SC-12 Ed25519 key bootstrap
- System: SC-12 subsystem signing (parent: #515, bootstrap card: #2129)
- Owner: operator (Kristerpher)
- Bootstrapped: 2026-06-23 UTC by sre-agent
- Last reviewed: 2026-06-23
Purpose
Records the vault paths and public-key fingerprints for the three subsystem
Ed25519 signing keys used by SC-12. Verifier-side code pins these fingerprints
to authenticate that a sys_* event signature was produced by an authorized
subsystem — not injected.
Vault paths (private keys, prod)
All three private keys live at environment=prod in the Infisical vault
(vault.raxx.app). The vault folder /MooseQuest/raxx/ was created during
bootstrap (2026-06-23 UTC).
| Subsystem | Vault path |
|---|---|
| MQ-A scheduler | /MooseQuest/raxx/SC12_ED25519_PRIVKEY_MQA |
| Raptor order-router | /MooseQuest/raxx/SC12_ED25519_PRIVKEY_RAPTOR_ORDER_ROUTER |
| Raptor paper-gate | /MooseQuest/raxx/SC12_ED25519_PRIVKEY_RAPTOR_PAPER_GATE |
Public key fingerprints (SHA-256, bootstrapped 2026-06-23 UTC)
These are the fingerprints generated during the initial key bootstrap. Record new fingerprints here on every rotation (see Rotation procedure below).
| Subsystem | Key version | SHA-256 fingerprint |
|---|---|---|
| MQ-A scheduler | v1 (2026-06-23) | SHA256:FePI+ShqLQUySwgjgxj3Gy/2MGmtk9GE5zMlVQVGZAU |
| Raptor order-router | v1 (2026-06-23) | SHA256:T6xjRMhQjKZlrCYobcyZZsT1fJvV4hq2Ll0LsB0eD/M |
| Raptor paper-gate | v1 (2026-06-23) | SHA256:Ut4rXFxLeQsbdDUOTxHEkwvq7rNHnNhxJS8zQsNqhZs |
Verify fingerprints with:

```bash
ssh-keygen -l -f <pubkey_file>
```
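The pinning check described under Purpose, as an added Python example that is not SC-12's own verifier code: it recomputes the fingerprint that `ssh-keygen -l` prints from a `.pub` line and looks it up in the table above. The function names and the sample key are constructed for illustration; the verifier's actual language and layout are not stated in this doc.

```python
import base64
import hashlib
import struct

# Pinned fingerprints copied from the table in this document. Old versions stay
# listed after a rotation so historical events remain verifiable.
PINNED = {
    "SHA256:FePI+ShqLQUySwgjgxj3Gy/2MGmtk9GE5zMlVQVGZAU": ("MQ-A scheduler", "v1"),
    "SHA256:T6xjRMhQjKZlrCYobcyZZsT1fJvV4hq2Ll0LsB0eD/M": ("Raptor order-router", "v1"),
    "SHA256:Ut4rXFxLeQsbdDUOTxHEkwvq7rNHnNhxJS8zQsNqhZs": ("Raptor paper-gate", "v1"),
}
# OpenSSH wire format: uint32 length + key type, then uint32 length + 32 key bytes.
PREFIX = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)


def openssh_fingerprint(pub_line: str) -> str:
    """Return the SHA256 fingerprint of an ssh-ed25519 .pub line (ssh-keygen -l format)."""
    fields = pub_line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if not blob.startswith(PREFIX) or len(blob) != len(PREFIX) + 32:
        raise ValueError("blob is not a well-formed 32-byte Ed25519 public key")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorized_signer(pub_line: str, pins=PINNED):
    """Return (subsystem, key version) for a pinned key, or None if it is not pinned."""
    return pins.get(openssh_fingerprint(pub_line))


def make_pub_line(raw_key: bytes, comment: str) -> str:
    """Build a .pub line from raw key bytes (used only for the constructed sample)."""
    blob = PREFIX + raw_key
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample key (not one of the real SC-12 keys): it must be rejected.
SAMPLE = make_pub_line(bytes(range(32)), "constructed-sample")

if __name__ == "__main__":
    print(openssh_fingerprint(SAMPLE), authorized_signer(SAMPLE))
```

A key that is not in the table returns `None`, so a verifier built this way refuses any `sys_*` signature whose public key was never recorded here.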
Key generation procedure (for future rotations)
```bash
# Generate a new Ed25519 keypair (example: MQ-A)
# KEYDIR rather than TMPDIR: other tools read TMPDIR as their temp location,
# and it would be left pointing at a deleted directory after cleanup.
KEYDIR=$(mktemp -d /tmp/sc12-keys-XXXXXX)
ssh-keygen -t ed25519 -N "" -f "${KEYDIR}/mqa_key" -C "SC12-MQ-A-v2" -q
# Record the public fingerprint (safe to log)
ssh-keygen -l -f "${KEYDIR}/mqa_key.pub"
# Write the PRIVATE key to vault (do NOT print to terminal)
# Use the Infisical v3 REST API or infisical CLI:
# infisical secrets set SC12_ED25519_PRIVKEY_MQA="$(cat "${KEYDIR}/mqa_key")" \
#   --env=prod --path=/MooseQuest/raxx/
# Remove temp files immediately
rm -rf "${KEYDIR}"
```
Rules:
- Never print private key values to any terminal or log.
- Remove temp key files immediately after vault write.
- Retain old public key fingerprints in this doc (for verifying historical events).
- New key version does not require service redeploy — subsystems read private key from vault at startup or via live secret injection.
Rotation procedure
Per SC-12 acceptance criteria (#515): rotating to a new key version does not require a service redeploy. Steps:
- Generate a new keypair (see above).
- Add the new private key to vault under the same key name. Infisical retains version history for rollback.
- Record the new public fingerprint in this doc under a new version row.
- Notify the subsystems to reload (a dyno restart is sufficient for the current implementation — they read vault at startup).
- Verify: fire a test `sys_*` event and confirm the SC-6 integrity checker verifies the signature with the new key version.
- For breach-pipeline response: see `docs/ops/trace-signing-key-rotation.md` when that runbook is created (tracked in #515 AC).
Acceptance criteria status (from #2129)
- [x] Three Infisical vault entries exist at `/MooseQuest/raxx/` (prod)
- [x] Public-key fingerprints (SHA-256) recorded in this doc
- [x] Key-generation command + rotation procedure documented here
- [ ] Vault entries readable by Raptor + MQ-A service tokens — verify when those service tokens are provisioned (separate card)
References
- Parent card: #515 (SC-12 Ed25519 subsystem signing)
- Bootstrap card: #2129
- PR #2115 (security review batch — action item 4)
- Runbook (future): `docs/ops/trace-signing-key-rotation.md`
- Memory: `feedback_vault_folder_must_exist.md`