P1-key-ops: signer key lifecycle drills (rotation, revocation, incident runbooks) #320

@omarespejel

Description

Summary

Operationalize key management beyond implementation code: rotation, revocation, and incident drills.

Problem

Even with signer isolation, production risk remains high without repeatable lifecycle operations.

Scope

  • Define key lifecycle policy for owner/session/signer keys:
    • rotation cadence
    • revocation triggers
    • emergency disable path
  • Add drill scripts and checklist for:
    1. normal rotation
    2. compromised signer credential incident
    3. forced session mass-revocation
  • Ensure logs are tamper-evident and correlated to drill IDs.
  • Document minimal required controls for DFNS/HSM-backed profiles.
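One way to satisfy the tamper-evident, drill-correlated logging item above, as an added example that is not the project's own code: a hash-chained JSON log in Python where every entry commits to the previous entry's hash, so any edit or deletion breaks verification. Drill IDs, step names and the tx reference are constructed placeholders.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(log: list, drill_id: str, step: str, ts: str,
                 tx_ref: Optional[str] = None) -> dict:
    """Append a drill step; the entry commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"drill_id": drill_id, "step": step, "ts": ts, "tx_ref": tx_ref}
    entry = {**record, "prev": prev, "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_log(log: list) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(log):
        record = {k: e[k] for k in ("drill_id", "step", "ts", "tx_ref")}
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, record):
            return i
        prev = e["hash"]
    return None


def drill_events(log: list, drill_id: str) -> list:
    """Correlate: all entries belonging to one drill, in chain order."""
    return [e for e in log if e["drill_id"] == drill_id]


if __name__ == "__main__":
    log = []
    # Constructed sample: one rotation drill and one revocation drill.
    append_event(log, "DRILL-ROT-001", "generate_new_signer", "2024-01-01T00:00:00Z")
    append_event(log, "DRILL-ROT-001", "submit_rotation_tx", "2024-01-01T00:05:00Z",
                 tx_ref="0xPLACEHOLDER_TX")
    append_event(log, "DRILL-REV-002", "mass_revoke_sessions", "2024-01-02T00:00:00Z")
    print("intact:", verify_log(log) is None)
    log[1]["tx_ref"] = "0xFORGED"  # simulate after-the-fact tampering
    print("first bad entry:", verify_log(log))
```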

Acceptance Criteria

  • Rotation drill runnable on Sepolia and documented
  • Incident drill produces auditable artifacts and tx references
  • Runbooks include rollback and recovery steps
  • Maintainer checklist added for pre-release readiness

Metadata

Labels

  • area:infra — CI/spec/conformance and tooling
  • area:security — Security hardening and threat-model correctness
  • enhancement — New feature or request
  • priority:P1 — High leverage / next
