Split OpenBao admin identity tasks

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -315,6 +315,12 @@ initial-root-token taint clears after the exposed OpenBao root token is
 revoked. Downstream work remains visibly tainted until derived access paths
 are reviewed and the compromise response is explicitly recorded complete.
 
+**2026-05-26:** Split Admin Identity Integration into development-owned
+configuration and operator-owned integration work. The `openbao-admin` KeyCape
+client is now code-defined in `sso-mfa/k8s/keycape/create-secrets.sh`, while
+the UI action cards only ask the operator to apply live KeyCape config,
+configure OpenBao with a protected token prompt, and verify MFA-backed login.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret