Replies (1)

The epoch key is generated from the root key offline. The client never sees the root and has no visibility into the derivation process. All the client needs is the lineage event you publish that proves “this new pubkey descends from my root.” Once the client sees that lineage event, it just switches over automatically. Users shouldn’t need to understand HKDF or manage subkeys manually. Clients can handle rotation entirely. Right now the reference code is just a simple Python prototype that generates and rotates keys offline (see below). It’s a proof of concept. The end state is a small app or built-in client feature that handles all of this behind the scenes with one click while your root stays cold.
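The flow described in the reply, as an added stdlib-only example (not the poster's prototype, whose code is not reproduced on the page): the cold side derives an epoch key from the root seed with HKDF and publishes a lineage event signed by the root; the client holds only the root public key, checks the event's parent fingerprint, epoch number and signature, and then switches to the new epoch key. The event format, the HKDF `salt`/`info` labels and the `EpochClient` class are assumptions. The signature scheme is a toy Lamport one-time signature so the block runs without third-party packages; a real build would use Ed25519 or similar, and a one-time root key could not sign more than one event.

```python
"""Constructed example: offline epoch-key rotation via HKDF plus a root-signed lineage event."""
import hashlib
import hmac
import json

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, HASH).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def lamport_keypair(seed: bytes):
    """Toy Lamport one-time signature key pair, derived deterministically from a seed.
    Stand-in for a real scheme such as Ed25519 (assumption); each key should sign once."""
    sk = [[hmac.new(seed, b"%d:%d" % (i, b), HASH).digest() for b in (0, 1)] for i in range(256)]
    pk = b"".join(HASH(x).digest() for pair in sk for x in pair)  # element (i, b) sits at 2*i + b
    return sk, pk


def _bits(msg: bytes):
    digest = HASH(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32 or len(pk) != 512 * 32:
        return False
    for i, bit in enumerate(_bits(msg)):
        expected = pk[(2 * i + bit) * 32:(2 * i + bit + 1) * 32]
        if not hmac.compare_digest(HASH(sig[i * 32:(i + 1) * 32]).digest(), expected):
            return False
    return True


def fingerprint(pk: bytes) -> str:
    return HASH(pk).hexdigest()


# ---- cold side: runs offline, root seed never leaves this machine ----
def root_signing_keypair(root_seed: bytes):
    return lamport_keypair(hkdf(root_seed, b"root-signing", b"", 32))  # labels are assumptions


def epoch_keypair(root_seed: bytes, epoch: int):
    return lamport_keypair(hkdf(root_seed, b"epoch-key", b"epoch:%d" % epoch, 32))


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def publish_lineage_event(root_seed: bytes, epoch: int) -> dict:
    """Everything returned here is public: the epoch pubkey and a root signature over it."""
    root_sk, root_pk = root_signing_keypair(root_seed)
    _, epoch_pk = epoch_keypair(root_seed, epoch)
    body = {"epoch": epoch, "parent": fingerprint(root_pk), "pubkey": epoch_pk.hex()}
    return {"body": body, "sig": lamport_sign(root_sk, _canonical(body)).hex()}


# ---- client side: holds only the root *public* key ----
class EpochClient:
    def __init__(self, root_pk: bytes):
        self.root_pk = root_pk
        self.current_pk = None
        self.current_epoch = 0

    def accept(self, event: dict) -> bool:
        """Switch to the event's pubkey only if it provably descends from our root."""
        body = event["body"]
        if body.get("parent") != fingerprint(self.root_pk):
            return False  # claims descent from some other root
        if body.get("epoch", 0) <= self.current_epoch:
            return False  # replay or rollback to an older epoch
        if not lamport_verify(self.root_pk, _canonical(body), bytes.fromhex(event["sig"])):
            return False  # not signed by the root: tampered or forged
        self.current_pk = bytes.fromhex(body["pubkey"])
        self.current_epoch = body["epoch"]
        return True


if __name__ == "__main__":
    root_seed = hkdf(b"constructed demo root seed", b"", b"", 32)  # constructed; a real root stays cold
    client = EpochClient(root_signing_keypair(root_seed)[1])
    accepted = client.accept(publish_lineage_event(root_seed, 1))
    print("accepted:", accepted, "now on epoch", client.current_epoch)
```

The client code never touches `root_seed`; it is provisioned with the root public key once and afterwards only consumes lineage events, which is the property the reply relies on. The epoch check stops an old, still validly signed event from rolling a client back to a retired key.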