Add OpenBao emergency drill evidence validator

docs/openbao-emergency-drill-evidence.example.json

@@ -0,0 +1,21 @@
+{
+  "drill_date": "2026-06-01",
+  "operator": "platform-root",
+  "source_cluster": "railiance01",
+  "source_namespace": "openbao",
+  "source_pod": "openbao-0",
+  "seal_started_at": "2026-06-01T22:00:00Z",
+  "seal_command_issued": true,
+  "sealed_status_confirmed": true,
+  "sealed_status_observed_at": "2026-06-01T22:00:30Z",
+  "unseal_quorum_available": true,
+  "unseal_started_at": "2026-06-01T22:01:00Z",
+  "unseal_completed": true,
+  "unseal_completed_at": "2026-06-01T22:02:30Z",
+  "post_unseal_status_verified": true,
+  "post_unseal_readiness_verified": true,
+  "post_unseal_verification": "bao status reported Sealed false and make openbao-verify-post-unseal passed after the drill",
+  "availability_window_minutes": 3,
+  "no_secret_material_recorded": true,
+  "notes": "Do not record OpenBao tokens, root tokens, unseal shares, private keys, passwords, OTP seeds, or recovery codes."
+}

docs/openbao.md

@@ -322,6 +322,16 @@ Audit Core backend that writes JSONL records under
 days. Use it only to wire interfaces and setup validation before the durable
 Audit Core archive exists.
 
+Emergency seal/unseal drills are disruptive and must only run in an attended
+window with threshold unseal shares available. Record non-secret drill evidence
+using `docs/openbao-emergency-drill-evidence.example.json` as a template, then
+validate it with:
+
+```bash
+make openbao-validate-emergency-evidence \
+  OPENBAO_EMERGENCY_EVIDENCE=/path/to/evidence.json
+```
+
 Monitoring baseline:
 
 - pod readiness and liveness from Kubernetes probes