{
  "$comment": "Trusted public keys for verifying Athena Systems North Star Decision Records. Published for transparency + key rotation. The verifier hardcodes these keys as its trust anchor (see verifier.js TRUSTED_KEYS) — this file is the human-readable source of truth, NOT the thing the verifier trusts at runtime. Public keys are public by definition: they are embedded in every signed record. The corresponding private keys live in AWS KMS (HSM-backed) and never leave it.",
  "keys": [
    {
      "id": "northstar-prod-2026-Q3",
      "algorithm": "ECDSA_P256_SHA256",
      "public_key_hex": "044fe307510da9764d7750237700588ced5eedb626d1b6157700bf41171f8291404c5a1845b9dd7225e127da84dcf1e4f92efdf164d6bcebbfbd8a35f39045088a",
      "key_format": "sec1-uncompressed",
      "effective_from": "2026-06-15T00:00:00Z",
      "effective_until": null,
      "compromise": null,
      "notes": "Production audit-record signing key. ECC NIST P-256, hardware-backed in AWS KMS (us-west-2)."
    }
  ]
}