Post-onboarding nudge to back up pre-rotation key #82

@bordumb

Description

Problem

KERI pre-rotation is one of the strongest features of the identity model — the next rotation key is committed to at inception, so key compromise doesn't mean identity loss. But currently, users are never prompted to back up or even know about their pre-rotation key.

We shouldn't surface this during onboarding. The auths init flow should stay fast and frictionless — like how ssh-keygen lets you skip the passphrase and most tutorials tell you to. Security-conscious users set one later. Same principle: don't front-load complexity that blocks adoption.

Proposed behavior

1. auths doctor — gentle nudge

After identity creation, auths doctor should include a check:

"You have a pre-rotation key but haven't backed it up. Run auths key backup to export it."

Low severity, informational — not a blocker.

2. auths key backup / auths recovery export — explicit command

A dedicated command to export the pre-rotation key material when the user is ready. Clear warnings about what it is and how to store it safely.

3. Post-rotation prompt

After a user performs their first key rotation (auths key rotate), prompt them:

"You just rotated keys. Your new pre-rotation commitment is set. Run auths key backup to save your recovery key."

This is the natural moment where pre-rotation becomes concrete and meaningful.
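To make concrete why the pre-rotation key is the recovery key worth backing up, here is an added toy model of the commit-and-reveal chain the issue relies on. It is illustration written for this page, not auths or KERI implementation code. It uses Lamport one-time signatures only because they need nothing beyond hashlib (real KERI deployments use schemes such as Ed25519), and the event layout, field names and the `scenario` function are simplifications invented for the example. The scenario shows the three cases that matter: an attacker holding the stolen current key cannot rotate the identifier to a key they own, a controller who never backed up the pre-rotation key cannot rotate either, and a controller who did back it up rotates cleanly and commits to the next key.

```python
"""Toy model of KERI-style pre-rotation (added example, not project code).

Each event carries the public key currently in control and a hash
commitment to the *next* key. A rotation is only valid if it reveals a key
matching the prior commitment and is signed by that revealed key.
"""
import hashlib
import os
from dataclasses import dataclass


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key: 256 secret pairs; public key = their hashes."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = b"".join(H(a) + H(b) for a, b in priv)  # serialized, 16 KiB
    return priv, pub


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def sign(priv, msg: bytes) -> bytes:
    # Reveal one secret per message-hash bit. A Lamport key must sign only once.
    return b"".join(priv[i][b] for i, b in enumerate(_bits(msg)))


def verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pub) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, b in enumerate(_bits(msg)):
        expected = pub[i * 64 + b * 32 : i * 64 + b * 32 + 32]
        if H(sig[i * 32 : (i + 1) * 32]) != expected:
            return False
    return True


@dataclass(frozen=True)
class Event:
    kind: str            # "icp" (inception) or "rot" (rotation)
    seq: int
    prior: bytes         # digest of the previous event (empty for icp)
    key: bytes           # public key now in control
    next_commit: bytes   # H(next public key): the pre-rotation commitment
    sig: bytes = b""

    def body(self) -> bytes:
        return (self.kind.encode() + self.seq.to_bytes(4, "big")
                + self.prior + self.key + self.next_commit)

    def digest(self) -> bytes:
        return H(self.body())


def make_event(kind, seq, prior, cur_priv, cur_pub, next_pub):
    """Build an event controlled by cur_pub, committing to next_pub."""
    unsigned = Event(kind, seq, prior, cur_pub, H(next_pub))
    return Event(kind, seq, prior, cur_pub, H(next_pub), sign(cur_priv, unsigned.body()))


def validate_log(log) -> bool:
    """True iff the key event log is a valid chain from inception."""
    if not log or log[0].kind != "icp" or log[0].seq != 0 or log[0].prior != b"":
        return False
    if not verify(log[0].key, log[0].body(), log[0].sig):
        return False
    for prev, ev in zip(log, log[1:]):
        if ev.kind != "rot" or ev.seq != prev.seq + 1 or ev.prior != prev.digest():
            return False
        if H(ev.key) != prev.next_commit:           # must reveal the pre-committed key
            return False
        if not verify(ev.key, ev.body(), ev.sig):   # and prove control of it
            return False
    return True


def scenario() -> dict:
    """Constructed walk-through: inception, a stolen current key, and recovery."""
    k0_priv, k0_pub = keygen()   # current signing key
    k1_priv, k1_pub = keygen()   # pre-rotation key: what a backup command would export
    icp = make_event("icp", 0, b"", k0_priv, k0_pub, k1_pub)
    log = [icp]

    # Attacker steals k0_priv and tries to rotate to a key they own, signing with k0.
    a_priv, a_pub = keygen()
    forged = Event("rot", 1, icp.digest(), a_pub, H(a_pub))
    forged = Event("rot", 1, icp.digest(), a_pub, H(a_pub), sign(k0_priv, forged.body()))
    stolen_key_can_rotate = validate_log(log + [forged])   # rejected: H(a_pub) != commitment

    # Legitimate controller who lost k1 must mint a fresh key: same rejection.
    f_priv, f_pub = keygen()
    k2_priv, k2_pub = keygen()
    without_backup = validate_log(log + [make_event("rot", 1, icp.digest(), f_priv, f_pub, k2_pub)])

    # Controller who backed up k1 rotates to it and commits to k2.
    log.append(make_event("rot", 1, icp.digest(), k1_priv, k1_pub, k2_pub))
    return {
        "stolen_current_key_can_rotate": stolen_key_can_rotate,
        "rotate_without_prerotation_key": without_backup,
        "rotate_with_prerotation_key": validate_log(log),
    }
```

The validator checks the commitment before the signature, so both failing cases are rejected on the same line: nothing signed by the current key can move control to a key whose digest was not committed earlier. That is exactly why losing the pre-rotation key strands the identifier even for its rightful owner, and why the nudge after rotation is well placed.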

4. Enterprise/team docs

For organizations that need formal key ceremony procedures, document the pre-rotation backup as part of team onboarding — but keep it out of the individual developer fast path.

Non-goals

  • Don't require backup during auths init
  • Don't block any workflow on missing backup
  • Don't make the user think about key management before they've signed their first commit
