Add OpenBao restore evidence validator

2026-06-01 23:57:00 +02:00
parent c0d4ec9037
commit 123b9aafce
5 changed files with 156 additions and 1 deletions

@@ -294,6 +294,13 @@ days; it is suitable for interface wiring and setup validation only. Railiance
still owns the OpenBao file audit device and PVC, while production retention,
tenant policy, and tamper-evident archive belong to Audit Core.
**2026-06-01:** Added a non-secret OpenBao restore-drill evidence template and
`make openbao-validate-restore-evidence`. The validator requires concrete
review evidence such as snapshot hashes, encrypted snapshot location, isolated
restore completion, unseal/status/test-secret verification, isolated
environment destruction, and a `no_secret_material_recorded` assertion. This
keeps `NET-WP-0017-T02` from relying on a bare UI checkbox for restore proof.
### T07 - Cross-Repo Transition Tasks
```task
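Review bot: In the added 2026-06-01 paragraph, `no_secret_material_recorded` is described only as an assertion the evidence must carry, so as written the non-secret guarantee rests on whoever fills in the template. If the validator also scans the evidence for secret-shaped values (unseal key shares, root tokens, the test secret's value), say so here; if it does not, consider adding that check or stating that the field is a self-attestation. The entry also names the make target but not the template's path, and it does not say whether "requires" means field presence or format validation (for example, which digest algorithm and length are expected for the snapshot hashes). A one-line pointer to the template and the validator would let a reviewer of `NET-WP-0017-T02` find both.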