feat: OpenBao unseal custody models — automation-first with blocked alternatives

Document three init/unseal custody paths; default sops-held-automation for
fast rebuild cycles. Security bootstrap console lists models, blocks planned
attended-ceremony and auto-unseal-transit with hints, and gates init ceremony
on implemented selection. NET-WP-0020 tracks downstream SSH automation.
2026-06-18 00:51:48 +02:00
parent da9debf431
commit f625dd0681
6 changed files with 460 additions and 12 deletions


@@ -94,7 +94,9 @@ See T03 retrospective for past realm drift bumps (now partially automated via ru
- Deploy client config (sso-mfa/k8s/keycape/create-secrets.sh).
- Apply keycape-config Secret, restart KeyCape.
- Register bootstrap clients (netkingdom-bootstrap-console, openbao-admin).
- Redirects: localhost:8250/oidc/callback etc.
- OpenBao admin redirects: localhost CLI callbacks plus
`https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback` for
preferred browser UI login; `keycape` remains a compatibility auth mount.
- Verify OIDC admin login: platform-root obtains OpenBao platform-admin via KeyCape/MFA.
- Evidence: keycape client gates, openbao_oidc_* , oidc_login_verified.
- Validate related in t02 / console.
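Review bot: the redirect allowlist in the `Redirects: localhost:8250/oidc/callback etc.` line is left open-ended; the OpenBao line just below enumerates its callbacks exactly, so do the same for the bootstrap console client (every permitted URI spelled out, no `etc.`), since the registered redirect URI list is what bounds where the OIDC provider will send an authorization code. The `keycape` compatibility auth mount is kept with no retirement condition; add a sentence stating when it is disabled once login through the `netkingdom` mount is verified, so the legacy login path does not stay enabled by default.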
@@ -105,9 +107,28 @@ See T03 for past callback/registration bumps (now gated).
## Step 5: OpenBao Init / Unseal / Config + OIDC Admin Binding
**Attended only (console refuses live init):**
**Unseal custody model (select first):** see `docs/openbao-unseal-custody-models.md`.
| Model | When | Console |
| --- | --- | --- |
| `sops-held-automation` | **Default** — fast rebuild test cycles | Selectable; gate `automation` |
| `attended-ceremony` | Production trust | Blocked until implemented |
| `auto-unseal-transit` | Production HA | Blocked until implemented |
```bash
make security-bootstrap-openbao-unseal-custody-models
make security-bootstrap-select-openbao-unseal-custody-model MODEL=sops-held-automation
```
Development strategy: prove automation path first (SSH engine, warden, host CA),
then add attended and auto-unseal gates for production profiles.
**Console refuses live init in all models** — automation runs via `creds-bootstrap-agent.sh`
(sops-held) or future attended/auto-unseal playbooks.
- Preflight: `make security-bootstrap-openbao-preflight --run` or console.
- Init ceremony (human-attended): produce init output, unseal shares, root token.
- Init/unseal: **sops-held-automation**`sso-mfa/bootstrap/creds-bootstrap-agent.sh`;
**attended-ceremony** → human ceremony (planned automation hooks).
- Post-unseal: apply initial config (auth, mounts, policies, audit).
- OIDC auth config against KeyCape (maps claims/groups to policies e.g. net-kingdom-admins → platform-admin).
- Key material handling: trial exposure taint, rotate unseal keys, emergency lockdown, restore drill (snapshot, isolate, verify, destroy).
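Review bot: the hunk now contradicts itself on who performs init: the retained `**Attended only (console refuses live init):**` heading and the `Init ceremony (human-attended)` bullet still describe an attended-only step, while the new table, the `**Console refuses live init in all models**` line and the `sops-held-automation` default describe init and unseal run by `creds-bootstrap-agent.sh`. Rewrite the heading to match the custody-model selection and keep the human-attended bullet under `attended-ceremony` only. Two smaller points: the `- Init/unseal: **sops-held-automation**` bullet is missing the `→` separator used on the `**attended-ceremony** → human ceremony` line, and the default model should state where the sops-held unseal shares and root token are stored and which key can decrypt them, given the table scopes it to `fast rebuild test cycles` rather than production trust.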
@@ -201,4 +222,4 @@ This guide + the runtime architecture + retrospective turn the first bootstrap i
**Next after this guide:** Align control surface (T06), add tests (T07), integrate validations (T08), assess rebuild risk (T09).
See NET-WP-0018 workplan for full acceptance.
See NET-WP-0018 workplan for full acceptance.
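Review bot: the two `See NET-WP-0018 workplan for full acceptance.` lines at the end of this hunk read as identical, so the change here appears to be whitespace only; if the intent was to add the NET-WP-0020 reference that the commit message names for downstream SSH automation, it is not reflected in this hunk. Either drop the no-op change or add the NET-WP-0020 pointer next to the NET-WP-0018 line.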