Close Railiance OpenBao workplan

workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md

@@ -4,13 +4,13 @@ type: workplan
 title: "OpenBao Platform Secrets Service"
 domain: railiance
 repo: railiance-platform
-status: active
+status: finished
 owner: codex
 topic_slug: railiance
 planning_priority: high
 planning_order: 2
 created: "2026-05-17"
-updated: "2026-05-26"
+updated: "2026-05-29"
 depends_on:
   - RAIL-PL-WP-0001
 state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
@@ -114,7 +114,7 @@ ceremony.
 
 ```task
 id: RAIL-PL-WP-0002-T03
-status: in_progress
+status: done
 priority: high
 state_hub_task_id: "509ccfd4-1775-4be4-b8e4-8d5bcf17f91e"
 ```
@@ -153,6 +153,14 @@ durable audit shipping, OIDC-backed admin login verification, residual taint
 response, and cleanup before live application secrets move in. These remaining
 operator-facing gates are consolidated in `NET-WP-0017`.
 
+**2026-05-29:** Railiance-owned bootstrap and break-glass scope is complete:
+`make openbao-status` and `make openbao-verify-post-unseal` pass against the
+live Railiance01 OpenBao pod, which is initialized, unsealed, and active with
+Bound data/audit PVCs. The production-trust gates that remain before ordinary
+user onboarding or live application secrets move into OpenBao are now explicitly
+owned by `NET-WP-0017`: declarative/durable audit closeout, OIDC-backed admin
+login evidence, residual taint cleanup, and hardening.
+
 ### T04 - Auth Methods And Workload Integration
 
 ```task
@@ -180,7 +188,7 @@ OpenBao injector remains disabled.
 
 ```task
 id: RAIL-PL-WP-0002-T05
-status: in_progress
+status: done
 priority: medium
 state_hub_task_id: "0d717bdd-76bc-41b4-b633-ba07214b4095"
 ```
@@ -201,6 +209,14 @@ delivery, while `artifact-store` owns S3 backend behavior and
 credential refresh decisions. NetKingdom remains the default owner for OIDC
 identity if object storage adopts `AssumeRoleWithWebIdentity`.
 
+**2026-05-29:** Initial secret-engine scope is complete for this workplan:
+OpenBao has the `platform/` KV path and Kubernetes auth configured through the
+initial configuration helper, with `platform-admin` and `platform-readonly`
+policies present. Database dynamic credentials, PKI, SSH, and object-storage
+STS vending remain future integration work owned by their downstream service
+workplans and `ARTIFACT-STORE-WP-0007`; they are not blockers for the platform
+secrets service closeout.
+
 ### T06 - Backup, Audit, Monitoring, And Verification
 
 ```task
@@ -232,7 +248,7 @@ production-readiness closeout.
 
 ```task
 id: RAIL-PL-WP-0002-T07
-status: in_progress
+status: done
 priority: medium
 state_hub_task_id: "89149b60-562b-4a5b-978d-0f9136ffa114"
 ```
@@ -262,6 +278,14 @@ Credential Vending` instead of creating duplicate S3 backend work in
 `ARTIFACT-STORE-WP-0007-T004` and follow-up routing in
 `ARTIFACT-STORE-WP-0007-T005`.
 
+**2026-05-29:** Cross-repo transition ownership is explicit enough for
+Railiance closeout. NetKingdom owns the remaining identity, OIDC admin login,
+operator UX, hardening, and onboarding-readiness gates through `NET-WP-0017`.
+Artifact-store owns S3-compatible backend and credential-vending decisions
+through `ARTIFACT-STORE-WP-0007`. Future application-specific OpenBao adoption
+belongs with the relevant S5/application workplans once user onboarding is
+unblocked.
+
 ## Acceptance Criteria
 
 - Railiance has an explicit decision on OpenBao versus HashiCorp Vault