Guide OpenBao custody ceremony order

tools/security-bootstrap-console/README.md

@@ -57,6 +57,9 @@ notification/setup contact are all known.
 The custody packet is separate. It is the offline OpenBao ceremony envelope:
 selected custody strategy, recovery-material references, init checklist,
 unseal-share assignment slots, root-token disposition plan, and signature/date.
+Select the custody strategy first, prepare recovery material and the custody
+packet for that strategy, then approve the strategy. Only after that approval
+should the OpenBao preflight/init sequence begin.
 
 Secret capture is an architecture gate, not a user checkbox. The control
 surface must not request or store passwords, OTP seeds, recovery codes, private
@@ -164,6 +167,12 @@ python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-p
 
 This still does not run `bao operator init`.
 
+OpenBao itself is operated from the Railiance runbook. Public ingress is
+disabled, so the live ceremony uses Railiance `make` targets, `kubectl exec`,
+or an operator port-forward. The local UI can record non-secret milestones
+such as preflight passed, initialized/unsealed, root-token disposition, and
+restore drill passed; it must never record root tokens or unseal shares.
+
 Optional non-secret metadata can be supplied:
 
 ```bash