This release adds cryptographic key validation to the platform startup sequence. RSA keys below the minimum acceptable length and JWT signing keys that do not meet algorithm-appropriate strength requirements cause startup to abort with a descriptive diagnostic. Previously, a misconfigured key would be accepted silently and surface as a runtime error only when the key was first used in a signing or verification operation.
What is validated
- RSA key minimum length. All configured RSA keys are checked against the minimum key size; a key below the threshold is rejected with a message that identifies the key and states the required minimum.
- JWT signing key strength. JWT keys are validated against the requirements of their declared algorithm — minimum byte length for HMAC keys, modulus or curve size for RSA and EC keys. A key that would produce a valid-looking but cryptographically weak signature is rejected before any token is issued.
- Descriptive abort diagnostics. Each failed check produces a message that names the key, states why it failed, and describes the corrective action, so operators can resolve the issue without consulting documentation.
No action is required for deployments already using keys that meet current security standards. Environments that provisioned short RSA keys from earlier scripts will encounter a startup failure with a clear remediation message on first upgrade to this release.