diff --git a/apps/playground/app/components/xid-tutorial/StepBackupInception.vue b/apps/playground/app/components/xid-tutorial/StepBackupInception.vue
new file mode 100644
index 00000000..7cf75b9a
--- /dev/null
+++ b/apps/playground/app/components/xid-tutorial/StepBackupInception.vue
@@ -0,0 +1,137 @@
+<script setup lang="ts">
+import { sskrSplitEnvelope, trySskrJoin } from '@/utils/xid-tutorial/backup'
+
+const {
+  activeDoc, activeIdentity, setActive, getPrivateEnvelope, setArtifact, completeAndAdvance,
+} = useXidTutorial()
+
+const splitting = ref(false)
+const shares = ref<string[]>([])
+const originalDigest = ref('')
+
+const recover1 = ref('')
+const recover2 = ref('')
+const recover3 = ref('')
+const recoveryResult = ref<{ ok: boolean, message: string } | null>(null)
+
+async function handleSplit() {
+  const env = getPrivateEnvelope()
+  if (!env) return
+  splitting.value = true
+  recoveryResult.value = null
+  // Yield a frame so the spinner paints before the (possibly Argon2id-backed)
+  // private-envelope build + split runs synchronously.
+  await nextTick()
+  try {
+    originalDigest.value = env.digest().hex()
+    const result = sskrSplitEnvelope(env, 1, [[2, 3]])
+    shares.value = result
+    recover1.value = result[0] ?? ''
+    recover2.value = result[1] ?? ''
+    recover3.value = ''
+    // Hand the shares to §5.5 so the compromise-recovery step can pre-fill them.
+    setArtifact('inception-backup-shares', JSON.stringify(result))
+  } finally {
+    splitting.value = false
+  }
+}
+
+function handleRecover() {
+  const provided = [recover1.value, recover2.value, recover3.value].map(s => s.trim()).filter(Boolean)
+  if (provided.length < 2) {
+    recoveryResult.value = { ok: false, message: 'Provide at least 2 shares.' }
+    return
+  }
+  const res = trySskrJoin(provided)
+  if (!res.ok) {
+    recoveryResult.value = { ok: false, message: `Recovery failed: ${res.reason}` }
+    return
+  }
+  const match = res.env.digest().hex() === originalDigest.value
+  recoveryResult.value = match
+    ? { ok: true, message: 'Recovered XID digest matches the original — backup verified.' }
+    : { ok: false, message: 'Recovered, but digest does NOT match the original.' }
+}
+
+function shortShare(s: string): string {
+  return s.length > 56 ? `${s.slice(0, 56)}…` : s
+}
+
+onMounted(() => {
+  if (activeIdentity.value !== 'amira') setActive('amira')
+})
+
+const canContinue = computed(() => recoveryResult.value?.ok === true)
+</script>
+
+<template>
+  <div class="space-y-6">
+    <section class="space-y-2">
+      <div class="flex items-center gap-3">
+        <span class="text-2xl">🧩</span>
+        <h2 class="text-xl font-semibold text-gray-900 dark:text-white">Backing Up Your Inception Key</h2>
+      </div>
+      <p class="text-sm text-gray-700 dark:text-gray-300 leading-relaxed">
+        The operational XID protects daily use, but the master is only as safe as its backup.
+        <strong>SSKR</strong> (Sharded Secret Key Reconstruction — Shamir's Secret Sharing) splits
+        the XID into shares, any <em>threshold</em> of which can reconstruct it. A single lost or
+        stolen share reveals nothing.
+      </p>
+    </section>
+
+    <UAlert v-if="!activeDoc" color="warning" icon="i-heroicons-exclamation-triangle" title="Need a XID first" description="Go back to §1.3." />
+
+    <template v-if="activeDoc">
+      <UAlert
+        color="info" variant="subtle" icon="i-heroicons-book-open"
+        title="Amira's story"
+        description="Amira splits her master XID 2-of-3: one share in a safe, one with a trusted friend, one in a bank box. She must prove recovery works BEFORE relying on it — never distribute shares you haven't tested."
