-05-26" -updated: "2026-05-26" +updated: "2026-05-29" depends_on: - NET-WP-0015 - NET-WP-0016 @@ -38,9 +38,10 @@ first non-root onboarding dry run must prove the lifecycle model. exist. - The initial OpenBao root token is recorded as revoked. - Trial unseal shares were rotated. -- The KeyCape `openbao-admin` client is live and verified. -- OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still - pending. +- The KeyCape `openbao-admin` client is live and verified, including the public + `https://kc.coulomb.social` route and certificate. +- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is + still pending. - Declarative/durable audit handling, residual taint closeout, cleanup/rotation, and the first ordinary-user onboarding dry run are still pending. @@ -66,6 +67,13 @@ The verification must prove the resulting OpenBao token has the intended `platform-admin` policy without relying on the initial root token or a manually minted temporary operator token. +**2026-05-29:** DNS and ACME issuance for `kc.coulomb.social` are healthy: +cert-manager issued `kc-tls`, and `sso-mfa/k8s/keycape/verify-openbao-client.sh` +passes against the live KeyCape route. `configure-openbao-oidc.sh` has applied +the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The +remaining T01 gate is the human browser login with MFA and a token lookup that +shows the expected OpenBao `platform-admin` policy. + ### T02 - Close OpenBao Audit And Recovery Production Gates ```task
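Review bot: In the status-list hunk (`@@ -38,9 +38,10 @@`), the new bullet "OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is still pending" records the configuration as done without saying it has been verified, while T01's own acceptance text a few lines later still requires proof that the resulting token carries the `platform-admin` policy. Suggest wording it as "applied, not yet verified" (or similar) so a reader skimming the status list cannot mistake an applied auth method for a closed gate, and consider naming the applying script here the way the public route bullet names `https://kc.coulomb.social`, so each status claim points at the artifact that backs it.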
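Review bot: The new `**2026-05-29:**` log entry (`@@ -66,6 +67,13 @@`) does not say which credential `configure-openbao-oidc.sh` ran with when it applied `auth/keycape` and the `platform-admin` role, yet the paragraph immediately above it requires that verification not rely on "the initial root token or a manually minted temporary operator token". Suggest one sentence recording the identity used for that apply step and whether it was itself an ordinary operator token, so the lifecycle model the dry run must prove is not undercut by the configuration step. Minor: `sso-mfa/k8s/keycape/verify-openbao-client.sh` is given as a full path while `configure-openbao-oidc.sh` is bare; use the same form for both so the entry can be followed without guessing where the second script lives.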