gabriel / muse public
feat BREAKING task/high4-key-rotation #1 / 1
AI Agent gabriel · 59 days ago · Apr 17, 2026 · Diff

feat: muse auth rotate — HD key rotation to next index (HIGH-4)

New subcommand: muse auth rotate --hub <url> [--passphrase P] [--json]

Reads the current identity's hd_path to find the active rotation index (the 6th path component: m/purpose'/domain'/entity'/id'/role'/N'). Derives a new Ed25519 identity key at index N+1, overwrites the PEM, and updates identity.toml. The operator then re-registers the new fingerprint with 'muse auth register'.

Supporting changes:
  muse/core/keypair.py — generate_hd_keypair gains rotation_index param (default 0, fully backward compatible)
  muse/cli/commands/auth.py — _parse_rotation_index() helper, run_rotate(), rotate subparser registered in register()

Tests (tests/test_auth_rotate.py — 10 tests):
  I1-I4 basic rotation: different fingerprint, index increments, deterministic
  II1-3 --json fields, --passphrase and MUSE_BIP39_PASSPHRASE flow through
  III1-3 guard rails: no identity → fails; PEM is valid Ed25519; toml updated

sha256:16d36a7fd82056419e2f4ffa62fcc0ebcf4fde11429f7a9d69a48a27ef014a45 sha
sha256:d6083425940cea7ee03196d18c02488783a246cd35a7254482d4292468e3a8e9 snapshot
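
The commit message above locates the rotation index as the 6th component of m/purpose'/domain'/entity'/id'/role'/N'. The following is an added example, not code from this commit or from Muse: a strict parser that fails closed on malformed paths before bumping N, so a bad hd_path cannot silently lead to overwriting the PEM with a key derived from the wrong path. The helper names and the sample path values are hypothetical.

```python
"""Added example: locate and bump the rotation index in an HD path."""
import re

HARDENED_LIMIT = 2**31  # hardened child indexes occupy 0 .. 2**31 - 1
# One path component: decimal, no leading zeros, hardened marker required.
_COMPONENT = re.compile(r"(0|[1-9][0-9]*)'")


def split_hd_path(hd_path: str) -> list[int]:
    """Return the six indexes of m/purpose'/domain'/entity'/id'/role'/N'."""
    parts = hd_path.split("/")
    if parts[0] != "m" or len(parts) != 7:
        raise ValueError(f"expected m/ plus 6 components, got {hd_path!r}")
    indexes = []
    for part in parts[1:]:
        match = _COMPONENT.fullmatch(part)
        if match is None:
            raise ValueError(f"component {part!r} is not a hardened decimal index")
        value = int(match.group(1))
        if value >= HARDENED_LIMIT:
            raise ValueError(f"component {part!r} exceeds the hardened range")
        indexes.append(value)
    return indexes


def rotation_index_of(hd_path: str) -> int:
    """Active rotation index N (the 6th path component)."""
    return split_hd_path(hd_path)[5]


def rotated_path(hd_path: str) -> str:
    """Same path with N replaced by N+1; every other component is untouched."""
    indexes = split_hd_path(hd_path)
    if indexes[5] + 1 >= HARDENED_LIMIT:
        raise ValueError("rotation index exhausted")
    indexes[5] += 1
    return "m/" + "/".join(f"{i}'" for i in indexes)


# Constructed sample path; the numeric values are placeholders, not Muse's.
SAMPLE = "m/1'/2'/3'/4'/5'/0'"

if __name__ == "__main__":
    print(rotation_index_of(SAMPLE), "->", rotated_path(SAMPLE))
```
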
