Require concrete OpenBao restore evidence

workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md

@@ -210,6 +210,17 @@ Remaining T02 gates are restore-drill evidence, emergency seal/unseal drill
 evidence, the next independent escrow holder, and an explicit risk note if
 ordinary onboarding proceeds before the production Audit Core sink exists.
 
+**2026-06-01:** Tightened the restore-drill evidence gate. The local bootstrap
+metadata currently says `restore_drill_passed: true`, but that checkbox alone
+does not preserve enough non-secret evidence for review. Railiance now has a
+restore evidence JSON template and `make openbao-validate-restore-evidence`
+validator that checks for snapshot hashes, encrypted-snapshot hash/location,
+isolated restore completion, unseal/status/test-secret verification, isolated
+environment destruction, and `no_secret_material_recorded`. The NetKingdom
+control surface now includes a **Validate restore drill evidence** runbook
+card. T02 should not count the restore gate closed until a real non-secret
+evidence file from the prior or repeated drill passes that validator.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
 
 ```task