Owner-only. Retires the current signing secret and inserts a new one, with a 24-hour grace window
so in-flight tokens keep validating. The signing secret is stored in the database, never the config
file.List signing-secret metadata (never the bytes) with:
