Treat sealed OpenBao preflight as expected

scripts/openbao-verify.sh

@@ -75,8 +75,28 @@ run get pvc -n "$OPENBAO_NAMESPACE" >/dev/null
 ok "PVC query succeeded"
 
 step "OpenBao seal/init status"
-if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status; then
+status_output=""
+status_code=0
+if status_output="$(run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status 2>&1)"; then
+  status_code=0
+else
+  status_code=$?
+fi
+printf '%s\n' "$status_output"
+
+status_initialized="$(printf '%s\n' "$status_output" | awk '$1 == "Initialized" {print $2; exit}')"
+status_sealed="$(printf '%s\n' "$status_output" | awk '$1 == "Sealed" {print $2; exit}')"
+
+if [ "$status_code" -eq 0 ]; then
   ok "bao status command succeeded"
+elif [ "$status_code" -eq 2 ] && [ "$status_initialized" = "false" ] && [ "$status_sealed" = "true" ]; then
+  ok "OpenBao is reachable and waiting for first init/unseal ceremony"
+elif [ "$status_code" -eq 2 ] && [ "$status_sealed" = "true" ]; then
+  if [ "$MODE" = "basic" ]; then
+    ok "OpenBao is reachable and sealed"
+  else
+    warn "OpenBao is still sealed; post-unseal verification is not complete"
+  fi
 else
   warn "bao status failed. Check pod logs and command availability."
 fi