Build location
Work primarily in oracle/src/keys. Keep related tests/docs beside that package unless this issue explicitly calls for a cross-package update.
Why this matters
The oracle supports local/HSM/KMS-like key management and should report health and rotation readiness without exposing secrets.
What to build
- Add health checks for configured key provider.
- Expose active key ID/fingerprint safely.
- Document rotation workflow and failure states.
Acceptance criteria
- Tests cover healthy provider, unavailable provider, and permission failure.
- Health output never includes private key material.
Suggested verification
cd oracle && npm run lint && npm run test && npm run build
Build location
Work primarily in
oracle/src/keys. Keep related tests/docs beside that package unless this issue explicitly calls for a cross-package update.Why this matters
The oracle supports local/HSM/KMS-like key management and should report health and rotation readiness without exposing secrets.
What to build
Acceptance criteria
Suggested verification
cd oracle && npm run lint && npm run test && npm run build