Close backup handoff task

SCOPE.md

@@ -163,7 +163,8 @@ lessons into reusable S5 app release patterns.
   the app-side workflow behavior still needs explicit S5 readiness docs.
 - App-level backup and restore responsibilities need clearer handoff contracts
   with `railiance-platform`, especially for shared CNPG databases consumed by
-  S5 apps.
+  S5 apps. Forge artifact restore and secret-custody evidence is defined in
+  `/home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md`.
 
 ---
 

workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md

@@ -273,7 +273,7 @@ now point at that contract from their scope/intent docs.
 
 ```task
 id: RAILIANCE-WP-0006-T07
-status: todo
+status: done
 priority: high
 state_hub_task_id: "da8bfbab-4bc3-48f0-9837-acf43fec9f0c"
 ```
@@ -293,6 +293,14 @@ Cover:
 Done when the forge repo can state exactly what it owns, what S3 implements,
 and what evidence consumers can rely on.
 
+Completed 2026-06-05: the detailed handoff contract now lives in
+`/home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md`. It
+defines forge asset inventory, database/package blob restore gates,
+railiance-platform handoffs for CNPG, object storage, OpenBao, and runtime
+secret delivery, allowed versus forbidden operator references, SOPS/age
+bootstrap boundaries, and how S5 apps cite forge artifact restore evidence
+without owning registry credentials or package backup procedures.
+
 ---
 
 ## T08 - Add forge observability and operating evidence requirements