Require concrete OpenBao restore evidence

tools/security-bootstrap-console/security_bootstrap_console.py

@@ -1926,6 +1926,11 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
         "7. Destroy the isolated environment and record only non-secret evidence in this UI.\n"
         "RESTORE_DRILL"
     )
+    validate_restore_evidence_command = (
+        'export OPENBAO_RESTORE_EVIDENCE="${OPENBAO_RESTORE_EVIDENCE:-/tmp/netkingdom-openbao-restore-drill/evidence.json}"\n'
+        'make -C ../railiance-platform openbao-validate-restore-evidence '
+        'OPENBAO_RESTORE_EVIDENCE="$OPENBAO_RESTORE_EVIDENCE"'
+    )
     privacyidea_realm_command = f"bash {shlex.quote(str(PRIVACYIDEA_REALM_REPAIR))}"
 
     return [
@@ -2048,6 +2053,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
             isolated_restore_command,
             downstream_taint,
         ),
+        action(
+            "Validate restore drill evidence",
+            "Validate the non-secret restore-drill evidence JSON. A checkbox alone is not enough for NET-WP-0017-T02; the evidence must include hashes, isolated restore proof, verification flags, and destruction evidence without secret material.",
+            validate_restore_evidence_command,
+            downstream_taint,
+        ),
         action(
             "Run post-restore readiness check",
             "Re-run the Railiance post-unseal checks after restore evidence has been captured.",