Child of #438 (tracked under #434).
The #438 test suite landed on branch `rotation-refresh-security-tests` (commit b52b141) covering the happy-path and core security properties of `rotate_password`, `rotate_data_key`, and FROST share refresh. Two #438 scope items remain unimplemented; this issue covers the first.
Scope
Validate that a rotation interrupted partway through never corrupts the vault:
- Kill / abort `rotate_password` and `rotate_data_key` at each durability point: after the header backup copy, after `write_header_atomically`'s temp write but before rename, after the DB backup copy, mid `reencrypt_database`, and after the new header is written but before `verify_rotation_integrity`.
- After each simulated crash, reopen the vault and assert it is fully usable with EITHER the old or the new credential (never a half-rotated state), and that no leftover `.backup`/`.tmp` artifacts leave the vault unopenable.
- Cover concurrent/interleaved rotation attempts: confirm `acquire_rotation_lock` serializes them and the loser fails cleanly without touching state.
Notes
- The rollback paths already exist in `keep-core/src/rotation.rs` (header + db backup restore on error); these tests should exercise them via injected failure points rather than real process kills where possible.
- Relevant code: `rotate_password` / `rotate_data_key` / `write_header_atomically` / `acquire_rotation_lock` in `keep-core/src/rotation.rs`.
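The shape such a fault-injection harness could take, as an added example that is not keep-core's code: an in-memory model of the backup-copy / reencrypt / temp-write / rename / verify sequence with an injected failure at each durability point, run once as a recoverable `Err` (so the rollback path runs) and once as a hard stop (so nothing after the point runs), followed by the reopen-and-assert step and the lock check. The file names, the `FailAt` and `Mode` enums, the tag-based "encryption" and the `opens_with`/`open_vault`/`rotate` functions are all assumptions made for the example; only the sequence of durability points comes from the issue.

```rust
use std::collections::HashMap;

/// Simulated durable store (constructed for the example): file name -> bytes.
pub type Fs = HashMap<String, Vec<u8>>;

const HEADER: &str = "vault.header";
const HEADER_BAK: &str = "vault.header.backup";
const HEADER_TMP: &str = "vault.header.tmp";
const DB: &str = "vault.db";
const DB_BAK: &str = "vault.db.backup";
const LOCK: &str = "rotation.lock";

/// Durability points at which the injected failure fires (assumed names).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum FailAt { Never, AfterHeaderBackup, AfterDbBackup, MidReencrypt, AfterTmpWrite, BeforeVerify }

/// Soft: the failure surfaces as Err and the rollback path runs.
/// Hard: the process "dies" at that point, so no rollback code runs at all.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Mode { Soft, Hard }

pub const ALL_POINTS: [FailAt; 6] = [FailAt::Never, FailAt::AfterHeaderBackup,
    FailAt::AfterDbBackup, FailAt::MidReencrypt, FailAt::AfterTmpWrite, FailAt::BeforeVerify];

/// Toy stand-in for encryption: a header or DB row "under" `cred` carries its tag.
fn tagged(kind: &str, cred: &str) -> Vec<u8> { format!("{kind}:{cred}").into_bytes() }

/// The vault is usable with `cred` iff the header AND every DB row are under it,
/// so a half-reencrypted DB opens with neither credential.
pub fn opens_with(fs: &Fs, cred: &str) -> bool {
    let hdr_ok = fs.get(HEADER).map_or(false, |h| *h == tagged("HDR", cred));
    let row_tag = tagged("ROW", cred);
    let db_ok = fs.get(DB).map_or(false, |db| {
        db.split(|&b| b == b'\n').all(|row| row == row_tag.as_slice())
    });
    hdr_ok && db_ok
}

pub fn new_vault(cred: &str, rows: usize) -> Fs {
    let mut fs = Fs::new();
    fs.insert(HEADER.into(), tagged("HDR", cred));
    fs.insert(DB.into(), vec![tagged("ROW", cred); rows].join(&b'\n'));
    fs
}

/// The rotation body with one injected stop point; each comment marks a durability point.
fn rotation_steps(fs: &mut Fs, new: &str, fail: FailAt) -> Result<(), String> {
    let stop = |here: FailAt| -> Result<(), String> {
        if fail == here { Err(format!("injected failure at {here:?}")) } else { Ok(()) }
    };
    let hdr = fs[HEADER].clone();
    fs.insert(HEADER_BAK.into(), hdr);                    // 1: header backup copy
    stop(FailAt::AfterHeaderBackup)?;
    let db = fs[DB].clone();
    fs.insert(DB_BAK.into(), db.clone());                 // 2: DB backup copy
    stop(FailAt::AfterDbBackup)?;
    let mut rows: Vec<Vec<u8>> = db.split(|&b| b == b'\n').map(|r| r.to_vec()).collect();
    for i in 0..rows.len() {                              // 3: reencrypt row by row
        rows[i] = tagged("ROW", new);
        fs.insert(DB.into(), rows.join(&b'\n'));          // each row lands durably
        if i == 0 { stop(FailAt::MidReencrypt)?; }        // fires with a mixed DB on disk
    }
    fs.insert(HEADER_TMP.into(), tagged("HDR", new));     // 4: temp write of new header
    stop(FailAt::AfterTmpWrite)?;
    let tmp = fs.remove(HEADER_TMP).expect("temp header written above");
    fs.insert(HEADER.into(), tmp);                        // atomic rename temp -> header
    stop(FailAt::BeforeVerify)?;                          // 5: new header on disk, unverified
    if !opens_with(fs, new) { return Err("integrity verification failed".into()); }
    fs.remove(HEADER_BAK); fs.remove(DB_BAK);             // commit point: backups dropped
    Ok(())
}

/// Restore both backups if present and discard an unrenamed temp header.
fn rollback(fs: &mut Fs) {
    fs.remove(HEADER_TMP);
    if let Some(h) = fs.remove(HEADER_BAK) { fs.insert(HEADER.into(), h); }
    if let Some(d) = fs.remove(DB_BAK) { fs.insert(DB.into(), d); }
}

/// Lock, check the old credential, run the steps, roll back on a soft failure.
pub fn rotate(fs: &mut Fs, old: &str, new: &str, fail: FailAt, mode: Mode) -> Result<(), String> {
    if fs.contains_key(LOCK) { return Err("rotation already in progress".into()); } // loser exits here
    if !opens_with(fs, old) { return Err("old credential rejected".into()); }
    fs.insert(LOCK.into(), Vec::new());
    let result = rotation_steps(fs, new, fail);
    if result.is_err() {
        if mode == Mode::Hard { return result; }          // process died: nothing below runs
        rollback(fs);
    }
    fs.remove(LOCK);
    result
}

/// Reopen after a (simulated) crash: artifacts are recovered from, never fatal.
pub fn open_vault(fs: &mut Fs, cred: &str) -> bool {
    rollback(fs);      // a rotation that never reached its commit point is undone
    fs.remove(LOCK);   // stale lock left by a dead process
    opens_with(fs, cred)
}

/// One interrupted rotation; returns (opens with old, opens with new, artifacts left).
pub fn interrupted_rotation(fail: FailAt, mode: Mode) -> (bool, bool, bool) {
    let mut fs = new_vault("old-pw", 3);
    let _ = rotate(&mut fs, "old-pw", "new-pw", fail, mode);
    let old_ok = open_vault(&mut fs, "old-pw");
    let new_ok = open_vault(&mut fs, "new-pw");
    let artifacts = [HEADER_TMP, HEADER_BAK, DB_BAK, LOCK].iter().any(|f| fs.contains_key(*f));
    (old_ok, new_ok, artifacts)
}

/// A second rotation while the lock is held must fail without modifying anything.
pub fn loser_fails_cleanly() -> bool {
    let mut fs = new_vault("old-pw", 3);
    fs.insert(LOCK.into(), Vec::new());
    let before = fs.clone();
    let r = rotate(&mut fs, "old-pw", "new-pw", FailAt::Never, Mode::Soft);
    r.is_err() && fs == before
}

fn main() {
    for mode in [Mode::Soft, Mode::Hard] {
        for fail in ALL_POINTS {
            let (o, n, a) = interrupted_rotation(fail, mode);
            println!("{mode:?} {fail:?}: old={o} new={n} artifacts={a}");
        }
    }
    println!("lock loser fails cleanly: {}", loser_fails_cleanly());
}
```

The property the harness checks is the one the scope asks for: after every point and in both modes exactly one of the two credentials opens the vault, no `.backup`/`.tmp`/lock file remains after reopening, and the lock loser leaves the store byte-for-byte unchanged. In this model every interrupted run recovers to the old credential because reopening restores any backup that still exists; the test only requires "old or new, never neither", so a design that commits on a verified new header is equally acceptable.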