+      />
+
+      <!-- Card A: split -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">1. Create backup shares (2-of-3)</h3>
+        <UButton
+          label="Split XID into 3 shares" icon="i-heroicons-scissors" color="primary"
+          :loading="splitting" :disabled="splitting"
+          @click="handleSplit"
+        />
+        <div v-if="shares.length" class="space-y-2">
+          <p class="text-xs text-gray-500">3 shares created — any 2 can recover:</p>
+          <div v-for="(s, i) in shares" :key="i" class="space-y-1">
+            <p class="text-xs font-medium text-gray-600 dark:text-gray-400">Share {{ i + 1 }}</p>
+            <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-2 rounded-md overflow-auto">{{ shortShare(s) }}</pre>
+          </div>
+        </div>
+      </div>
+
+      <!-- Card B: recover -->
+      <div v-if="shares.length" class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">2. Test recovery before distribution</h3>
+        <p class="text-sm text-gray-600 dark:text-gray-400">
+          Shares 1 &amp; 2 are pre-filled. Clear one and paste share 3 instead to prove any 2 work.
+        </p>
+        <UFormField label="Share A"><UTextarea v-model="recover1" :rows="2" class="w-full font-mono text-xs" /></UFormField>
+        <UFormField label="Share B"><UTextarea v-model="recover2" :rows="2" class="w-full font-mono text-xs" /></UFormField>
+        <UFormField label="Share C (optional)"><UTextarea v-model="recover3" :rows="2" class="w-full font-mono text-xs" /></UFormField>
+        <UButton label="Reconstruct & verify" icon="i-heroicons-puzzle-piece" color="primary" @click="handleRecover" />
+        <UAlert
+          v-if="recoveryResult" :color="recoveryResult.ok ? 'success' : 'error'"
+          :icon="recoveryResult.ok ? 'i-heroicons-check-circle' : 'i-heroicons-x-circle'"
+          :title="recoveryResult.ok ? 'Recovery test passed' : 'Recovery test failed'"
+          :description="recoveryResult.message"
+        />
+      </div>
+
+      <div class="flex justify-end">
+        <UButton
+          label="Continue to §5.4"
+          trailing-icon="i-heroicons-arrow-right"
+          color="primary" size="lg"
+          :disabled="!canContinue"
+          @click="completeAndAdvance(16)"
+        />
+      </div>
+    </template>
+  </div>
+</template>
diff --git a/apps/playground/app/components/xid-tutorial/StepBackupSshKey.vue b/apps/playground/app/components/xid-tutorial/StepBackupSshKey.vue
new file mode 100644
index 00000000..a4974196
--- /dev/null
+++ b/apps/playground/app/components/xid-tutorial/StepBackupSshKey.vue
@@ -0,0 +1,171 @@
+<script setup lang="ts">
+import { Envelope } from '@bcts/envelope'
+import { CONFORMS_TO, VERIFIABLE_AT } from '@bcts/known-values'
+import { passwordEncrypt, sskrSplitEnvelope, trySskrJoin } from '@/utils/xid-tutorial/backup'
+
+const {
+  activeSlot, activeDoc, activeIdentity, setActive, generateSshKey, sshPublicKeyText,
+  completeAndAdvance,
+} = useXidTutorial()
+
+const githubName = ref('BRadvoc8')
+const password = ref('amira')
+
+const wrappedTree = ref('')
+const wrappedEnv = shallowRef<Envelope | null>(null)
+
+const encryptedTree = ref('')
+const encryptedEnv = shallowRef<Envelope | null>(null)
+const encrypting = ref(false)
+
+const shares = ref<string[]>([])
+const recoveryResult = ref<{ ok: boolean, message: string } | null>(null)
+
+const hasSshKey = computed(() => activeSlot.value.sshKey !== null)
+const sshKeyText = computed(() => {
+  const ssh = activeSlot.value.sshKey
+  return ssh ? sshPublicKeyText(ssh.pubKeys) : ''
+})
+
+function handleGenerateSsh() {
+  generateSshKey('amira')
+}
+
+function handleWrap() {
+  const ssh = activeSlot.value.sshKey
+  if (!ssh) return
+  const name = githubName.value.trim()
+  // Mirror upstream §5.4: subject = the SSH PrivateKeys (a tagged-CBOR leaf),
+  // then metadata assertions. `subject type ur $SSH_PRVKEYS` == newLeaf(taggedCbor).
