[Epic] Cross-cutting / Hardening

[iret77]

Epic — Cross-cutting / Hardening (spans phases). Collects the cross-cutting requirements from the Codex review that belong to no single phase but must land in the owning phase. No own milestone — each item is implemented in its owner phase and tracked here.

Items

• Key rotation / revocation / disaster recovery + operator runbook (R1/R11) — backup/restore, compromised-key revocation, DID-doc update, old-signature verification, recovery. Owner: Phase 1/4.
• anp_version migration (R7/R14b) — schema version registry, migration policy, backward verification, fixture versioning, compatibility tests. Owner: Phase 0 + Schema-backflow matrix + ANP PR process #2.
• GDPR / right to erasure vs. immutable anchors (R13b) — what is deletable (off-chain body/keys), what stays (hash/anchor), how the residue is explained, does deletion break verification? Owner: before productive PII processing.
• Multi-tenant isolation (R17) — tenant scoping across proof.identity/proof.store/proof.anchor/verify-link/auditor rights. Owner: Phase 1+.
• Clock / timestamp trust (R18) — ledger vs. local timestamp, skew, ordering. Owner: Phase 2.
• Observability baseline (R14) — metrics, alerts, degraded states, anchor-retry visibility. Owner: Phase 2.
• CI breadth beyond canonicalization — packaging/signing, Privacy-Shield boundary tests, UI e2e, cross-instance co-signing, migration tests. Owner: Phase 0, ongoing.
• IOTA tooling maturity (R19) — IOTA Identity/Gas Station/Notarization are pre-GA; pin versions, plan for pre-GA API breaks, keep anchor-mock carrying Phases 0–1. Owner: Phase 2.

Done

Each item implemented in its owner phase and linked; runbooks exist.

Refs: plan.md §6 (R9–R19), §11 (Codex IMPORTANT findings).