JWT key rotation: version-based private key selection #77

@fupelaqu

Description

Context

The client-side infrastructure for key rotation is already in place (Story 5.2):

  • ApiKeyClient sends version in every token request
  • JwtLicenseManager resolves public keys via kid from the JWT header → keys/{kid}.jwk on classpath
  • Multiple .jwk files can coexist on the classpath

However, the server side only supports a single key pair:

  • JwtSignerConfig loads one private key from LICENSING_JWT_PRIVATE_KEY env var
  • TokenEndpoints receives the version field but ignores it
  • No key registry or version → key mapping

Requirements (v2)

  1. Multi-key server support: store multiple private keys, keyed by kid
  2. Version-to-key mapping: configuration mapping client version ranges to kid (e.g., < 0.20 → softclient4es-v1, >= 0.20 → softclient4es-v2)
  3. Graceful rotation: old keys continue to work for older clients; new keys are used for new versions
  4. Key lifecycle: ability to deprecate/revoke old keys after a transition period
  5. Public key distribution: new public keys shipped in each community-extensions release

Non-goals (v2)

  • Automatic key generation (keys are generated offline and configured via env vars)
  • JWKS endpoint (public keys are embedded in the JAR, not fetched at runtime)

Current workaround (v1)

Single key pair with kid: "softclient4es". All versions use the same key. Rotation requires a coordinated release of both server and client.
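The version-to-kid mapping, kid-keyed key registry and lifecycle states described above, as an added illustration that is not the project's code: key material, status names, the v0/v1/v2 kids and the version ranges are constructed assumptions, and signing itself is left out.

```python
import base64
import json

# Constructed sample registry, not the project's real keys: kid -> status and key material.
# Private keys are placeholders; a real deployment loads one PEM/JWK per kid from env vars.
KEY_REGISTRY = {
    "softclient4es-v0": {"status": "revoked", "private_key": "<PLACEHOLDER-PEM-v0>"},
    "softclient4es-v1": {"status": "deprecated", "private_key": "<PLACEHOLDER-PEM-v1>"},
    "softclient4es-v2": {"status": "active", "private_key": "<PLACEHOLDER-PEM-v2>"},
}

# Client version ranges as (min inclusive, max exclusive, kid); None means no upper bound.
VERSION_MAP = [
    ((0, 0), (0, 10), "softclient4es-v0"),
    ((0, 10), (0, 20), "softclient4es-v1"),
    ((0, 20), None, "softclient4es-v2"),
]

def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable int tuple; reject anything else."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed client version: {text!r}")
    return tuple(int(p) for p in parts)

def kid_for_version(version_text):
    """Map the version sent by ApiKeyClient to the kid its token must be signed with."""
    version = parse_version(version_text)
    for low, high, kid in VERSION_MAP:
        if version >= low and (high is None or version < high):
            return kid
    raise LookupError(f"no signing key configured for version {version_text}")

def select_signing_key(version_text):
    """Server side: deprecated keys still sign (graceful rotation), revoked keys never do."""
    kid = kid_for_version(version_text)
    entry = KEY_REGISTRY[kid]
    if entry["status"] == "revoked":
        raise PermissionError(f"{kid} is revoked; client {version_text} must upgrade")
    return kid, entry["private_key"]

def jwt_header(kid, alg="RS256"):
    """Base64url JOSE header carrying the kid the client resolves to keys/{kid}.jwk."""
    raw = json.dumps({"alg": alg, "typ": "JWT", "kid": kid}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def kid_from_header(encoded):
    """Client-side counterpart: recover the kid that selects keys/{kid}.jwk on the classpath."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["kid"]
```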