+  const env = Envelope.newLeaf(ssh.prvKeys.taggedCbor())
+    .addAssertion('keyType', 'signingKey')
+    .addAssertion(CONFORMS_TO, 'https://github.com')
+    .addAssertion(VERIFIABLE_AT, `https://api.github.com/users/${name}`)
+    .addAssertion('accountName', name)
+  wrappedEnv.value = env
+  wrappedTree.value = env.format()
+}
+
+async function handleEncrypt() {
+  if (!wrappedEnv.value) return
+  encrypting.value = true
+  recoveryResult.value = null
+  await nextTick()
+  try {
+    const enc = passwordEncrypt(wrappedEnv.value, password.value)
+    encryptedEnv.value = enc
+    encryptedTree.value = enc.format()
+  } finally {
+    encrypting.value = false
+  }
+}
+
+function handleSplit() {
+  if (!encryptedEnv.value) return
+  const result = sskrSplitEnvelope(encryptedEnv.value, 1, [[2, 3]])
+  shares.value = result
+  // Verify all three pairwise combinations recover the same digest.
+  const original = encryptedEnv.value.digest().hex()
+  const combos: [number, number][] = [[0, 1], [1, 2], [0, 2]]
+  const allMatch = combos.every(([a, b]) => {
+    const res = trySskrJoin([result[a] ?? '', result[b] ?? ''])
+    return res.ok && res.env.digest().hex() === original
+  })
+  recoveryResult.value = allMatch
+    ? { ok: true, message: 'All three 2-of-3 combinations recover the encrypted key.' }
+    : { ok: false, message: 'One or more share combinations failed to recover.' }
+}
+
+function shortShare(s: string): string {
+  return s.length > 56 ? `${s.slice(0, 56)}…` : s
+}
+
+onMounted(() => {
+  if (activeIdentity.value !== 'amira') setActive('amira')
+})
+
+const canContinue = computed(() => recoveryResult.value?.ok === true)
+</script>
+
+<template>
+  <div class="space-y-6">
+    <section class="space-y-2">
+      <div class="flex items-center gap-3">
+        <span class="text-2xl">🔐</span>
+        <h2 class="text-xl font-semibold text-gray-900 dark:text-white">Backing Up Your SSH Key</h2>
+      </div>
+      <p class="text-sm text-gray-700 dark:text-gray-300 leading-relaxed">
+        Your XID isn't the only key worth protecting. Amira's SSH signing key (the one GitHub has
+        on file, from §3.1) deserves the same treatment: wrap it in an annotated envelope,
+        password-encrypt it, then SSKR-shard it for resilient backup.
+      </p>
+    </section>
+
+    <UAlert v-if="!activeDoc" color="warning" icon="i-heroicons-exclamation-triangle" title="Need a XID first" description="Go back to §1.3." />
+
+    <template v-if="activeDoc">
+      <!-- SSH key -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">SSH signing key</h3>
+        <div v-if="hasSshKey" class="space-y-1">
+          <div class="flex items-center gap-2 text-sm">
+            <UIcon name="i-heroicons-check-circle" class="w-5 h-5 text-green-500" />
+            <span>SSH signing key ready.</span>
+          </div>
+          <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-2 rounded-md overflow-auto">{{ sshKeyText }}</pre>
+        </div>
+        <UButton v-else label="Generate SSH signing key" icon="i-heroicons-key" color="primary" @click="handleGenerateSsh" />
+      </div>
+
+      <template v-if="hasSshKey">
+        <!-- Card A: wrap + annotate -->
+        <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+          <h3 class="text-sm font-semibold">1. Wrap the key + add metadata</h3>
+          <UFormField label="GitHub account">
+            <UInput v-model="githubName" class="w-full" />
+          </UFormField>
+          <UButton label="Build key envelope" icon="i-heroicons-document-text" color="primary" @click="handleWrap" />
+          <pre v-if="wrappedTree" class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-72">{{ wrappedTree }}</pre>
+        </div>
+
+        <!-- Card B: encrypt -->
+        <div v-if="wrappedEnv" class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+          <h3 class="text-sm font-semibold">2. Encrypt with a password</h3>
+          <UFormField label="Password (Argon2id)">
+            <UInput v-model="password" class="w-full" />
