# 008 — Security: Key Rotation and Access Policies

- Area: `pkg/crypto/*`, `pkg/config/config.go`, `pkg/dht/encrypted_storage.go`
- Priority: Medium

## Background

Age/Shamir tests run at startup, but `SecurityConfig` (key rotation, audit logging) is not enforced. Role-based access beyond encryption is not audited or policy-gated.

## Scope / Deliverables

- Enforce `SecurityConfig`:
  - Key rotation interval respected; emit warnings/events when due.
  - Audit log writes for Store/Retrieve/Announce with role and node id.
  - Role-based access policy hook prior to store/retrieve; deny or log violations.

## Acceptance Criteria / Tests

- Rotations generate audit entries and update keys per policy (mocked acceptable).
- Audit log contains append-only entries for sensitive operations.

## Notes

- Coordinate with SHHH/keys component when available for centralized policy.
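The following is an added sketch, not code from this project, showing one way the three deliverables fit together: a rotation-due check driven by a `SecurityConfig` interval, a pre-operation policy hook that denies and records violations, and an append-only audit log whose entries are hash-chained so that deletion or edits are detectable. The `SecurityConfig` shape, the `Policy` type, the operation names and the sample roles are assumptions for illustration; the project's real types in `pkg/config` and `pkg/dht` may differ.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SecurityConfig is a hypothetical shape for the fields this task enforces.
type SecurityConfig struct {
	KeyRotationInterval time.Duration
}

// Operation names used by the policy hook and the audit trail (constructed).
const (
	OpStore    = "store"
	OpRetrieve = "retrieve"
	OpAnnounce = "announce"
)

// AuditEntry is one append-only record. PrevHash links it to the previous
// entry so that removing or altering an earlier entry breaks the chain.
type AuditEntry struct {
	Seq      int
	Time     time.Time
	Op       string
	Role     string
	NodeID   string
	Allowed  bool
	PrevHash string
	Hash     string
}

// AuditLog is an in-memory append-only log with a SHA-256 hash chain.
// A real implementation would persist entries to append-only storage.
type AuditLog struct {
	entries []AuditEntry
}

// Append records a decision for op by role/nodeID and returns the sealed entry.
func (l *AuditLog) Append(op, role, nodeID string, allowed bool, now time.Time) AuditEntry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.entries), Time: now, Op: op, Role: role,
		NodeID: nodeID, Allowed: allowed, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e
}

// hashEntry covers every field except Hash itself, including the link to the predecessor.
func hashEntry(e AuditEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%d|%s|%s|%s|%t|%s",
		e.Seq, e.Time.UnixNano(), e.Op, e.Role, e.NodeID, e.Allowed, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Verify recomputes the chain; it returns false if any entry was edited, reordered or dropped.
func (l *AuditLog) Verify() bool {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// Len reports how many entries have been appended.
func (l *AuditLog) Len() int { return len(l.entries) }

// Policy maps a role to the operations it may perform (constructed sample policy).
type Policy map[string]map[string]bool

var ErrDenied = errors.New("access denied by policy")

// Authorize is the hook to call before Store/Retrieve/Announce: every decision is
// audited with role and node id, and a denial is returned as an error.
func Authorize(p Policy, al *AuditLog, op, role, nodeID string, now time.Time) error {
	allowed := p[role][op] // missing role or op yields false: deny by default
	al.Append(op, role, nodeID, allowed, now)
	if !allowed {
		return fmt.Errorf("%w: role %q may not %s", ErrDenied, role, op)
	}
	return nil
}

// RotationDue reports whether the configured interval has elapsed since lastRotated.
// A zero interval disables the check rather than forcing constant rotation.
func RotationDue(cfg SecurityConfig, lastRotated, now time.Time) bool {
	return cfg.KeyRotationInterval > 0 && !now.Before(lastRotated.Add(cfg.KeyRotationInterval))
}

func main() {
	cfg := SecurityConfig{KeyRotationInterval: 24 * time.Hour}
	policy := Policy{"writer": {OpStore: true, OpRetrieve: true}, "reader": {OpRetrieve: true}}
	al := &AuditLog{}
	now := time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC)
	fmt.Println(Authorize(policy, al, OpStore, "reader", "node-A", now))  // denied, still audited
	fmt.Println(Authorize(policy, al, OpStore, "writer", "node-B", now))  // <nil>
	fmt.Println("rotation due:", RotationDue(cfg, now.Add(-25*time.Hour), now)) // true
	fmt.Println("audit chain intact:", al.Verify())                             // true
}
```

Denied requests are written to the log before the error is returned, so a policy violation always leaves a trace; the chain check is what turns "append-only" from a convention into something a reviewer can verify after the fact.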