openbao king credential bootstrapping

workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md

@@ -10,7 +10,7 @@ topic_slug: railiance
 planning_priority: high
 planning_order: 2
 created: "2026-05-17"
-updated: "2026-05-23"
+updated: "2026-05-24"
 depends_on:
   - RAIL-PL-WP-0001
 state_hub_workstream_id: "fd1c045a-01d4-43be-980f-acbda6c64e6c"
@@ -137,6 +137,14 @@ post-unseal initial configuration path. The actual initialization/unseal
 ceremony remains gated on named human escrow recipients and must not happen in
 a casual agent shell.
 
+**2026-05-24:** Revised the custody model: `tegwick`
+(`bernd.worsch@gmail.com`, Gitea `tegwick`) is the setup operator/contact, not
+the long-term platform root of trust. The OpenBao ceremony is now gated on a
+separate NetKingdom king credential and guided bootstrap path. T03 remains
+`in_progress`: the live OpenBao init/unseal ceremony is still gated on king
+credential creation, custody mode approval, root-token disposition,
+reset/rotation, and restore-drill execution.
+
 ### T04 - Auth Methods And Workload Integration
 
 ```task
@@ -226,6 +234,11 @@ platform secrets authority while SOPS/age remains bootstrap/Git-at-rest
 protection. Still needs ops-warden, ops-bridge, artifact-store, S5 app,
 and stale HashiCorp Vault wording follow-ups.
 
+**2026-05-24:** Updated NetKingdom custody linkage:
+`net-kingdom/docs/platform-root-custody.md`, `NET-WP-0015`, and `NET-WP-0016`
+now define `tegwick` as setup operator/contact and a separate king credential
+as the platform-root custody target for OpenBao.
+
 **2026-05-17:** Linked the artifact-store transition to
 `ARTIFACT-STORE-WP-0007 - MinIO Compatibility, MaxIO Fork Assessment, And STS
 Credential Vending` instead of creating duplicate S3 backend work in