+          </UFormField>
+          <UButton label="Encrypt key envelope" icon="i-heroicons-lock-closed" color="primary" :loading="encrypting" :disabled="encrypting" @click="handleEncrypt" />
+          <pre v-if="encryptedTree" class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-48">{{ encryptedTree }}</pre>
+        </div>
+
+        <!-- Card C: shard -->
+        <div v-if="encryptedEnv" class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+          <h3 class="text-sm font-semibold">3. Shard the encrypted key (2-of-3)</h3>
+          <UButton label="Split into 3 shares" icon="i-heroicons-scissors" color="primary" @click="handleSplit" />
+          <div v-if="shares.length" class="space-y-2">
+            <div v-for="(s, i) in shares" :key="i" class="space-y-1">
+              <p class="text-xs font-medium text-gray-600 dark:text-gray-400">Share {{ i + 1 }}</p>
+              <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-2 rounded-md overflow-auto">{{ shortShare(s) }}</pre>
+            </div>
+          </div>
+          <UAlert
+            v-if="recoveryResult" :color="recoveryResult.ok ? 'success' : 'error'"
+            :icon="recoveryResult.ok ? 'i-heroicons-check-circle' : 'i-heroicons-x-circle'"
+            :title="recoveryResult.ok ? 'All combinations verified' : 'Recovery failed'"
+            :description="recoveryResult.message"
+          />
+        </div>
+      </template>
+
+      <div class="flex justify-end">
+        <UButton
+          label="Continue to §5.5"
+          trailing-icon="i-heroicons-arrow-right"
+          color="primary" size="lg"
+          :disabled="!canContinue"
+          @click="completeAndAdvance(17)"
+        />
+      </div>
+    </template>
+  </div>
+</template>
diff --git a/apps/playground/app/components/xid-tutorial/StepEditions.vue b/apps/playground/app/components/xid-tutorial/StepEditions.vue
index e6f63ee9..35773b56 100644
--- a/apps/playground/app/components/xid-tutorial/StepEditions.vue
+++ b/apps/playground/app/components/xid-tutorial/StepEditions.vue
@@ -164,9 +164,9 @@ function useCurrent(slot: 'paste1' | 'paste2') {
 
       <div class="flex justify-end">
         <UButton
-          label="Finish tutorial"
-          trailing-icon="i-heroicons-check-circle"
-          color="success" size="lg"
+          label="Continue to Chapter 5 · Managing Your Keys"
+          trailing-icon="i-heroicons-arrow-right"
+          color="primary" size="lg"
           @click="completeAndAdvance(13)"
         />
       </div>
diff --git a/apps/playground/app/components/xid-tutorial/StepKeyCompromise.vue b/apps/playground/app/components/xid-tutorial/StepKeyCompromise.vue
new file mode 100644
index 00000000..850a0f15
--- /dev/null
+++ b/apps/playground/app/components/xid-tutorial/StepKeyCompromise.vue
@@ -0,0 +1,274 @@
+<script setup lang="ts">
+import { Privilege } from '@bcts/xid'
+import type { Envelope } from '@bcts/envelope'
+import { trySskrJoin } from '@/utils/xid-tutorial/backup'
+import { loadXidFromUr } from '@/utils/xid-tutorial/identity'
+import { keyDisavowalInfo, type DisavowedKey } from '@/utils/xid-tutorial/keys'
+import { buildSignedDisavowal } from '@/utils/xid-tutorial/disavowal'
+import type { SideKey } from '@/utils/xid-tutorial/types'
+
+const {
+  activeDoc, activeSlot, activeIdentity, setActive, keyInventory, getArtifact,
+  removeActiveKeyByNickname, addOperationalKeyToActive, advanceProvenance,
+  buildOperationalEnvelope, completeAndAdvance,
+} = useXidTutorial()
+
+// Step A — reconstruct authority from §5.3 shares
+const recover1 = ref('')
+const recover2 = ref('')
+const reconstructResult = ref<{ ok: boolean, message: string } | null>(null)
+
+// Step B — revoke + re-key
+const revokeNickname = ref('')
+const revokeDone = ref(false)
+const rekeyDone = ref(false)
+const provenanceAdvanced = ref(false)
+// Captured at revoke time so Step D can name the keys in a signed disavowal,
+// and the replacement key (the signer of that disavowal).
