DAO V1.1 Whitelist and Beyond: Community-Led Code Review

I checked every repo. The architecture has scaffolding for it: the DID cell uses a TYPE_ID type script (can be consumed and recreated in the same transaction), and Molecule schemas for PlcAuthorization witnesses exist in both the frontend (molecules.ts:84-155) and CCC’s unmerged feat/did-ckb branch, which goes further: it implements transferDidCkb to consume and recreate a DID cell with new data (key rotation, PDS endpoint change).

But none of it is wired up. createAccount.ts only creates DID cells, never updates them. No endpoint in the PDS or app_view accepts an updated DID document. PlcAuthorization is defined but unused.

Currently a lost or compromised signing key cannot be rotated. The DID must be abandoned, along with its handle, proposals, comments, and app-level voting history. On-chain vote cells and address bindings are tied to the CKB wallet address and survive.

Key rotation is one of several gaps between the proposal’s vision and the current implementation. I reviewed the full identity layer here: DAO V1.1 Web5 Identity Layer: A Community Review.

Phroi

3 Likes
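The consume-and-recreate pattern the post describes for the TYPE_ID DID cell, as an added example; it is not part of the original post and not code from any of the reviewed repos. Cells are modelled as plain objects, `classifyDidTransition` and the other names are hypothetical, and all sample values are constructed.

```typescript
// Added example: the TYPE_ID "consume and recreate" rule on plain objects.
// Field names follow CKB's script structure; every value below is constructed.
type CkbScript = { codeHash: string; hashType: string; args: string };
type CkbCell = { lock: CkbScript; type?: CkbScript; data: string };
type DidTransition =
  | { kind: "none" | "create" | "destroy" }
  | { kind: "update"; dataChanged: boolean; lockChanged: boolean }
  | { kind: "invalid"; reason: string };

const sameScript = (a?: CkbScript, b?: CkbScript): boolean =>
  !!a && !!b && a.codeHash === b.codeHash && a.hashType === b.hashType && a.args === b.args;

// Classify what a transaction does to the single cell identified by `didType`.
// `inputs` are the resolved cells being consumed, `outputs` the cells created.
// Not modelled: the args derivation TYPE_ID checks at creation, and any
// PlcAuthorization witness check on updates.
function classifyDidTransition(didType: CkbScript, inputs: CkbCell[], outputs: CkbCell[]): DidTransition {
  const consumed = inputs.filter((c) => sameScript(c.type, didType));
  const created = outputs.filter((c) => sameScript(c.type, didType));
  // At most one cell with this type script may appear on each side.
  if (consumed.length > 1 || created.length > 1) {
    return { kind: "invalid", reason: "more than one cell carries this TYPE_ID" };
  }
  const [oldCell] = consumed;
  const [newCell] = created;
  if (!oldCell && !newCell) return { kind: "none" };
  if (!oldCell) return { kind: "create" };
  if (!newCell) return { kind: "destroy" };
  // One in, one out: the type script (the identifier) is unchanged, so the DID
  // survives while its data (signing key, PDS endpoint) is replaced.
  return {
    kind: "update",
    dataChanged: oldCell.data !== newCell.data,
    lockChanged: !sameScript(oldCell.lock, newCell.lock),
  };
}

// Constructed sample: rotate the key stored in the DID cell's data.
const DID_TYPE: CkbScript = { codeHash: "0x" + "11".repeat(32), hashType: "type", args: "0x" + "ab".repeat(32) };
const WALLET_LOCK: CkbScript = { codeHash: "0x" + "22".repeat(32), hashType: "type", args: "0x" + "cd".repeat(20) };
const oldDid: CkbCell = { lock: WALLET_LOCK, type: DID_TYPE, data: "0x01" }; // old key (placeholder bytes)
const newDid: CkbCell = { lock: WALLET_LOCK, type: DID_TYPE, data: "0x02" }; // new key (placeholder bytes)
const feeCell: CkbCell = { lock: WALLET_LOCK, data: "0x" };

console.log(classifyDidTransition(DID_TYPE, [oldDid, feeCell], [newDid])); // rotation: same DID, new data
```

A transaction with no DID cell among its inputs classifies as `create`, which is the only case the post says `createAccount.ts` covers.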