diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index 0c17d60..35e43be 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -177,6 +177,18 @@ the local shell. It is ready to run with the MFA-backed audit PVC is not a durable sink and non-secret evidence hashes or State Hub notes are not substitutes for retained audit log custody. +**2026-06-01:** Completed the authenticated OpenBao proof through the +MFA-backed KeyCape path without printing token material. A fresh +`bao login -no-print -method=oidc -path=keycape role=platform-admin` browser +flow cached the pod token helper, then `make openbao-verify-authenticated +OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper` passed. Evidence: OpenBao is +unsealed on `2.5.4`, `file/` audit is visible, `platform/` secrets are visible, +`kubernetes/` and `keycape/` auth methods are visible, and the audit log grew +from 7969 bytes to 23330 bytes during the check. The cached verifier token was +then revoked with `bao token revoke -self`. T02 remains open for durable audit +shipping beyond the audit PVC, restore-drill evidence, emergency seal/unseal +drill evidence, and the next independent escrow holder. + ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ```task
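Review bot: the 2026-06-01 entry runs the verification under `role=platform-admin` even though every check it lists is read-only (unseal status on `2.5.4`, `file/` audit visible, `platform/` secrets visible, `kubernetes/` and `keycape/` auth methods visible); record whether a lower-privileged verifier role exists or why the admin role was required, so that routine `make openbao-verify-authenticated` runs do not become a standing reason for admin logins. The `-no-print` login and the closing `bao token revoke -self` are the right shape for this flow. Separately, the "audit log grew from 7969 bytes to 23330 bytes" line measures growth on the audit PVC that the unchanged context immediately above describes as "not a durable sink"; state that this figure is a point-in-time observation and not retained evidence, and cite where the verifier output itself was captured, so the entry stays consistent with the open T02 item on durable audit shipping.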