Right now we have two distinct implementations for caching signing keys: 1 for callers with access to the DB (control plane) and workspace proxies. There's a decent amount of logic that is shared between the two and they're complex enough that they could be a source for bugs down the line.

Right now the priority is to get the key rotation feature into our internal dogfooding cluster to shake out any issues. The refactor can start immediately after while we wait to see if problems arise.