Start OpenBao audit recovery closeout

workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md

@@ -124,7 +124,7 @@ revoked or allowed to expire after the check.
 
 ```task
 id: NET-WP-0017-T02
-status: todo
+status: in_progress
 priority: high
 state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88"
 ```
@@ -139,6 +139,20 @@ Resolve the remaining OpenBao production-trust gates:
 - identify the next independent escrow holder for moving beyond temporary
   single-king custody.
 
+**2026-06-01:** Started the OpenBao audit/recovery closeout. Railiance source
+now has a declarative OpenBao file-audit stanza in
+`helm/openbao-values.yaml`, and its initial-config helper now verifies
+`bao audit list` instead of trying to create audit devices through the API.
+The Railiance post-unseal verifier also warns when
+`/openbao/audit/openbao-audit.log` is missing or empty. Live non-secret
+checks still show OpenBao healthy and unsealed with Bound data/audit PVCs, but
+the live Helm values do not yet include the declarative audit stanza and the
+audit directory is empty. Do not move production secrets into OpenBao until a
+planned Helm rollout is performed with unseal shares available, `file/` audit
+is visible, an audit log is written, durable audit shipping beyond the PVC is
+selected, and restore/emergency drill evidence plus a next escrow holder are
+recorded.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
 
 ```task