Treat sealed OpenBao preflight as expected

docs/openbao.md

@@ -82,6 +82,8 @@ Expected immediately after install:
 - `bao status` reports `Initialized: false` and `Sealed: true`.
 
 That state is intentional until the bootstrap ceremony is completed.
+`bao status` may return exit code `2` while sealed; this is expected for the
+pre-init state and does not by itself indicate a deployment failure.
 
 ## Bootstrap Ceremony
 

scripts/openbao-verify.sh

@@ -75,8 +75,28 @@ run get pvc -n "$OPENBAO_NAMESPACE" >/dev/null
 ok "PVC query succeeded"
 
 step "OpenBao seal/init status"
-if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status; then
+status_output=""
+status_code=0
+if status_output="$(run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status 2>&1)"; then
+  status_code=0
+else
+  status_code=$?
+fi
+printf '%s\n' "$status_output"
+
+status_initialized="$(printf '%s\n' "$status_output" | awk '$1 == "Initialized" {print $2; exit}')"
+status_sealed="$(printf '%s\n' "$status_output" | awk '$1 == "Sealed" {print $2; exit}')"
+
+if [ "$status_code" -eq 0 ]; then
   ok "bao status command succeeded"
+elif [ "$status_code" -eq 2 ] && [ "$status_initialized" = "false" ] && [ "$status_sealed" = "true" ]; then
+  ok "OpenBao is reachable and waiting for first init/unseal ceremony"
+elif [ "$status_code" -eq 2 ] && [ "$status_sealed" = "true" ]; then
+  if [ "$MODE" = "basic" ]; then
+    ok "OpenBao is reachable and sealed"
+  else
+    warn "OpenBao is still sealed; post-unseal verification is not complete"
+  fi
 else
   warn "bao status failed. Check pod logs and command availability."
 fi