docs: record OpenBao SSH engine missing as WP-0008 T2 blocker

Operator confirmed legacy SSH predates OpenBao; ssh/ mount not enabled.
Document migration paths and update workplan wait condition.

history/2026-06-17-openbao-production-verify.md

@@ -47,24 +47,54 @@ See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist.
 
 ---
 
+## Operator session (2026-06-17) — WP-0008 T2
+
+| Check | Result |
+| --- | --- |
+| `warden.yaml` + `inventory.yaml` on workstation | Done (operator) |
+| Test keypair `agt-state-hub-bridge_ed25519` | Done (operator) |
+| OpenBao UI login | `netkingdom` / `platform-admin` — OK |
+| **`ssh/` secrets engine** | **Not enabled** — confirmed by operator |
+| Legacy SSH | Predates OpenBao and ops-warden (file/static-key era) |
+
+**Conclusion:** T2 cannot complete until the OpenBao SSH engine is bootstrapped
+and host trust is planned (see migration paths below). Token and warden config
+are not the blocker.
+
+---
+
 ## Blockers for end-to-end `warden sign`
 
-| Blocker | Owner | Notes |
+| Blocker | Owner | Status |
 | --- | --- | --- |
-| No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` |
-| No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` |
-| SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` |
-| flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in |
+| SSH secrets engine not mounted | `railiance-platform` / operator | **Confirmed missing** |
+| Host `TrustedUserCAKeys` for OpenBao SSH CA | `railiance-infra` | Not started (legacy CA on hosts today) |
+| Workstation `warden.yaml` | Operator | Done |
+| Scoped `VAULT_TOKEN` in shell | Operator | UI login OK; CLI `bao login` still needed for `warden` |
+| flex-auth `ssh-certificate` policies | `flex-auth` | Future (T5) |
+
+---
+
+## Migration paths (legacy SSH → OpenBao SSH engine)
+
+| Path | When | Host impact |
+| --- | --- | --- |
+| **A — New OpenBao CA** | Greenfield or willing to rotate trust | OpenBao generates new CA; distribute new `.pub` via `railiance-infra` |
+| **B — Dual trust** | Gradual migration | Hosts trust legacy CA **and** OpenBao SSH CA during transition |
+| **C — Import legacy CA** | Keep same host trust file | Import existing CA private key into SSH engine (custody ceremony) |
+| **D — Defer** | Prove warden only | `backend: local` + legacy `ca_key` until platform ready |
+
+ops-warden signs either way; **hosts only accept certs from CAs they trust**.
 
 ---
 
 ## Recommended next operator steps
 
-1. Create production `warden.yaml` with `backend: vault` and `vault.addr`.
-2. Export short-lived `VAULT_TOKEN` after OIDC login.
-3. Run `wiki/OpenBaoSshEngineChecklist.md` items 1–6.
-4. Test: `warden sign <actor> --pubkey <path>` against a known inventory actor.
-5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist.
+1. ~~Create production `warden.yaml`~~ — done on workstation.
+2. **Enable OpenBao SSH engine** + roles (`wiki/OpenBaoSshEngineChecklist.md`).
+3. **Decide migration path** (A/B/C above) with `railiance-infra`.
+4. `bao login` in WSL → `export VAULT_TOKEN=...` → `warden sign` smoke test.
+5. Enable `policy.enabled: true` only after flex-auth policies exist.
 
 ---
 

workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md

@@ -72,7 +72,9 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
 - [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
 - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
 
-**Blocked until:** scoped token + SSH roles on Railiance OpenBao. Operator guide in session notes.
+**Blocked until:** OpenBao `ssh/` secrets engine enabled + host CA trust plan.
+Operator confirmed (2026-06-17): no SSH engine yet; legacy SSH predates OpenBao.
+Token/UI login not the blocker. See `history/2026-06-17-openbao-production-verify.md`.
 
 ### T3 — State Hub task status canon migration