diff --git a/history/2026-06-17-openbao-production-verify.md b/history/2026-06-17-openbao-production-verify.md index 2aaf983..def8581 100644 --- a/history/2026-06-17-openbao-production-verify.md +++ b/history/2026-06-17-openbao-production-verify.md 
@@ -88,12 +88,33 @@ ops-warden signs either way; **hosts only accept certs from CAs they trust**. --- +## NET-WP-0020 T5 artifacts (2026-06-18) + +Automation is implemented; live cluster apply is the remaining gate. + +| Artifact | Repo | Status | +| --- | --- | --- | +| `openbao/ssh/roles-spec.yaml` | railiance-platform | Ready | +| `openbao/policies/warden-sign.hcl` | railiance-platform | Ready | +| `scripts/openbao-apply-ssh-engine.sh` | railiance-platform | Ready (`--dry-run` OK) | +| `scripts/openbao-verify-ssh-engine.sh` | railiance-platform | Ready | +| `make openbao-configure-ssh` / `openbao-verify-ssh` | railiance-platform | Ready | +| `ansible/roles/ssh_ca_host` + `bootstrap-ssh-ca.yaml` | railiance-infra | Ready | +| `ansible/inventory/ssh_principals.yaml` | railiance-infra | Ready (synced with warden principals) | +| `make bootstrap-ssh-ca` | railiance-infra | Ready | + +Live cluster check (2026-06-18): OpenBao initialized and unsealed; `ssh/` mount, +roles, and `warden-sign` policy **not yet applied** (no operator token in session). + +--- + ## Recommended next operator steps 1. ~~Create production `warden.yaml`~~ — done on workstation. -2. **Enable OpenBao SSH engine** + roles (`wiki/OpenBaoSshEngineChecklist.md`). -3. **Decide migration path** (A/B/C above) with `railiance-infra`. -4. `bao login` in WSL → `export VAULT_TOKEN=...` → `warden sign` smoke test. +2. **Apply SSH engine automation** — `railiance-platform/docs/openbao.md` § SSH Secrets Engine: + `OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token make openbao-configure-ssh` +3. **Deploy host CA trust** — `make bootstrap-ssh-ca SSH_CA_PUBKEY=/tmp/openbao-ssh-ca.pub` (path A migration). +4. Create `warden-sign` token → `export VAULT_TOKEN=...` → `warden sign` smoke test. 5. Enable `policy.enabled: true` only after flex-auth policies exist. --- 
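Review bot: step 3 of the new operator steps (`make bootstrap-ssh-ca SSH_CA_PUBKEY=/tmp/openbao-ssh-ca.pub`) takes the trust anchor that every host will accept from a world-writable directory; given the same note's rule that hosts only accept certs from CAs they trust, the step should read the CA public key from an operator-controlled path and tell the operator to compare its fingerprint with the CA key OpenBao itself serves before running the playbook (the `scripts/openbao-verify-ssh-engine.sh` listed as Ready is the natural place for that check). Two smaller points in the same hunk: step 2 authenticates via `OPENBAO_TOKEN_FILE=...` while step 4 uses `export VAULT_TOKEN=...`, which leaves the token in the shell environment and history, so documenting the same token-file pattern for the `warden sign` smoke test would be more consistent; and the removed step 3 recorded an open decision (A/B/C) that the new step 3 resolves as "path A migration" without saying where that was decided, so a one-line pointer to the decision would keep the history file self-contained.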
diff --git a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md index fe8bcd7..64fa3e4 100644 --- a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md +++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md @@ -10,7 +10,7 @@ topic_slug: custodian planning_priority: high planning_order: 8 created: "2026-06-17" -updated: "2026-06-17" +updated: "2026-06-18" state_hub_workstream_id: "a174963a-4ff1-4565-b19f-896cd4ff14a0" --- @@ -72,9 +72,9 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c" - [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only) -**Blocked until:** OpenBao `ssh/` secrets engine enabled + host CA trust plan. -Operator confirmed (2026-06-17): no SSH engine yet; legacy SSH predates OpenBao. -Token/UI login not the blocker. See `history/2026-06-17-openbao-production-verify.md`. +**Blocked until:** Operator runs NET-WP-0020 T5 live apply (`make openbao-configure-ssh`, +`make bootstrap-ssh-ca`). Automation artifacts ready 2026-06-18; cluster still +missing `ssh/` mount. See `history/2026-06-17-openbao-production-verify.md`. ### T3 — State Hub task status canon migration
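Review bot: the rewritten **Blocked until:** line names the two make targets but not the prerequisite the history entry identifies as the actual gap (an operator token in session, supplied via `OPENBAO_TOKEN_FILE`); stating that here would let a reader of the workplan see what unblocks T2 without opening the history file. The preceding `- [ ]` evidence items remain unchecked, which is consistent with "cluster still missing `ssh/` mount", so no change needed there; the frontmatter `updated:` bump in the first hunk matches the 2026-06-18 date used in the text.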