Add OpenBao compromise runbooks to bootstrap UI

2026-05-25 13:38:03 +02:00
parent 976f399342
commit 7a060a0ee6
3 changed files with 224 additions and 27 deletions

@@ -84,7 +84,9 @@ The web UI is structured as:
privacyIDEA, KeyCape, the custodian age envelope, and Railiance OpenBao.
3. **Integration & Tests** - OIDC and OpenBao preflight checks, with every
operator command shown as a copyable console block.
4. **Artefacts & Locations** - final non-secret overview of established
4. **Usecases & Runbooks** - guided routines for key-material compromise,
trial-output exposure, and generating replacement unseal keys.
5. **Artefacts & Locations** - final non-secret overview of established
artefacts and where to find their custody references.
Role, subsystem, integration, and artefact records use the same fields:
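Review bot: The new item 4 is titled "Usecases & Runbooks"; write it as "Use Cases & Runbooks" so it matches the title case of the other section names in this list. The routines listed under it ("key-material compromise, trial-output exposure, and generating replacement unseal keys") should also use the same names the rest of the document uses for them. The later paragraph refers to the first one as **Key material compromised**, and an operator searching for a runbook during an incident will look for one exact title. Since the old item 4 is renumbered to 5, check the rest of the document for any reference to the sections by number or to the number of sections.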
@@ -99,6 +101,11 @@ role metadata and Cancel restores the last loaded values. Command cards use
available, needs to be run, should be repeated after a state change, or has
already succeeded.
The **Key material compromised** runbook is also useful for trial ceremonies:
mark the trial output as exposed, stop treating the generated unseal shares or
root token as production material, then either rotate unseal keys after unseal
or reset the trial environment before any live secrets are migrated.
The UI is a guide and approval surface, not the identity provider. Current
lightweight-mode credential placement is:
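Review bot: The added paragraph names two kinds of exposed material ("the generated unseal shares or root token") but the remediation it offers, "either rotate unseal keys after unseal or reset the trial environment", only deals with the shares in its first branch. Rotating unseal keys does not by itself invalidate an exposed root token, so the first branch should also tell the operator to revoke the trial root token, or the text should say that only a reset is acceptable once the root token has been exposed. It is also unclear whether "before any live secrets are migrated" applies to both branches or only to the reset; stating it up front as a precondition (for example "Before any live secrets are migrated, either ...") removes the ambiguity.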