chore(deploy): add custody recovery drill target [skip ci]

deploy/railiance/RUNBOOK.md

@@ -113,6 +113,18 @@ kubectl rollout restart deployment/inter-hub -n inter-hub
 kubectl rollout status deployment/inter-hub -n inter-hub
 ```
 
+Custody-backed recovery verification:
+
+```bash
+# after the approved custody unlock makes the age identity available
+make recovery-drill
+```
+
+The drill prints UTC/local timestamps, verifies that the committed SOPS file can
+be decrypted in memory, checks the expected Secret metadata and key names, and
+does not print secret values. Keep the PASS output as non-secret recovery
+evidence.
+
 ## Database Migration
 
 IHP migrations can be run from the production image when needed. Because the