+// shallowRef so Vue's UnwrapRef doesn't mangle the PublicKeys/Digest class types.
+const disavowedKeys = shallowRef<DisavowedKey[]>([])
+const replacementKey = shallowRef<SideKey | null>(null)
+
+// Step C — rebuild operational view
+const operationalTree = ref('')
+const operationalBuilt = ref(false)
+
+// Step D — disavowal statement
+const disavowalTree = ref('')
+const disavowalVerified = ref<boolean | null>(null)
+const disavowalBuilt = ref(false)
+
+const operationalNicknames = computed(() =>
+  keyInventory.value.filter(k => !k.isInception).map(k => ({ label: k.nickname, value: k.nickname })),
+)
+
+function handleReconstruct() {
+  const provided = [recover1.value, recover2.value].map(s => s.trim()).filter(Boolean)
+  if (provided.length < 2) {
+    reconstructResult.value = { ok: false, message: 'Paste at least 2 shares from §5.3.' }
+    return
+  }
+  const res = trySskrJoin(provided)
+  if (!res.ok) {
+    reconstructResult.value = { ok: false, message: `Reconstruction failed: ${res.reason}` }
+    return
+  }
+  try {
+    const doc = loadXidFromUr(res.env.urString(), activeSlot.value.password || undefined)
+    const seq = doc.provenance()?.seq()
+    reconstructResult.value = {
+      ok: true,
+      message: seq !== undefined
+        ? `Recovered the master XID — provenance sequence ${seq}, chain intact.`
+        : 'Recovered the master XID.',
+    }
+  } catch (e) {
+    reconstructResult.value = { ok: false, message: e instanceof Error ? e.message : 'Could not load recovered XID' }
+  }
+}
+
+function handleRevoke() {
+  const name = revokeNickname.value
+  const doc = activeDoc.value
+  if (!name || !doc) return
+  // Capture the key's identity BEFORE removing it (mirrors upstream: run
+  // `xid key find name` + `digest` ahead of `key remove`).
+  const info = keyDisavowalInfo(doc, name)
+  if (info) disavowedKeys.value = [...disavowedKeys.value, info]
+  if (removeActiveKeyByNickname(name)) revokeDone.value = true
+}
+
+function handleRekey() {
+  const base = revokeNickname.value || 'operational-key'
+  const side = addOperationalKeyToActive(`${base}-may2026`, 'Ed25519', [
+    Privilege.Auth, Privilege.Sign, Privilege.Elide, Privilege.Access,
+  ])
+  if (side) {
+    replacementKey.value = side
+    rekeyDone.value = true
+  }
+}
+
+function handleBuildDisavowal() {
+  const doc = activeDoc.value
+  const signer = replacementKey.value
+  if (!doc || !signer || disavowedKeys.value.length === 0) return
+  const today = new Date()
+  const stamp = today.toISOString().slice(0, 10).replace(/-/g, '')
+  const n = disavowedKeys.value.length
+  const signed = buildSignedDisavowal({
+    disavowerXidUr: doc.xid().urString(),
+    subject: `disavowal-statement-${stamp}`,
+    statement: `Disavowing signatures from ${n} key${n === 1 ? '' : 's'} during the compromise window`,
+    reason: 'Key compromise: unauthorized access',
+    date: today,
+    keys: disavowedKeys.value,
+  }, signer.prvKeys)
+  disavowalTree.value = signed.format()
+  disavowalVerified.value = signed.hasSignatureFrom(signer.pubKeys)
+  disavowalBuilt.value = true
+}
+
+function handleAdvance() {
+  advanceProvenance()
+  provenanceAdvanced.value = true
+}
+
+function handleRebuild() {
+  const env: Envelope | null = buildOperationalEnvelope()
+  if (env) {
+    operationalTree.value = env.treeFormat()
+    operationalBuilt.value = true
+  }
+}
+
+onMounted(() => {
+  if (activeIdentity.value !== 'amira') setActive('amira')
+  // Pre-fill from the shares §5.3 stashed.
