Problem
drs keygen must not teach developers to paste private keys into terminals, logs, shell history, or README snippets. The first key-management step should make the safe path the default.
What to do
Change the CLI default flow so it does not print secret material:
- write private key material to an encrypted local keystore
- print the DID and public key only by default
- keep raw private-key output behind an explicit
--stdout or similarly loud escape hatch
- document when the unsafe path is acceptable
Acceptance criteria
- default key generation never prints the private key
- local key material is encrypted at rest
- keystore file permissions are restrictive where the platform supports it
- tests cover default behavior and explicit raw-output behavior
- docs show the safe path first
Out of scope
- KMS or HSM support
- organisation-wide key rotation
- wallet integrations
Problem
drs keygenmust not teach developers to paste private keys into terminals, logs, shell history, or README snippets. The first key-management step should make the safe path the default.What to do
Change the CLI default flow so it does not print secret material:
--stdoutor similarly loud escape hatchAcceptance criteria
Out of scope