diff --git a/docs/deploy.md b/docs/deploy.md index d41d832..1afad69 100644 --- a/docs/deploy.md +++ b/docs/deploy.md @@ -100,17 +100,22 @@ docker compose -f /srv/mnemosyne/docker-compose.yaml \ --username daedalus-service \ --password "{{ vault_mnemosyne_daedalus_service_password }}" -# Seed the MCP signing key (for Phase 2 per-turn JWT auth) -# --retire-other deactivates any previously-active key. -# Print the secret_hex and store in vault as vault_mnemosyne_signing_secret. +# Seed the MCPSigningKey used to sign long-lived Pallas team JWTs. +# --retire-other deactivates any previously-active key. The hex +# emitted to stdout is persisted in Mnemosyne's database and is +# not re-injected from the vault — no operator action required +# beyond running this command once per fresh deployment. docker compose -f /srv/mnemosyne/docker-compose.yaml \ run --rm app \ python manage.py seed_signing_key --kid daedalus-1 --retire-other ``` -The `seed_signing_key` command prints the generated secret once to stdout — -capture it and store in the vault. The Daedalus role reads this secret from the -same vault variable to mint per-turn tokens (Phase 2). +The `seed_signing_key` command prints the generated secret once to stdout — it +is safe to discard that output after the command succeeds. Mnemosyne persists +the active key inside ``MCPSigningKey`` and reads it directly when minting each +team JWT; Daedalus never sees this value. To rotate, re-run the command with +``--retire-other`` and then rotate every Pallas team JWT via the Daedalus admin +UI so consumers pick up bearers signed with the new key. --- 
@@ -372,4 +377,3 @@ will report as a failure. | `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` | | `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` | | `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` | -| `vault_mnemosyne_signing_secret` | (Phase 2) printed by `seed_signing_key`, stored here, consumed by Daedalus role |
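Review bot: In the first hunk (docs/deploy.md @@ -100), the rotation paragraph tells the operator to re-run `seed_signing_key --kid ... --retire-other` and "then" rotate every Pallas team JWT via the Daedalus admin UI, but `--retire-other` deactivates the previously-active key immediately, so every existing team JWT will fail verification from that moment until its consumer picks up a bearer signed with the new key. The doc should state this explicitly as a planned outage window (or describe an ordering in which the old key stays active until consumers have been re-issued), and it should use a new `--kid` value on rotation rather than repeating the `daedalus-1` shown in the example. Separately, the new text says the hex emitted to stdout "is safe to discard", yet the command still prints the live signing secret; add a sentence telling operators not to run it under a logged CI job or a terminal with output capture, since the printed value would otherwise persist in logs even though nothing needs it.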
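Review bot: The second hunk (docs/deploy.md @@ -372) drops the `vault_mnemosyne_signing_secret` row, which was the only place the doc told operators the signing key lived in the vault, but nothing replaces it. Since the active key now lives only in Mnemosyne's database (`MCPSigningKey`), the vault-variables table or the surrounding section should say that (a) any existing `vault_mnemosyne_signing_secret` entries in inventories are obsolete and should be removed, and (b) the database backup now carries signing-key material, so losing or restoring an older database invalidates or resurrects Pallas team JWTs accordingly. A one-line note here avoids operators assuming the key is still recoverable from the vault.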