From c0c6ead5ddd29e7f730d71d2edab4de1d75d46f9 Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 1 Jun 2026 22:52:42 +0200 Subject: [PATCH] Record OpenBao authenticated verifier proof --- ...RAIL-PL-WP-0002-openbao-platform-secrets-service.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md index a29ca0c..ef2c141 100644 --- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md +++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md @@ -276,6 +276,16 @@ through the local shell at all. Durable audit shipping beyond the audit PVC remains intentionally open until a tested sink is selected; State Hub notes and hashes are evidence, not retained audit custody. +**2026-06-01:** Ran the authenticated verifier against the live pod token +helper immediately after a fresh `bao login -no-print -method=oidc +-path=keycape role=platform-admin` browser/MFA flow. The verifier passed: +OpenBao is unsealed on `2.5.4`, `bao audit list` shows `file/`, +`bao secrets list` shows `platform/`, `bao auth list` shows `kubernetes/` and +`keycape/`, and `/openbao/audit/openbao-audit.log` grew from 7969 bytes to +23330 bytes during the check. No token value was printed or copied into the +workplan. The cached verifier token was then revoked with +`bao token revoke -self`. + ### T07 - Cross-Repo Transition Tasks ```task
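Review bot: The last sentence of the added 2026-06-01 entry records that the cached verifier token was revoked with `bao token revoke -self`, but not that the revocation was confirmed. The audit-log growth (7969 to 23330 bytes) is stated as measured "during the check", so it does not show the revoke being audited either. Consider recording a post-revoke check, for example that `bao token lookup` with the cached token is denied, together with the log size after revocation. The entry also supports the audit claim with byte growth alone, which shows that something was written but not that the verifier's own requests were. Since the preceding context line treats State Hub notes and hashes as the evidence, identify the verifier that was run (script path or commit) and reference the note or hash that holds its output so the pass can be re-checked later.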