Key management: integrate AWS KMS (or HSM) for hot signing with minimal blast radius
## Description
If StreamPay still holds **keys** in environment variables, plan a migration to **KMS**-backed
signing, an HSM for material keys, and a split of the control plane from the data
plane, so that an RCE in the API cannot directly exfiltrate raw seeds. This is a Soroban and
Stellar best practice for escrow operators.
## Requirements and context
- **Threat model:** which attacks KMS blocks and which it does not.
- No long-lived unencrypted private keys in the container image or on disk.
- IAM least privilege; audit logs in the cloud provider.
- Key rotation: link to the earlier dual-sign issue; rotation without downtime.
- Tests in dev with `local-kms` or a similar mock; no live prod keys in CI.
## Suggested execution
1. `git checkout -b feature/kms-stellar-signing`
2. Prototype one signing path behind a feature flag; measure latency.
3. Open a PR with an architecture diagram and a security sign-off block.
4. If this becomes a multi-month program, break it into child issues; this issue covers planning plus the first slice within 96h.
5. Add a compliance note to the PR (fintech).
6. Run the full test suite; add or update tests until the agreed coverage bar is met.
7. Cover the edge cases listed in this issue; document any intentional exclusions with a brief rationale in the PR.
8. Include relevant test output (e.g. the test runner summary) or a link to a passing CI run in the pull request.
9. Add security notes for auth, keys, PII, chain settlement, or money movement (assumptions verified, out-of-scope items).
## Example commit message
`feat(security): integrate KMS for Stellar and Soroban signing; remove raw in-process keys`
## Guidelines
- Target: at least 95% coverage on new or meaningfully changed code (per the repo's standard tooling).
- Documentation: update contributor-facing or API documentation where a reviewer would be blocked without it.
- Timeframe: 96 hours to ready-for-review (surface blockers early).