feat: OpenBao unseal custody models — automation-first with blocked alternatives

Document three init/unseal custody paths; default sops-held-automation for
fast rebuild cycles. Security bootstrap console lists models, blocks planned
attended-ceremony and auto-unseal-transit with hints, and gates init ceremony
on implemented selection. NET-WP-0020 tracks downstream SSH automation.

tools/security-bootstrap-console/tests/test_security_bootstrap_console.py

@@ -16,9 +16,35 @@ SPEC.loader.exec_module(console)
 def test_metadata_template_has_core_fields():
     tmpl = console.metadata_template()
     assert isinstance(tmpl, dict)
-    core = ["approval_scope", "bootstrap_mode", "custody_mode", "review_date"]
+    core = [
+        "approval_scope",
+        "bootstrap_mode",
+        "custody_mode",
+        "openbao_unseal_custody_model",
+        "review_date",
+    ]
     for f in core:
         assert f in tmpl
+    assert tmpl["openbao_unseal_custody_model"] == console.DEFAULT_OPENBAO_UNSEAL_CUSTODY_MODEL
+
+
+def test_openbao_unseal_custody_model_gate_automation_default():
+    data = console.metadata_template()
+    gate = console.openbao_unseal_custody_model_gate(data)
+    assert gate.status == "done"
+    init_gate = console.openbao_init_ceremony_gate(data)
+    assert init_gate.status == "automation"
+
+
+def test_openbao_unseal_custody_planned_models_blocked():
+    for model in ("attended-ceremony", "auto-unseal-transit"):
+        data = console.metadata_template()
+        data["openbao_unseal_custody_model"] = model
+        gate = console.openbao_unseal_custody_model_gate(data)
+        assert gate.status == "blocked"
+        assert "not yet implemented" in gate.reason.lower()
+        init_gate = console.openbao_init_ceremony_gate(data)
+        assert init_gate.status == "blocked"
 
 def test_onboarding_dry_run_template_has_required_fields():
     tmpl = console.onboarding_dry_run_template()