Add OpenBao restore drill actions

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -263,6 +263,12 @@ Introduction & Actors, Subsystems & Scopes, Roles & Responsibilities,
 Integration & Tests, Artefacts & Locations, Usecases & Runbooks, and
 Terminology & Patterns.
 
+**2026-05-25:** Added Restore drill runbook action cards so the existing
+confirmation checkbox has a concrete path: prepare a restricted workspace,
+create/copy/hash an OpenBao Raft snapshot, encrypt it to the custodian age
+recipient, complete an isolated restore proof, rerun post-unseal verification,
+and record only non-secret completion evidence.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret