v0.1.3 — Key Rotation in --force Reinit

What's New

Key Rotation Support (--force reinit)

Previously, amp-init --force immediately overwrote the private key before attempting provider registration. If the provider returned a 409 (name already taken with a different fingerprint), the old private key was gone — making it impossible to create the rotation proof required by POST /auth/rotate-keys. This silently broke all provider registrations.

Now, --force follows a safe rotation flow:

1. Generates new keys to a temp directory (old keys preserved)
2. Creates a rotation proof — signs the new public key with the old private key (Ed25519 -rawin)
3. Calls POST /auth/rotate-keys on each registered provider independently
4. Updates registration files with new fingerprint (and new API key if returned)
5. Swaps keys into place only after rotation attempts complete
6. Falls through to fresh POST /v1/register if no registrations exist

If some providers are unreachable or fail rotation, the keys still swap locally (user asked --force) and a warning directs to amp-register.sh for re-registration.

New Helper

• generate_keypair_to(target_dir) — generates Ed25519 keypair to a caller-specified directory instead of $AMP_KEYS_DIR

Files Changed

• scripts/amp-helper.sh — added generate_keypair_to()
• scripts/amp-init.sh — restructured --force flow with rotation support

Full Changelog: v0.1.2...v0.1.3