Complete OpenBao emergency drill gate

workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md

@@ -127,7 +127,7 @@ revoked or allowed to expire after the check.
 
 ```task
 id: NET-WP-0017-T02
-status: in_progress
+status: done
 priority: high
 state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88"
 ```
@@ -277,6 +277,19 @@ and non-secret evidence remain under `/tmp/netkingdom-openbao-restore-drill/`.
 `make security-bootstrap-validate-t02` now shows the restore evidence gate as
 done. T02 remains open only for emergency seal/unseal metadata and evidence.
 
+**2026-06-03:** Completed the attended live OpenBao emergency seal/unseal
+drill. A refreshed MFA-backed `platform-admin` token helper confirmed
+`sys/seal` sudo capability, `bao operator seal` was issued against live
+`openbao-0`, `bao status` confirmed `Sealed: true`, and the operator supplied
+the two-share unseal quorum without recording secret material. Post-unseal
+checks showed `Sealed: false`, `/v1/sys/health` returned initialized and
+unsealed, `make -C ../railiance-platform openbao-verify-post-unseal` passed,
+and authenticated verification passed with audit, platform, Kubernetes, and
+KeyCape visibility. Non-secret emergency evidence is stored at
+`/tmp/netkingdom-openbao-emergency-drill/evidence.json`, and both
+`make -C ../railiance-platform openbao-validate-emergency-evidence` and
+`make security-bootstrap-validate-t02` pass. NET-WP-0017-T02 is complete.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
 
 ```task