feat(oracle-worker): keeper key rotation without submission gap #180

@IbrahimIjai

Context

Rotating the keeper ed25519 key currently requires a full redeployment of the Cloudflare Worker with a new KEEPER_PRIVATE_KEY secret, which creates a submission gap while Cloudflare propagates the secret. During that window, on-chain oracle prices go stale.

This issue covers a zero-downtime rotation procedure supported by both the worker and the on-chain oracle contract.

Design

The on-chain oracle contract already supports multiple keeper public keys via keeper_public_key_prefix. Use this to run two keys concurrently during rotation:

  1. Register new key in data_store (admin tx)
  2. Configure KEEPER_PRIVATE_KEY_NEXT in Cloudflare Worker secrets
  3. Worker signs and submits prices with BOTH keys for one full epoch (N cron ticks)
  4. Deregister old key from data_store
  5. Remove KEEPER_PRIVATE_KEY (old) and rename KEEPER_PRIVATE_KEY_NEXT -> KEEPER_PRIVATE_KEY

Worker changes:

  • Read optional KEEPER_PRIVATE_KEY_NEXT in addition to KEEPER_PRIVATE_KEY
  • When KEEPER_PRIVATE_KEY_NEXT is set, produce two SignedPrice sets (one per key) and submit both in a single set_prices call
  • Log clearly when dual-key mode is active

Operational runbook:

  • Document the exact sequence of admin txs and wrangler secret commands in docs/KEY_ROTATION.md

Acceptance criteria

  • Worker reads KEEPER_PRIVATE_KEY_NEXT when present
  • Both keys sign the same prices and both signatures submitted in one set_prices call
  • Single-key mode unaffected when KEEPER_PRIVATE_KEY_NEXT is absent
  • docs/KEY_ROTATION.md documents the full rotation sequence step by step
  • Unit test: dual-key signing produces two valid signatures for the same price message
  • No submission gap in practice: test by running wrangler dev with both keys active
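The dual-key signing behaviour from the worker changes and acceptance criteria above, as an added JavaScript example using Node's built-in `crypto` module; it is not the project's worker code. The message encoding, function names and return shape are assumptions, and only the two secret names come from the issue.

```javascript
// Added example, not the project's worker code. The message layout, function
// names and return shape are assumptions; only the secret names are from the issue.
const crypto = require('node:crypto');

// Constructed test key standing in for a Worker secret (PEM-encoded PKCS#8).
function newKeeperKey() {
  const { privateKey } = crypto.generateKeyPairSync('ed25519');
  return privateKey.export({ type: 'pkcs8', format: 'pem' });
}

// Assumed canonical encoding; both keys must sign exactly the same bytes.
function priceMessage({ asset, price, timestamp }) {
  return Buffer.from(`${asset}|${price}|${timestamp}`, 'utf8');
}

function publicKeyHex(privateKey) {
  return crypto.createPublicKey(privateKey).export({ type: 'spki', format: 'der' }).toString('hex');
}

// KEEPER_PRIVATE_KEY is required; KEEPER_PRIVATE_KEY_NEXT only exists during rotation.
function loadKeeperKeys(env) {
  if (!env.KEEPER_PRIVATE_KEY) throw new Error('KEEPER_PRIVATE_KEY is required');
  const keys = [{ label: 'current', key: crypto.createPrivateKey(env.KEEPER_PRIVATE_KEY) }];
  if (env.KEEPER_PRIVATE_KEY_NEXT) {
    keys.push({ label: 'next', key: crypto.createPrivateKey(env.KEEPER_PRIVATE_KEY_NEXT) });
  }
  // Guard against a rotation where NEXT was set to the old key by mistake.
  if (keys.length === 2 && publicKeyHex(keys[0].key) === publicKeyHex(keys[1].key)) {
    throw new Error('KEEPER_PRIVATE_KEY_NEXT is the same key as KEEPER_PRIVATE_KEY');
  }
  return keys;
}

// One signed set per active key, all over the same price messages.
function signPrices(env, prices) {
  const keys = loadKeeperKeys(env);
  if (keys.length === 2) console.log('dual-key mode active: signing with current and next keys');
  return keys.map(({ label, key }) => ({
    label,
    publicKeyHex: publicKeyHex(key),
    signed: prices.map((p) => ({ ...p, signature: crypto.sign(null, priceMessage(p), key) })),
  }));
}

// Verify every signature in a set against that set's public key.
function verifySet(set) {
  const der = Buffer.from(set.publicKeyHex, 'hex');
  const pub = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  return set.signed.every((p) => crypto.verify(null, priceMessage(p), pub, p.signature));
}
```

A set checked against the other key's public key fails verification, which is why both keys have to be registered before dual-key mode is switched on.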

Labels: enhancement (New feature or request), infrastructure (CI, deploy scripts, tooling), oracle-worker (Cloudflare Worker oracle crate), security (Security-sensitive change)