+  const stashed = getArtifact('inception-backup-shares')
+  if (stashed) {
+    try {
+      const arr = JSON.parse(stashed) as string[]
+      recover1.value = arr[0] ?? ''
+      recover2.value = arr[1] ?? ''
+    } catch { /* */ }
+  }
+  // Default the revoke target to the first operational key.
+  const first = operationalNicknames.value[0]
+  if (first) revokeNickname.value = first.value
+})
+
+const canFinish = computed(() => operationalBuilt.value)
+</script>
+
+<template>
+  <div class="space-y-6">
+    <section class="space-y-2">
+      <div class="flex items-center gap-3">
+        <span class="text-2xl">🚨</span>
+        <h2 class="text-xl font-semibold text-gray-900 dark:text-white">Responding to Key Compromise</h2>
+      </div>
+      <p class="text-sm text-gray-700 dark:text-gray-300 leading-relaxed">
+        The worst case: an operational key is compromised. Because Amira kept her master key
+        offline and SSKR-backed (§5.3), she can recover her full authority, revoke the bad keys,
+        rotate in replacements, advance provenance, and rebuild a clean operational XID — all
+        while keeping the same identifier.
+      </p>
+    </section>
+
+    <UAlert v-if="!activeDoc" color="warning" icon="i-heroicons-exclamation-triangle" title="Need a XID first" description="Go back to §1.3." />
+
+    <template v-if="activeDoc">
+      <UAlert
+        color="error" variant="subtle" icon="i-heroicons-exclamation-triangle"
+        title="Scenario: compromise"
+        description="Amira discovers one of her operational keys was exposed. Any signatures it made are now suspect. Time to recover authority and re-key."
+      />
+
+      <!-- Step A: reconstruct -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">1. Reconstruct your authority (from §5.3 shares)</h3>
+        <UAlert
+          v-if="!recover1 && !recover2" color="warning" variant="subtle"
+          title="No backup shares found"
+          description="Run §5.3 first to generate and stash your 2-of-3 shares, or paste any two shares below."
+        />
+        <UFormField label="Share A"><UTextarea v-model="recover1" :rows="2" class="w-full font-mono text-xs" /></UFormField>
+        <UFormField label="Share B"><UTextarea v-model="recover2" :rows="2" class="w-full font-mono text-xs" /></UFormField>
+        <UButton label="Reconstruct master XID" icon="i-heroicons-puzzle-piece" color="primary" @click="handleReconstruct" />
+        <UAlert
+          v-if="reconstructResult" :color="reconstructResult.ok ? 'success' : 'error'"
+          :icon="reconstructResult.ok ? 'i-heroicons-check-circle' : 'i-heroicons-x-circle'"
+          :title="reconstructResult.ok ? 'Authority recovered' : 'Reconstruction failed'"
+          :description="reconstructResult.message"
+        />
+      </div>
+
+      <!-- Step B: revoke + re-key -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">2. Revoke the compromised key &amp; re-key</h3>
+        <div class="flex flex-wrap gap-2 items-end">
+          <UFormField label="Compromised key" class="flex-1 min-w-40">
+            <USelect v-model="revokeNickname" :items="operationalNicknames" class="w-full" />
+          </UFormField>
+          <UButton label="Revoke key" icon="i-heroicons-trash" color="error" :disabled="!revokeNickname || revokeDone" @click="handleRevoke" />
+        </div>
+        <UAlert v-if="revokeDone" color="success" variant="subtle" icon="i-heroicons-check-circle" title="Compromised key removed" />
+        <template v-if="revokeDone">
+          <UButton label="Add replacement key (…-may2026)" icon="i-heroicons-key" color="primary" :disabled="rekeyDone" @click="handleRekey" />
+          <UAlert v-if="rekeyDone" color="success" variant="subtle" icon="i-heroicons-check-circle" title="Replacement key added" />
+        </template>
+        <template v-if="rekeyDone">
+          <UButton label="Advance provenance & re-publish" icon="i-heroicons-arrow-path" variant="outline" color="neutral" :disabled="provenanceAdvanced" @click="handleAdvance" />
+          <UAlert v-if="provenanceAdvanced" color="success" variant="subtle" icon="i-heroicons-check-circle" title="Provenance advanced" />
+        </template>
+      </div>
+
+      <!-- live inventory -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-2">
+        <h3 class="text-sm font-semibold">Key inventory ({{ keyInventory.length }})</h3>
+        <div
+          v-for="k in keyInventory"
+          :key="k.referenceHex"
+          class="flex flex-wrap items-center gap-2 text-xs border-b border-gray-100 dark:border-gray-800/60 pb-2 last:border-0"
+        >
+          <UIcon :name="k.isInception ? 'i-heroicons-star' : 'i-heroicons-key'" class="w-4 h-4 shrink-0" :class="k.isInception ? 'text-amber-500' : 'text-gray-400'" />
+          <span class="font-medium">{{ k.nickname }}</span>
+          <span class="flex-1" />
+          <UBadge v-for="perm in k.permissions" :key="perm" size="xs" color="primary" variant="soft">{{ perm }}</UBadge>
+        </div>
+      </div>
+
+      <!-- Step C: rebuild operational view -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">3. Rebuild the operational XID</h3>
+        <p class="text-sm text-gray-600 dark:text-gray-400">
+          With the bad keys gone and replacements in place, regenerate the operational XID
+          (inception key elided) for daily use.
