Require emergency drill evidence validation

tools/security-bootstrap-console/security_bootstrap_console.py

@@ -1931,6 +1931,11 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
         'make -C ../railiance-platform openbao-validate-restore-evidence '
         'OPENBAO_RESTORE_EVIDENCE="$OPENBAO_RESTORE_EVIDENCE"'
     )
+    validate_emergency_evidence_command = (
+        'export OPENBAO_EMERGENCY_EVIDENCE="${OPENBAO_EMERGENCY_EVIDENCE:-/tmp/netkingdom-openbao-emergency-drill/evidence.json}"\n'
+        'make -C ../railiance-platform openbao-validate-emergency-evidence '
+        'OPENBAO_EMERGENCY_EVIDENCE="$OPENBAO_EMERGENCY_EVIDENCE"'
+    )
     privacyidea_realm_command = f"bash {shlex.quote(str(PRIVACYIDEA_REALM_REPAIR))}"
 
     return [
@@ -2029,6 +2034,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
             openbao_status_command,
             downstream_taint,
         ),
+        action(
+            "Validate emergency drill evidence",
+            "Validate non-secret evidence for an attended emergency seal/unseal drill. The evidence records timing, sealed-state proof, quorum availability, post-unseal verification, and absence of secret material.",
+            validate_emergency_evidence_command,
+            downstream_taint,
+        ),
         action(
             "Prepare restore drill workspace",
             "Create a local restricted directory for temporary snapshot evidence.",