diff --git a/docs/openbao.md b/docs/openbao.md index 4f109cd..32b40f4 100644 --- a/docs/openbao.md +++ b/docs/openbao.md @@ -88,6 +88,27 @@ That state is intentional until the bootstrap ceremony is completed. Do not initialize OpenBao in a casual shell session. Initialization emits the unseal keys and initial root token. Treat this as a break-glass event. +### Setup Operator And King Credential + +The initial accountable setup operator/contact is `tegwick` +(`bernd.worsch@gmail.com`), with Gitea identity `tegwick`. This identity can +assemble early infrastructure, receive notifications, and operate day-to-day +Git/Gitea workflows, but it is not the desired long-term platform root of +trust. + +The actual platform-root target is a separate king credential created through +the NetKingdom bootstrap path before OpenBao becomes live secret custody. Email +may receive notifications, but Gitea, Git, State Hub, chat, tickets, shell +history, and email must not store or transfer OpenBao unseal keys, root tokens, +private keys, OTP seeds, recovery codes, or screenshots of secret output. + +The canonical custody policy is in +`net-kingdom/docs/platform-root-custody.md`. The preferred production posture +is independent two-of-three custody. Temporary single-operator king custody is +feasible for pre-production bootstrap only when second-factor protection, +offline recovery storage, and a low-friction upgrade path to additional +custodians are in place. + Pre-flight checks: ```bash 
@@ -102,12 +123,16 @@ Proceed only when: - `bao status` reports `Initialized: false` and `Sealed: true`. - Railiance01 host/cluster backup posture is understood for this maintenance window. -- three human escrow recipients are named before the command is run. +- the guided NetKingdom bootstrap path exists for creating or importing the + king credential. +- the OpenBao custody mode is recorded: preferred independent custody, or an + explicit temporary single-custodian king bootstrap exception. Recommended ceremony: 1. Confirm the Railiance01 backup posture first. -2. Prepare three human escrow recipients for unseal shares. +2. Prepare the king credential and approved escrow holders or offline + single-custody locations. 3. Run initialization once: ```bash @@ -115,7 +140,8 @@ Recommended ceremony: bao operator init -key-shares=3 -key-threshold=2 ``` -4. Give each unseal share to its escrow owner through an out-of-band channel. +4. Give each unseal share to its escrow owner or approved king-custody location + through an out-of-band channel. 5. Unseal with two shares: ```bash @@ -187,6 +213,8 @@ Initial auth model: | Actor | Method | Notes | |-------|--------|-------| +| Setup operator/contact | Gitea `tegwick` / `bernd.worsch@gmail.com` | low-trust assembly and notifications; not platform root of trust | +| King credential | NetKingdom custody record for dedicated platform-root identity | accountable bootstrap/recovery authority; not a Git or email secret store | | Bootstrap operator | one-time root token | only for initial audit, mounts, auth, policies, and non-root token creation | | Platform operator | token with `platform-admin` | temporary until NetKingdom OIDC/admin integration is ready | | Read-only reviewer | token with `platform-readonly` | metadata and health visibility, no secret reads | diff --git a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md index b22044a..9aca2ac 100644 
--- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md +++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md @@ -10,7 +10,7 @@ topic_slug: railiance planning_priority: high planning_order: 2 created: "2026-05-17" -updated: "2026-05-23" +updated: "2026-05-24" depends_on: - RAIL-PL-WP-0001 state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c" @@ -137,6 +137,14 @@ post-unseal initial configuration path. The actual initialization/unseal ceremony remains gated on named human escrow recipients and must not happen in a casual agent shell. +**2026-05-24:** Revised the custody model: `tegwick` +(`bernd.worsch@gmail.com`, Gitea `tegwick`) is the setup operator/contact, not +the long-term platform root of trust. The OpenBao ceremony is now gated on a +separate NetKingdom king credential and guided bootstrap path. T03 remains +`in_progress`: the live OpenBao init/unseal ceremony is still gated on king +credential creation, custody mode approval, root-token disposition, +reset/rotation, and restore-drill execution. + ### T04 - Auth Methods And Workload Integration ```task @@ -226,6 +234,11 @@ platform secrets authority while SOPS/age remains bootstrap/Git-at-rest protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app, and stale HashiCorp Vault wording follow-ups. +**2026-05-24:** Updated NetKingdom custody linkage: +`net-kingdom/docs/platform-root-custody.md`, `NET-WP-0015`, and `NET-WP-0016` +now define `tegwick` as setup operator/contact and a separate king credential +as the platform-root custody target for OpenBao. + **2026-05-17:** Linked the artifact-store transition to `ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS Credential Vending` instead of creating duplicate S3 backend work in
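Review bot: In the new `### Setup Operator And King Credential` section of `docs/openbao.md`, the personal mailbox `bernd.worsch@gmail.com` is written into the repository docs twice (prose and the auth table) while the same paragraph classifies email as a low-trust channel that must not carry any OpenBao secret material. Recording a personal address as the accountable contact invites it to be used for exactly the notifications and recovery traffic the section wants kept out of email; consider naming the contact by its Gitea identity and the NetKingdom custody record only, which this patch already declares canonical (`net-kingdom/docs/platform-root-custody.md`), and keeping the mailbox out of the page. Also, "Email may receive notifications, but Gitea, Git, State Hub, chat, tickets, shell history, and email must not store or transfer ..." lists email on both sides of the "but"; split it into "Email may receive notifications only" and a separate list of channels that must never hold the secret outputs.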
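Review bot: The pre-flight hunk (`@@ -102,12 +123,16 @@`) drops the only concrete, checkable precondition, "three human escrow recipients are named before the command is run", and replaces it with two conditions that can be satisfied on paper (a bootstrap path "exists" and a custody mode is "recorded"). The ceremony still runs `bao operator init -key-shares=3 -key-threshold=2`, so three shares will be emitted regardless of mode; keep a line requiring that the holder or offline location of each of the three shares is named before the command is run, in both the independent-custody and the single-custodian exception case, otherwise the ceremony can proceed with nowhere to put the output. Step 2 of the recommended ceremony should state the same requirement rather than "Prepare ... approved escrow holders or offline single-custody locations."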
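Review bot: Step 4 in the `@@ -115,7 +140,8 @@` hunk says each share goes to "its escrow owner or approved king-custody location" (singular), while step 2 speaks of "offline single-custody locations" (plural). Under the temporary single-custodian exception this wording allows all three shares to be placed in one location, which collapses the 2-of-3 threshold the init command establishes into a single point of compromise and a single point of loss. Make step 4 say that each share goes to a distinct escrow owner or a distinct offline location, so that no one channel or container ever holds a quorum, and tie the single-custodian case explicitly to the "second-factor protection, offline recovery storage" conditions the new custody section sets for it.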
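Review bot: The two rows added to the "Initial auth model" table (`@@ -187,6 +213,8 @@`) put a Gitea identity and a "NetKingdom custody record" in the `Method` column beside rows whose method is an OpenBao token, which reads as if the setup operator and the king credential authenticate to OpenBao. The `Notes` column says the opposite for the setup operator ("not platform root of trust") and describes the king credential as a "bootstrap/recovery authority", not an OpenBao login. Either move these two actors into the custody section and keep the table to actors with an OpenBao auth method, or change their `Method` cell to state plainly that they have no OpenBao auth method at this stage.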
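Review bot: The 2026-05-24 T03 journal entry in the workplan (`@@ -137,6 +14...`) lists the live ceremony as gated on "root-token disposition, reset/rotation, and restore-drill execution", but the `Proceed only when:` list in `docs/openbao.md` changed in this same patch names none of those; it only adds the bootstrap-path and custody-mode conditions. Since the docs page is what an operator will read at the console, mirror the root-token disposition and restore-drill gates into the pre-flight list there, or the workplan and the runbook will disagree about when the ceremony may start.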