Audit HMAC: Auto-Load Signing Key from Secrets Manager

2026-03-17

audit-signer

What We Built

Audit entry signing now auto-loads the HMAC key from AWS Secrets Manager with 15-minute caching. The gateway pre-warms the key cache at boot, so the first request incurs zero additional latency. Signing falls back to the LOCAL_KEK_SECRET env var, then to unsigned entries with a warning.
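
The key resolution order described above, as an added example (not the audit-signer code itself). Assumptions: fetch_secret is a hypothetical callable standing in for the Secrets Manager read, and HMAC-SHA256 over canonical JSON, the sig field name, and not caching the fallback key are choices made for this example.

```python
import hashlib
import hmac
import json
import logging
import os
import time

log = logging.getLogger("audit-signer")
TTL_SECONDS = 15 * 60  # 15-minute key cache

class AuditKeyProvider:
    """Key order: secrets store, then LOCAL_KEK_SECRET, then None (unsigned)."""
    def __init__(self, fetch_secret, clock=time.monotonic, env=os.environ):
        self._fetch = fetch_secret  # hypothetical: returns key bytes or raises
        self._clock, self._env = clock, env
        self._key, self._expires = None, 0.0

    def get_key(self):
        now = self._clock()
        if self._key is not None and now < self._expires:
            return self._key  # cache hit: no network call on the request path
        try:
            self._key, self._expires = self._fetch(), now + TTL_SECONDS
            return self._key
        except Exception as exc:  # log the error type only, never key material
            log.warning("secrets store fetch failed: %s", type(exc).__name__)
        self._key = None  # assumption: fallback is not cached, so the next call retries
        local = self._env.get("LOCAL_KEK_SECRET")
        return local.encode() if local else None

    prewarm = get_key  # call once at boot so the first request hits the cache

def _canonical(entry):
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def sign_entry(entry, provider):
    key = provider.get_key()
    if key is None:
        log.warning("audit entry written UNSIGNED: no HMAC key available")
        return {**entry, "sig": None}
    return {**entry, "sig": hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()}

def verify_entry(signed, key):
    """Unsigned entries fail verification, so a silent fallback stays visible."""
    body = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    sig = signed.get("sig")
    return isinstance(sig, str) and hmac.compare_digest(sig, expected)
```

Because verify_entry rejects entries with no signature, a period spent in the unsigned fallback shows up at verification time as well as in the warning log.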

Lockstep Checklist

  • [x] API Routes: No changes.
  • [x] TS SDK: No changes needed.
  • [x] Python SDK: No changes needed.
  • [x] MCP Schemas: No changes needed.
  • [x] Master Record: N/A — security infrastructure change.