+        </p>
+        <UButton label="Rebuild operational XID" icon="i-heroicons-cube" color="primary" @click="handleRebuild" />
+        <pre v-if="operationalBuilt" class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-72">{{ operationalTree }}</pre>
+      </div>
+
+      <!-- Step D: disavowal statement -->
+      <div v-if="rekeyDone && disavowedKeys.length > 0" class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">4. Create a signed disavowal statement</h3>
+        <p class="text-sm text-gray-600 dark:text-gray-400">
+          Revoking a key doesn't retroactively invalidate signatures it already made. Amira
+          publishes a signed statement — structured as a standard edge (§3.1) and signed by her
+          new key — naming the compromised keys so verifiers can distrust signatures from the
+          compromise window. She can publish it alongside her XID without adding it as an edge.
+        </p>
+        <UButton label="Build &amp; sign disavowal" icon="i-heroicons-megaphone" color="primary" @click="handleBuildDisavowal" />
+        <div v-if="disavowalBuilt" class="space-y-2">
+          <UAlert
+            :color="disavowalVerified ? 'success' : 'error'"
+            :icon="disavowalVerified ? 'i-heroicons-check-circle' : 'i-heroicons-x-circle'"
+            :title="disavowalVerified ? 'Disavowal signed & verified' : 'Disavowal signature did not verify'"
+            :description="`Disavows ${disavowedKeys.length} key(s) — a signature-disavowal edge signed by the new replacement key.`"
+          />
+          <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-72">{{ disavowalTree }}</pre>
+        </div>
+      </div>
+
+      <div v-if="canFinish" class="rounded-lg border border-green-200 dark:border-green-900 p-4 bg-green-50/30 dark:bg-green-950/10">
+        <h3 class="text-sm font-semibold text-green-700 dark:text-green-300">Chapter 5 complete 🎉</h3>
+        <p class="text-sm text-gray-700 dark:text-gray-300 mt-1">
+          You've generated operational keys, updated and rotated them, backed up your inception and
+          SSH keys with SSKR, recovered from a compromise, and published a signed disavowal — all
+          without changing your XID.
+        </p>
+      </div>
+
+      <div class="flex justify-end">
+        <UButton
+          label="Finish tutorial"
+          trailing-icon="i-heroicons-check-circle"
+          color="success" size="lg"
+          :disabled="!canFinish"
+          @click="completeAndAdvance(18)"
+        />
+      </div>
+    </template>
+  </div>
+</template>
diff --git a/apps/playground/app/components/xid-tutorial/StepOperationalKeys.vue b/apps/playground/app/components/xid-tutorial/StepOperationalKeys.vue
new file mode 100644
index 00000000..1f1845b7
--- /dev/null
+++ b/apps/playground/app/components/xid-tutorial/StepOperationalKeys.vue
@@ -0,0 +1,187 @@
+<script setup lang="ts">
+import { Privilege } from '@bcts/xid'
+import type { Envelope } from '@bcts/envelope'
+
+const {
+  activeDoc, activeIdentity, setActive, keyInventory,
+  addOperationalKeyToActive, buildOperationalEnvelope, advanceProvenance,
+  completeAndAdvance,
+} = useXidTutorial()
+
+// Operational privileges Amira can grant a day-to-day key. Management
+// privileges (delegate/verify/update/transfer/elect/burn/revoke) deliberately
+// stay with the inception key — least-necessary design.
