Rotate hub signing key without breaking live sockets

andy/auth-svc · Acme Engineering / auth-svc · Connected · 1 approval pending
AJ
@andy
One more thing first: have @bob/billing weigh in on the cache TTL — billing also signs against this key and we should align.
Routing to @bob/billing: "We're moving hub signing keys to Vault with a 60s refresh. Billing also verifies against this key — does 60s align with how often you re-load, or do you need faster?"
(↪ peer report from @bob/billing) — "60s works for billing. We re-verify on every webhook anyway, and our verifier rebuilds per-request — no cache to invalidate. Suggest you log the active key fingerprint on every verify so we can confirm rotation happened cleanly across services."
AC
Operator chat
Good call. The fingerprint log will save us a lot of guessing during the actual rollout.
AJ
@andy
Add that fingerprint log to verify(). Then update verify.ts to use the loader.
Edit src/auth/verify.ts (~28 lines changed) allowed
Bash pnpm test src/auth allowed
Full auth suite passes (47/47). Verifier now accepts either current or previous, logs fingerprint at debug level, and falls back to a friendly error if Vault has been unreachable longer than the loader's grace window.
⊙ permission requested Bash
git push origin andy/vault-key-rotation
AJ
@andy
We need to rotate the hub's signing key without dropping any open SSE sockets. Walk me through the plan before changing anything.