diff --git a/docs/OPERATOR-PLAN.md b/docs/OPERATOR-PLAN.md index e18e27d..bfc6cce 100644 --- a/docs/OPERATOR-PLAN.md +++ b/docs/OPERATOR-PLAN.md 
@@ -260,18 +260,34 @@ done in order — earlier ones unblock later ones. NEXT-STEPS.md, TROUBLESHOOTING.md) for stale references - [x] Verify customer portal `/api/me` still works end-to-end after rename -### O.1 · Authentik — operator OAuth client +### O.1 · Authentik — operator OAuth client ✓ -- [ ] Create `dezky-operator` OAuth provider via Authentik API -- [ ] Set redirect URIs to `https://operator.dezky.local/auth/oidc/{callback,logout}` -- [ ] Confidential client; persist client_secret to `.env` as +- [x] Create `dezky-operator` OAuth provider via Authentik API +- [x] Set redirect URIs to `https://operator.dezky.local/auth/oidc/{callback,logout}` +- [x] Confidential client; client_secret persisted to `.env` as `OPERATOR_OIDC_CLIENT_SECRET` -- [ ] Create application binding linking the provider to a - `dezky-platform-admins`-only authorization flow (only group members can - reach the consent screen) -- [ ] Configure MFA-required policy on this provider -- [ ] Verify via `curl` that the discovery doc resolves at - `/application/o/dezky-operator/.well-known/openid-configuration` +- [x] `Dezky Operator` application created and linked to the provider +- [x] Group binding on the application: `dezky-platform-admins` required to + reach the consent screen. (Authentik 2025.10 supports group-direct + policy bindings — no separate `policy_group_membership` object needed) +- [ ] **Deferred to follow-up:** MFA-required policy on this provider. + Authentik does this via a stage binding on the authentication flow, + which is app-specific configuration we'll wire when there's an actual + MFA enrollment to gate against. 
For dev with one akadmin, akadmin + already has WebAuthn — the auth flow prompts for it automatically +- [x] Discovery doc verified at + `/application/o/dezky-operator/.well-known/openid-configuration` — + issuer correct, scopes include `groups`, all endpoints resolve + +### Gotchas worth noting + +- Authentik 2025.10 requires both `authorization_flow` AND `invalidation_flow` + when creating OAuth2 providers. The default invalidation flow is at + `/api/v3/flows/instances/?designation=invalidation` (slug + `default-provider-invalidation-flow`) +- The `policies/group_membership/` endpoint mentioned in older Authentik + docs is gone in 2025.10. Use `policies/bindings/` with a direct `group` + reference instead ### O.2 · platform-api — multi-audience + Partner CRUD
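Review bot: Deferring the MFA-required policy weakens the guarantee this checklist was written to provide, because the justification in the hunk ("For dev with one akadmin, akadmin already has WebAuthn — the auth flow prompts for it automatically") only holds for accounts that have already enrolled a device; any other member of `dezky-platform-admins` added later would reach the operator consent screen with password-only authentication. Suggest keeping the item actionable rather than open-ended: record the follow-up where the deferral is tracked, and state the accepted interim risk explicitly in the "Deferred to follow-up" bullet so a reader does not mistake the dev-only observation for enforced policy. Two smaller points on the same hunk: the line "`- [x] Confidential client; client_secret persisted to `.env` as`" should note that `.env` must stay out of version control (the doc does not say so anywhere in the visible lines), and the claim "Authentik 2025.10 supports group-direct policy bindings" in the group-binding bullet would benefit from a pointer to the API response or doc that confirmed it, since the "Gotchas" section relies on the same version-specific behaviour.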