# Multi-Chain Execution — Key Rotation

**Last Updated:** 2026-01-31  
**Document Version:** 1.0  
**Status:** Active Documentation

---

**Scope:** Hot keys (execution), warm keys (MirrorRegistry publisher), cold keys (contract admin).

## Key tiers

- **Hot:** Transaction execution per lane; high turnover; segment by chain/wallet/lane.
- **Warm:** Commitment publishing to MirrorRegistry on public mainnets; one per chain or shared.
- **Cold:** Contract admin (MirrorRegistry, TransactionMirror, etc.); multisig + timelock preferred.

## Rotation procedure

### Hot keys

1. Generate new key; add to wallet lane config (env or secrets manager).
2. Sync nonce: set next nonce for (chainId, newWallet, lane) from on-chain getTransactionCount.
3. Route new intents to new wallet; drain or retire old wallet once pending txs finalize.
4. Update EO/config to use new wallet for that lane; remove old key from config.

### Warm keys (MirrorRegistry publisher)

1. Deploy or use existing MirrorRegistry; add new address as publisher via `setPublisher(newAddress, true)` (admin).
2. Configure Mirroring Service to use new warm key for submitCommit.
3. After confirming new key can submit: call `setPublisher(oldAddress, false)` (admin).
4. Rotate secret in KMS/env; restart Mirroring Service.

### Cold keys (contract admin)

1. Use multisig/timelock to propose new admin (e.g. MirrorRegistry.setAdmin(newAdmin)).
2. Execute after timelock; verify new admin on-chain.
3. Revoke old admin if applicable (contract-dependent).

## Verification

- Hot: Submit a test intent and confirm execution from new wallet.
- Warm: Trigger a commit and confirm CommitSubmitted event from new publisher.
- Cold: Perform a single admin action (e.g. setPublisher) and confirm it succeeds.