Per ADR-104 §Part C, infra/master secret rotation has no safe path today and is deferred to a dedicated auth-domain ADR.

Immediate safety (small, do first):

- init-secrets.sh --reset-key ENCRYPTION_KEY: refuse to regenerate the Fernet master without an explicit acknowledgement flag — today it silently orphans every stored API key (the script only warns). This is the "rake": regeneration ≠ rotation.

Design (auth ADR): per-secret rotation orchestration —

- ENCRYPTION_KEY: MultiFernet re-encryption (decrypt-old/encrypt-new) — a data migration.
- OAUTH_SIGNING_KEY: kid/keyset overlap (avoid forced re-login).
- POSTGRES_PASSWORD: ALTER USER + coordinated reconnect.
- GARAGE_RPC_SECRET: coordinated restart (multi-node in a federated future, ADR-088).
- INTERNAL_KEY_SERVICE_SECRET: coordinated service-token refresh.

Application-key rotation is already solved (ADR-031). Refs ADR-104, ADR-031.
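
To make "regeneration ≠ rotation" concrete for ENCRYPTION_KEY, the sketch below contrasts swapping in a fresh Fernet key with a MultiFernet decrypt-old/encrypt-new pass. It is an added example, not code from this project: the function names, the in-memory `STORE` and the sample values are assumptions, and it relies on the `cryptography` package.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed sample data: two fake API keys encrypted under the old master.
OLD_KEY = Fernet.generate_key()
NEW_KEY = Fernet.generate_key()
STORE = {1: Fernet(OLD_KEY).encrypt(b"sk-example-aaa"),
         2: Fernet(OLD_KEY).encrypt(b"sk-example-bbb")}


def orphaned_by_regeneration(store, new_key):
    """Count rows that become unreadable if new_key simply replaces the old one."""
    new_only = Fernet(new_key)
    orphaned = 0
    for token in store.values():
        try:
            new_only.decrypt(token)
        except InvalidToken:
            orphaned += 1
    return orphaned


def rotate(store, old_key, new_key):
    """Re-encrypt each row under new_key; return (migrated, failed_ids).

    MultiFernet encrypts with its first key and tries every key on decrypt,
    so rows already migrated by an interrupted run pass through cleanly.
    """
    keyset = MultiFernet([Fernet(new_key), Fernet(old_key)])
    migrated, failed = {}, []
    for row_id, token in store.items():
        try:
            migrated[row_id] = keyset.rotate(token)
        except InvalidToken:
            failed.append(row_id)  # unreadable under both keys: stop and investigate
    return migrated, failed


def safe_to_retire_old_key(store, new_key):
    """True only when every row decrypts under new_key alone."""
    return orphaned_by_regeneration(store, new_key) == 0


if __name__ == "__main__":
    print("orphaned by regeneration:", orphaned_by_regeneration(STORE, NEW_KEY))
    migrated, failed = rotate(STORE, OLD_KEY, NEW_KEY)
    print("failed rows:", failed)
    print("old key retirable:", safe_to_retire_old_key(migrated, NEW_KEY))
```

The old key stays in the keyset until `safe_to_retire_old_key` passes on the persisted rows; any entry in `failed` means the migration is incomplete and the old key must not be dropped.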