Add OpenBao authenticated proof runbook

This commit is contained in:
2026-06-01 22:46:15 +02:00
parent 1f09e6dcae
commit dc4fe883a5
2 changed files with 24 additions and 0 deletions


@@ -1849,6 +1849,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
audit_list_command = token_prompt_command("bao audit list")
secrets_list_command = token_prompt_command("bao secrets list")
auth_list_command = token_prompt_command("bao auth list")
authenticated_readiness_command = (
"make -C ../railiance-platform openbao-verify-authenticated\n\n"
"# If a previous attended OIDC login stored a still-valid token in the pod helper, use:\n"
"make -C ../railiance-platform openbao-verify-authenticated "
"OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper"
)
platform_admin_token_command = token_prompt_command(
"bao token create -policy=platform-admin -period=24h -orphan"
)
@@ -1958,6 +1964,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
auth_list_command,
downstream_taint,
),
action(
"OpenBao authenticated readiness proof",
"Run the Railiance evidence-only verifier for file audit, platform secrets, Kubernetes auth, KeyCape auth, and audit-log write state. The default path prompts for a token without echoing it; the token-helper variant avoids local token movement when a valid pod helper token already exists.",
authenticated_readiness_command,
downstream_taint,
),
action(
"Create platform-admin token",
"Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
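Review bot: In the first hunk, the token-helper alternative embedded in `authenticated_readiness_command` is live shell rather than an annotation: only the explanatory line carries a `#`, so if the payload is pasted or executed as one snippet the verifier runs twice, first prompting for a token and then again with `OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper`. If the intent is to present an option the operator chooses, prefix the second command too, e.g. `"# make -C ../railiance-platform openbao-verify-authenticated "`, or split it into its own action as the sibling `token_prompt_command` payloads are. The description added in the second hunk ("the token-helper variant avoids local token movement when a valid pod helper token already exists") reads as a choice between two paths, which supports treating the second line as a comment. runbook_command_payloads begins and ends outside both hunks.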