openbao king credential bootstrapping

docs/openbao.md

@@ -88,6 +88,27 @@ That state is intentional until the bootstrap ceremony is completed.
 Do not initialize OpenBao in a casual shell session. Initialization emits the
 unseal keys and initial root token. Treat this as a break-glass event.
 
+### Setup Operator And King Credential
+
+The initial accountable setup operator/contact is `tegwick`
+(`bernd.worsch@gmail.com`), with Gitea identity `tegwick`. This identity can
+assemble early infrastructure, receive notifications, and operate day-to-day
+Git/Gitea workflows, but it is not the desired long-term platform root of
+trust.
+
+The actual platform-root target is a separate king credential created through
+the NetKingdom bootstrap path before OpenBao becomes live secret custody. Email
+may receive notifications, but Gitea, Git, State Hub, chat, tickets, shell
+history, and email must not store or transfer OpenBao unseal keys, root tokens,
+private keys, OTP seeds, recovery codes, or screenshots of secret output.
+
+The canonical custody policy is in
+`net-kingdom/docs/platform-root-custody.md`. The preferred production posture
+is independent two-of-three custody. Temporary single-operator king custody is
+feasible for pre-production bootstrap only when second-factor protection,
+offline recovery storage, and a low-friction upgrade path to additional
+custodians are in place.
+
 Pre-flight checks:
 
 ```bash
@@ -102,12 +123,16 @@ Proceed only when:
 - `bao status` reports `Initialized: false` and `Sealed: true`.
 - Railiance01 host/cluster backup posture is understood for this maintenance
   window.
-- three human escrow recipients are named before the command is run.
+- the guided NetKingdom bootstrap path exists for creating or importing the
+  king credential.
+- the OpenBao custody mode is recorded: preferred independent custody, or an
+  explicit temporary single-custodian king bootstrap exception.
 
 Recommended ceremony:
 
 1. Confirm the Railiance01 backup posture first.
-2. Prepare three human escrow recipients for unseal shares.
+2. Prepare the king credential and approved escrow holders or offline
+   single-custody locations.
 3. Run initialization once:
 
    ```bash
@@ -115,7 +140,8 @@ Recommended ceremony:
      bao operator init -key-shares=3 -key-threshold=2
    ```
 
-4. Give each unseal share to its escrow owner through an out-of-band channel.
+4. Give each unseal share to its escrow owner or approved king-custody location
+   through an out-of-band channel.
 5. Unseal with two shares:
 
    ```bash
@@ -187,6 +213,8 @@ Initial auth model:
 
 | Actor | Method | Notes |
 |-------|--------|-------|
+| Setup operator/contact | Gitea `tegwick` / `bernd.worsch@gmail.com` | low-trust assembly and notifications; not platform root of trust |
+| King credential | NetKingdom custody record for dedicated platform-root identity | accountable bootstrap/recovery authority; not a Git or email secret store |
 | Bootstrap operator | one-time root token | only for initial audit, mounts, auth, policies, and non-root token creation |
 | Platform operator | token with `platform-admin` | temporary until NetKingdom OIDC/admin integration is ready |
 | Read-only reviewer | token with `platform-readonly` | metadata and health visibility, no secret reads |