Add OpenBao emergency drill evidence validator

2026-06-02 00:08:17 +02:00
parent 123b9aafce
commit 606a5f3e1e
5 changed files with 152 additions and 1 deletions

@@ -301,6 +301,14 @@ restore completion, unseal/status/test-secret verification, isolated
environment destruction, and a `no_secret_material_recorded` assertion. This
keeps `NET-WP-0017-T02` from relying on a bare UI checkbox for restore proof.
**2026-06-01:** Added the matching non-secret emergency seal/unseal drill
evidence template and `make openbao-validate-emergency-evidence`. The validator
requires an attended seal/unseal evidence file with timing, sealed-state proof,
unseal quorum availability, post-unseal verification, availability-window
duration, and `no_secret_material_recorded`. The validator does not run the
disruptive drill; it only checks the evidence captured after the attended
operation.
### T07 - Cross-Repo Transition Tasks
```task
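Review bot: The added 2026-06-01 paragraph lists `no_secret_material_recorded` as a required field but does not say whether it is only an operator's self-attestation or whether the validator also inspects the evidence file for secret-like content. State which it is next to the field list, so that a passing `make openbao-validate-emergency-evidence` is not read as proof that the file is clean. The paragraph also names the make target but not the path of the evidence template, and unlike the restore paragraph above it, which cites `NET-WP-0017-T02`, it names no task that this evidence backs; adding both would let a reader find the file and the task it supports.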