Add signed custody roster workflow

examples/security-bootstrap/custody-roster.example.json

@@ -0,0 +1,51 @@
+{
+  "schema": "netkingdom.custody-roster.v1",
+  "roster_id": "netkingdom-openbao-custody-2of3-20260602-example",
+  "custody_model": "two-of-three-planned",
+  "status": "planned",
+  "scope": "OpenBao platform recovery, emergency unseal, and custody migration",
+  "created_at": "2026-06-02T00:00:00Z",
+  "review_date": "2026-07-02",
+  "approved_by": {
+    "role": "platform-custodian",
+    "signing_principal": "platform-custodian",
+    "public_key_reference": "~/.ssh/id_custodian_agent.pub"
+  },
+  "holders": [
+    {
+      "holder_id": "holder-1",
+      "role": "king-holder",
+      "contact": {
+        "email": "king@example.test",
+        "phone": "+49-000-0000000"
+      },
+      "identity_reference": "planned:lldap/platform-root",
+      "admin_user": true,
+      "custody_material": "future share slot 1"
+    },
+    {
+      "holder_id": "holder-2",
+      "role": "escrow-holder-1",
+      "contact": {
+        "email": "escrow-one@example.test",
+        "phone": "+49-000-0000001"
+      },
+      "identity_reference": "planned:lldap/custody-escrow-1",
+      "admin_user": false,
+      "custody_material": "future share slot 2"
+    },
+    {
+      "holder_id": "holder-3",
+      "role": "escrow-holder-2",
+      "contact": {
+        "email": "escrow-two@example.test",
+        "phone": "+49-000-0000002"
+      },
+      "identity_reference": "planned:lldap/custody-escrow-2",
+      "admin_user": false,
+      "custody_material": "future share slot 3"
+    }
+  ],
+  "secret_material_recorded": false,
+  "notes": "Real contact data belongs only in .local/ or an encrypted custody store, never in Git or State Hub."
+}