Configure OpenBao file audit declaratively

workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md

@@ -244,6 +244,17 @@ Authenticated checks for audit devices, auth methods, and mounts still require
 the OIDC-backed or temporary platform-admin path and remain part of the
 production-readiness closeout.
 
+**2026-06-01:** Added the source-side declarative file-audit configuration
+required by `NET-WP-0017-T02`: `helm/openbao-values.yaml` now includes an
+OpenBao `audit "file" "file"` stanza writing to
+`/openbao/audit/openbao-audit.log`, and
+`scripts/openbao-apply-initial-config.sh` now verifies audit visibility with
+`bao audit list` instead of attempting API-managed audit creation. The
+post-unseal verifier now warns when the audit log file is missing or empty.
+Live verification still reports the pod unsealed and healthy, but also reports
+the audit log file missing because this Helm change has not yet been rolled
+out. Roll out only in an attended window with unseal shares available.
+
 ### T07 - Cross-Repo Transition Tasks
 
 ```task