Add OpenBao restore evidence validator

docs/openbao-restore-drill-evidence.example.json

@@ -0,0 +1,22 @@
+{
+  "drill_date": "2026-06-01",
+  "operator": "platform-root",
+  "source_cluster": "railiance01",
+  "source_namespace": "openbao",
+  "source_pod": "openbao-0",
+  "snapshot_created": true,
+  "snapshot_sha256": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+  "snapshot_encrypted": true,
+  "encrypted_snapshot_sha256": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
+  "encrypted_snapshot_location": "operator-local encrypted restore drill workspace or approved encrypted custody location",
+  "isolated_environment": "disposable cluster, VM, or namespace reference",
+  "isolated_restore_completed": true,
+  "unseal_verified_in_isolation": true,
+  "test_secret_read_verified": true,
+  "post_restore_status_verified": true,
+  "post_restore_verification": "bao status, mount/auth/policy checks, and a non-production test secret read succeeded in the isolated environment",
+  "isolated_environment_destroyed": true,
+  "destroyed_environment_evidence": "operator note, VM deletion id, namespace deletion timestamp, or equivalent non-secret proof",
+  "no_secret_material_recorded": true,
+  "notes": "Do not record OpenBao tokens, root tokens, unseal shares, decrypted snapshots, private keys, passwords, OTP seeds, or recovery codes."
+}