{
  "key_type": "Ed25519",
  "purpose": "CCAP Witness of Last Resort attestation ONLY",
  "non_purposes": [
    "Agent passport JWT signing (see rankigi-passport-key.json)",
    "Server-attested closure event signing (see rankigi-closure-key.json)"
  ],
  "status": "active",
  "status_note": "Witness key is active. Only the public half is published. The private half is held in the RANKIGI_WITNESS_PRIVATE_KEY Railway environment variable and is never committed to the repository. Rotation generates a fresh keypair and publishes the new public PEM here while archiving the prior fingerprint.",
  "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAKyxZz7WkojokBZa0Tl/Kd4q75fTrqPmDoFM/Kk25h1k=\n-----END PUBLIC KEY-----\n",
  "public_key_b64_spki": "MCowBQYDK2VwAyEAKyxZz7WkojokBZa0Tl/Kd4q75fTrqPmDoFM/Kk25h1k=",
  "fingerprint": "sha256:98c40e09b788b9ee1618c4117a0cf0c9ad250773a47f49997e0c0b61f5920752",
  "issued_at": "2026-05-24T00:30:00Z",
  "private_key_storage": "RANKIGI_WITNESS_PRIVATE_KEY env var",
  "verify_with": "python3 verify.py bundle.json --ccap",
  "contact": "security@rankigi.com",
  "archived_fingerprints": [
    "sha256:46c0fbf82cb03dc53f5180c006b86f4a45f938d5102c65b33355357c9e46c36d (issued 2026-05-24, rotated same day -- private half disclosed in build transcript before deploy, never used to sign a receipt)"
  ]
}