Key registry: hosted service with revocation and rotation

## Summary
Implement the public key registry for attestation verification.

## Phases
1. **Now**: JSON file in this repo (`keys/` directory) — maintainer-managed
2. **Soon**: Hosted at keys.forge-alloy.dev with API
3. **Later**: Certificate-based registration (auditor must sign key)

## Registry entry schema
```json
{
  "keyId": "continuum-ai/forge-runner-001",
  "algorithm": "ES256",
  "publicKey": "base64url...",
  "owner": "continuum-ai",
  "registeredAt": "2026-03-01T00:00:00Z",
  "expiresAt": "2027-03-01T00:00:00Z",
  "revokedAt": null,
  "supersededBy": null,
  "registrationAuthority": "forge-alloy-maintainers"
}
```

## Verification semantics
- Superseded (not revoked): old attestations still valid if signed before supersession
- Revoked: ALL attestations suspect regardless of timestamp
- Short-lived keys (90-day default) + registry polling for revocation propagation

## References
- docs/ATTESTATION.md — Key Registry section

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Key registry: hosted service with revocation and rotation #2

Summary

Phases

Registry entry schema

Verification semantics

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Key registry: hosted service with revocation and rotation #2

Description

Summary

Phases

Registry entry schema

Verification semantics

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions