diff --git a/docs/openbao.md b/docs/openbao.md
index fffbe8b..bb5f49f 100644
--- a/docs/openbao.md
+++ b/docs/openbao.md
@@ -204,6 +204,9 @@ successfully with a warning after applying the other bootstrap configuration. Treat declarative audit configuration in the OpenBao server config/Helm values as mandatory before production secrets move in. +The helper is idempotent. Re-running it should report existing `platform/` and +`kubernetes/` paths as already enabled instead of failing the ceremony. + After the helper succeeds, create a non-root admin token: ```bash
diff --git a/scripts/openbao-apply-initial-config.sh b/scripts/openbao-apply-initial-config.sh
index 370b7cc..dd1acbb 100755
--- a/scripts/openbao-apply-initial-config.sh
+++ b/scripts/openbao-apply-initial-config.sh
@@ -117,23 +117,47 @@ enable_file_audit() {
   fi
   status=$?
-  printf '%s\n' "$output" >&2
   case "$output" in
     *"cannot enable audit device via API"*)
       warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
       return 0
       ;;
     *"path is already in use"*)
-      warn "OpenBao file audit device already appears to be enabled."
+      printf 'OK: OpenBao file audit device already appears to be enabled.\n'
       return 0
       ;;
     *)
+      printf '%s\n' "$output" >&2
       warn "OpenBao audit enable failed with exit code $status."
       return 0
       ;;
   esac
 }
 
+enable_optional() {
+  local token="$1"
+  local already_message="$2"
+  shift 2
+  local output status
+  if output="$(remote_bao "$token" "$@" 2>&1)"; then
+    printf '%s\n' "$output"
+    return 0
+  fi
+
+  status=$?
+  case "$output" in
+    *"path is already in use"*)
+      printf 'OK: %s\n' "$already_message"
+      return 0
+      ;;
+    *)
+      printf '%s\n' "$output" >&2
+      warn "OpenBao command failed with exit code $status: bao $*"
+      return 0
+      ;;
+  esac
+}
+
 show_audit_list() {
   local token="$1"
   local output status
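Review bot: `status=$?` in enable_optional never holds remote_bao's failing exit code, because once an `if` whose condition was false falls through a bare `fi` with no `else`, `$?` is 0; the `warn` in the `*)` arm will therefore always log `exit code 0`, and since the function returns 0 unconditionally that message is the only trace a failed enable leaves. Capture the status while it is still live by replacing the bare `fi` and the following `status=$?` with `else` / `    status=$?` / `fi`, keeping the `case "$output"` as written. The context lines at the top of this hunk show enable_file_audit using the same `fi` / `status=$?` sequence, and show_audit_list in the next hunk does too, so their reported exit codes are most likely wrong for the same reason; enable_file_audit's body begins outside this hunk. It would also help to say in a header comment on enable_optional that it is deliberately best-effort (always returns 0, soft-fails on "path is already in use"), since that is what makes the re-run idempotent.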
@@ -143,12 +167,12 @@ show_audit_list() {
   fi
   status=$?
-  printf '%s\n' "$output" >&2
   if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
     warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
     return 0
   fi
+  printf '%s\n' "$output" >&2
   warn "OpenBao audit list failed with exit code $status."
   return 0
 }
@@ -162,8 +186,8 @@ fi
 remote_bao "$token" status
 enable_file_audit "$token"
-remote_bao "$token" secrets enable -path=platform kv-v2 || true
-remote_bao "$token" auth enable kubernetes || true
+enable_optional "$token" "platform/ KV secrets engine is already enabled." secrets enable -path=platform kv-v2
+enable_optional "$token" "kubernetes/ auth method is already enabled." auth enable kubernetes
 remote_sh "$token" 'bao write auth/kubernetes/config \
 kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \