docs: commit all Phase 6 documentation updates and OpenSpec archives
- devops docs: 8 files updated for Phase 6 state; field-trial.md added (946-line runbook) - developer docs: api-reference (50+ endpoints), quick-start, 5 existing guides updated, 5 new guides added - engineering docs: all 12 files updated (services, architecture, SDK guide, testing, overview) - OpenSpec archives: phase-7-devops-field-trial, developer-docs-phase6-update, engineering-docs-phase6-update - VALIDATOR.md + scripts/start-validator.sh: V&V Architect tooling added - .gitignore: exclude session artifacts, build artifacts, and agent workspaces Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
@@ -87,6 +87,12 @@ Rotating the JWT keys invalidates all currently active tokens — every authenti
|
||||
|
||||
**Important:** There is no grace period or dual-key support in Phase 1. All tokens issued with the old private key are immediately rejected after rotation. If zero-downtime key rotation is required, it is a Phase 2 feature.
|
||||
|
||||
> **OIDC keys** are separate from the main JWT keys. OIDC signing keys are stored in the
|
||||
> `oidc_keys` PostgreSQL table (created by migration `014_create_oidc_keys_table.sql`), encrypted
|
||||
> at rest using pgcrypto (enabled by migration `018_enable_pgcrypto.sql`). The `OIDCKeyService`
|
||||
> manages rotation. OIDC keys do not need to be set as environment variables — they are
|
||||
> provisioned automatically on first startup.
|
||||
|
||||
---
|
||||
|
||||
## CORS Configuration
|
||||
|
||||
Reference in New Issue
Block a user