From 968e3a09ee51b673f6d94dc60557f6a8156bbc1e Mon Sep 17 00:00:00 2001 From: "glm-5.2" Date: Tue, 23 Jun 2026 13:39:37 +0000 Subject: [PATCH] tasks: mark vault/key-versioning-rotation completed --- tasks/vault/key-versioning-rotation.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tasks/vault/key-versioning-rotation.md b/tasks/vault/key-versioning-rotation.md index e2ccd32..ce506f6 100644 --- a/tasks/vault/key-versioning-rotation.md +++ b/tasks/vault/key-versioning-rotation.md @@ -1,7 +1,7 @@ --- id: vault/key-versioning-rotation name: Implement version-indexed encryption key paths, bump CURRENT_KEY_VERSION to 2, and add rotate method -status: pending +status: completed depends_on: [vault/irpc-removal] scope: moderate risk: medium @@ -124,4 +124,11 @@ decrypt, rotate, derive_encryption_key_for_version), and possibly `derivation.rs ## Summary -> To be filled on completion \ No newline at end of file +Bumped `CURRENT_KEY_VERSION` to 2 (HD-derived per ADR-020). Added +`encryption_path_for_version` in derivation.rs (v2 → `m/74'/2'/0'/0'`, v3 → +`m/74'/2'/0'/1'`, rejects version < 2). Added `derive_encryption_key_for_version` ++ version-aware `encrypt`/`decrypt` + `rotate` method on `VaultServiceHandle` +(ADR-021). Each version maps to a distinct derivation path; the blob carries +its own version. 68 lib + 14 integration tests pass; clippy clean. Merged to +develop (resolved conflicts with remove-password-derivation and +poisoned-lock-recovery). \ No newline at end of file
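Review bot: In the front-matter hunk, `status: completed` is set while `depends_on: [vault/irpc-removal]` stays as it was, so confirm that the dependency is itself marked completed before this lands. Otherwise the task graph shows a finished task resting on an unfinished one. The unchanged `risk: medium` line is also worth a second look now that the work is merged, if the field is meant to track residual risk rather than implementation risk.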
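Review bot: In the Summary hunk, the text says `encryption_path_for_version` "rejects version < 2" and that `CURRENT_KEY_VERSION` was bumped to 2, but it does not say what happens to blobs written under the earlier key version. Please state whether they are still decryptable through another path, migrated, or intentionally refused. Similarly, `rotate` is named without saying whether it re-encrypts existing blobs or only changes the version used for new writes. Only two path mappings are given (v2 → `m/74'/2'/0'/0'`, v3 → `m/74'/2'/0'/1'`), so spell out the general rule and any upper bound on the version. One formatting point: the added line beginning `+ version-aware` starts with a `+` in the Markdown itself, which renderers treat as a bullet marker and which will break the paragraph. Replace it with "and" or move the `+` to the end of the previous line. The file also still ends without a trailing newline.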