pub async fn rotate_private_key(
creds: &AppCredentials,
sink_cfg: &SinkConfig,
) -> Result<()>Expand description
Rotate the App’s private key. Creates a new key, writes the new credentials to the sink, then deletes the old key. Idempotent: if the second or third step fails, re-running the rotate command picks up where it left off (the API tracks both keys until one is explicitly deleted).
Order of operations matters: the new key MUST be persisted to the sink BEFORE the old one is deleted, otherwise a partial failure could leave the operator with no working credentials.