Record OpenBao bootstrap status

workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md

@@ -10,7 +10,7 @@ topic_slug: railiance
 planning_priority: high
 planning_order: 2
 created: "2026-05-17"
-updated: "2026-05-24"
+updated: "2026-05-26"
 depends_on:
   - RAIL-PL-WP-0001
 state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
@@ -145,6 +145,14 @@ separate NetKingdom king credential and guided bootstrap path. T03 remains
 credential creation, custody mode approval, root-token disposition,
 reset/rotation, and restore-drill execution.
 
+**2026-05-26:** Live OpenBao is now initialized, unsealed, and post-unseal
+verified on Railiance01. NetKingdom bootstrap metadata records custody approval,
+root-token revocation, unseal-key rotation, and restore-drill confirmation.
+T03 remains `in_progress` for production-trust closeout: declarative audit,
+durable audit shipping, OIDC-backed admin login verification, residual taint
+response, and cleanup before live application secrets move in. These remaining
+operator-facing gates are consolidated in `NET-WP-0017`.
+
 ### T04 - Auth Methods And Workload Integration
 
 ```task
@@ -213,6 +221,13 @@ basic and post-unseal verification. The restore drill still must be executed
 before any live application secrets are migrated; that remains a gate under
 T03.
 
+**2026-05-26:** `make openbao-verify-post-unseal` passes against the live
+OpenBao pod: Kubernetes objects exist, the pod is running, OpenBao reports
+`Initialized: true` and `Sealed: false`, and data/audit directories exist.
+Authenticated checks for audit devices, auth methods, and mounts still require
+the OIDC-backed or temporary platform-admin path and remain part of the
+production-readiness closeout.
+
 ### T07 - Cross-Repo Transition Tasks
 
 ```task