diff --git a/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md b/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md index 3214d42..0a3c6f0 100644 --- a/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md +++ b/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md @@ -317,7 +317,7 @@ on the cluster. ```task id: RAILIANCE-WP-0002-T04 -status: blocked +status: done priority: high state_hub_task_id: "925ace1c-f9bf-4644-bd0b-637705d72ea6" ``` @@ -357,6 +357,37 @@ Approach: cluster (`kubectl run --rm -it psql ...`) and is recorded in the SOPS values used by T05. +**Done (2026-05-19):** + +Platform side (in `railiance-platform`, commit `017934d`): + +- `helm/apps-pg-cluster.yaml` adds `spec.managed.roles[vergabe]` + (CNPG 1.28 role lifecycle is cluster-scoped — no standalone Role CR). +- `helm/apps-pg-databases.yaml` (new) declares `Database/vergabe-db` + with `name: vergabe_db`, `owner: vergabe`. +- Bootstrap credential `databases/vergabe-app-credentials` + (`kubernetes.io/basic-auth`, `username: vergabe`, generated password). + +Apps side (this workplan): + +- Namespace `vergabe-teilnahme` created and labeled + `railiance.io/postgres-client=apps-pg` (per docs/apps-pg.md + opt-in contract). +- Credential Secret mirrored to + `vergabe-teilnahme/vergabe-app-credentials` so the application pod + can mount it. T05 will reference this Secret via `envFrom` or + individual `valueFrom.secretKeyRef`. + +DSN for T05's SOPS Helm values: + +``` +postgresql://vergabe:${PASSWORD}@apps-pg-rw.databases:5432/vergabe_db +``` + +End-to-end verification: `kubectl exec` into a pod in the +`vergabe-teilnahme` namespace and run psql with the mirrored +credentials — returns `vergabe | vergabe_db | PostgreSQL 16.13`. + --- ### T05 — Author Helm release for vergabe-teilnahme
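Review bot: In the second hunk's "Apps side" list, the credential Secret is described as mirrored to `vergabe-teilnahme/vergabe-app-credentials` without saying how the copy was made or how it stays in sync, so a later rotation of `databases/vergabe-app-credentials` would leave the application namespace with a stale password. Name the mirroring mechanism, or add an explicit re-mirror step to the rotation procedure. The same hunk also gives the password two homes: T05 is to read it from the Secret via `envFrom` or `secretKeyRef`, yet the DSN with `${PASSWORD}` is destined for T05's SOPS Helm values. Pick one source of truth, for example by keeping only host, port and database name in the values and composing the DSN from the Secret at runtime. If the generated password is interpolated into the URL form, it also needs percent-encoding for any reserved characters. The DSN sets no `sslmode`, so the client default decides whether the connection to `apps-pg-rw.databases` is encrypted; state the intended mode explicitly. Finally, the end-to-end verification records only the output `vergabe | vergabe_db | PostgreSQL 16.13` and not the query that produced it. Include the exact psql invocation so the check can be repeated, and consider recording a run from a namespace without the `railiance.io/postgres-client=apps-pg` label to show that the opt-in contract is enforced.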