diff --git a/scripts/setup-ai-workspace-all-in-one.sh b/scripts/setup-ai-workspace-all-in-one.sh
index e4905c7..0c8696f 100755
--- a/scripts/setup-ai-workspace-all-in-one.sh
+++ b/scripts/setup-ai-workspace-all-in-one.sh
@@ -1193,58 +1193,6 @@ boot_new = (
 if boot_old in tasks_text and boot_new not in tasks_text:
     tasks_text = tasks_text.replace(boot_old, boot_new, 1)
 
-# 2c) DIAGNOSTIC (macOS): bootstrap runs under no_log; capture rc/stdout/stderr
-# and write them to a readable file so the real init_vault_admin.sh error can be
-# inspected. (Temporary; remove once green.)
-diag_anchor = (
-    "  no_log: true\n"
-    "  when:\n"
-    "    - not ansible_check_mode\n"
-)
-diag_new = (
-    "  no_log: false\n"
-    "  register: vault_admin_bootstrap_result\n"
-    "  failed_when: false\n"
-    "  when:\n"
-    "    - not ansible_check_mode\n"
-)
-if diag_anchor in tasks_text and "vault_admin_bootstrap_result" not in tasks_text:
-    tasks_text = tasks_text.replace(diag_anchor, diag_new, 1)
-diag_tasks = (
-    "\n- name: Show Vault admin bootstrap diagnostics (macOS)\n"
-    "  ansible.builtin.debug:\n"
-    "    msg:\n"
-    "      - \"rc={{ vault_admin_bootstrap_result.rc | default('n/a') }}\"\n"
-    "      - \"stdout={{ vault_admin_bootstrap_result.stdout_lines | default([]) }}\"\n"
-    "      - \"stderr={{ vault_admin_bootstrap_result.stderr_lines | default([]) }}\"\n"
-    "  when:\n"
-    "    - ansible_os_family == 'Darwin'\n"
-    "    - vault_admin_bootstrap_result is defined\n"
-    "\n- name: Write Vault bootstrap diagnostics to file (macOS)\n"
-    "  ansible.builtin.copy:\n"
-    "    dest: \"/Users/shenlan/workspaces/cloud-neutral-toolkit/vault-bootstrap-debug.log\"\n"
-    "    content: |\n"
-    "      rc={{ vault_admin_bootstrap_result.rc | default('n/a') }}\n"
-    "      ===== STDOUT =====\n"
-    "      {{ vault_admin_bootstrap_result.stdout | default('') }}\n"
-    "      ===== STDERR =====\n"
-    "      {{ vault_admin_bootstrap_result.stderr | default('') }}\n"
-    "  when:\n"
-    "    - ansible_os_family == 'Darwin'\n"
-    "    - vault_admin_bootstrap_result is defined\n"
-    "  ignore_errors: true\n"
-    "\n- name: Fail when Vault admin bootstrap failed (macOS)\n"
-    "  ansible.builtin.assert:\n"
-    "    that:\n"
-    "      - (vault_admin_bootstrap_result.rc | default(1)) == 0\n"
-    "    fail_msg: \"vault admin bootstrap failed; see vault-bootstrap-debug.log\"\n"
-    "  when:\n"
-    "    - ansible_os_family == 'Darwin'\n"
-    "    - vault_admin_bootstrap_result is defined\n"
-)
-if "Show Vault admin bootstrap diagnostics (macOS)" not in tasks_text:
-    tasks_text = tasks_text.rstrip("\n") + "\n" + diag_tasks
-
 tasks_path.write_text(tasks_text)
 
 # 2d) init_vault_admin.sh resolves the admin entity_id by logging in as the