+const OPERATIONAL_PRIVILEGES: { value: Privilege, label: string }[] = [
+  { value: Privilege.Auth, label: 'auth' },
+  { value: Privilege.Sign, label: 'sign' },
+  { value: Privilege.Encrypt, label: 'encrypt' },
+  { value: Privilege.Elide, label: 'elide' },
+  { value: Privilege.Issue, label: 'issue' },
+  { value: Privilege.Access, label: 'access' },
+]
+
+const LAPTOP_PRESET: Privilege[] = [
+  Privilege.Auth, Privilege.Sign, Privilege.Encrypt, Privilege.Elide, Privilege.Issue, Privilege.Access,
+]
+const PORTABLE_PRESET: Privilege[] = [Privilege.Auth, Privilege.Sign, Privilege.Elide, Privilege.Access]
+
+const nickname = ref('laptop-key')
+const selected = ref<Privilege[]>([...LAPTOP_PRESET])
+const lastAddedUr = ref('')
+const addedCount = ref(0)
+
+const operationalTree = ref('')
+const operationalBuilt = ref(false)
+
+function applyPreset(preset: 'laptop' | 'portable') {
+  if (preset === 'laptop') {
+    nickname.value = 'laptop-key'
+    selected.value = [...LAPTOP_PRESET]
+  } else {
+    nickname.value = 'portable-key'
+    selected.value = [...PORTABLE_PRESET]
+  }
+}
+
+function toggle(p: Privilege) {
+  selected.value = selected.value.includes(p)
+    ? selected.value.filter(x => x !== p)
+    : [...selected.value, p]
+}
+
+function handleAddKey() {
+  const name = nickname.value.trim()
+  if (!name || selected.value.length === 0) return
+  const side = addOperationalKeyToActive(name, 'Ed25519', selected.value)
+  if (side) {
+    lastAddedUr.value = side.pubKeys.urString()
+    addedCount.value++
+  }
+}
+
+function handleBuildOperational() {
+  const env: Envelope | null = buildOperationalEnvelope()
+  if (env) {
+    operationalTree.value = env.treeFormat()
+    operationalBuilt.value = true
+  }
+}
+
+function handleAdvance() { advanceProvenance() }
+
+onMounted(() => {
+  // Chapter 5 is Amira's key-management through-line.
+  if (activeIdentity.value !== 'amira') setActive('amira')
+})
+
+const canContinue = computed(() => addedCount.value > 0)
+</script>
+
+<template>
+  <div class="space-y-6">
+    <section class="space-y-2">
+      <div class="flex items-center gap-3">
+        <span class="text-2xl">🔑</span>
+        <h2 class="text-xl font-semibold text-gray-900 dark:text-white">Generating Operational Keys</h2>
+      </div>
+      <p class="text-sm text-gray-700 dark:text-gray-300 leading-relaxed">
+        Until now a single <em>inception key</em> has controlled BRadvoc8's entire XID — if it's
+        lost or stolen, the identity is gone. Following the
+        <a href="https://www.blockchaincommons.com/musings/Least-Necessary/" target="_blank" class="text-primary-500 underline">least-necessary</a>
+        pattern, Amira adds day-to-day <em>operational keys</em> with only the permissions each
+        device needs, then derives an operational XID that omits the master key entirely.
+      </p>
+    </section>
+
+    <UAlert v-if="!activeDoc" color="warning" icon="i-heroicons-exclamation-triangle" title="Need a XID first" description="Go back to §1.3." />
+
+    <template v-if="activeDoc">
+      <UAlert
+        color="info" variant="subtle" icon="i-heroicons-book-open"
+        title="Amira's story"
+        description="Now that Amira is working on SisterSpaces, losing BRadvoc8 would mean losing four chapters of reputation. She keeps her powerful inception key offline and works with scoped operational keys: a laptop key for everyday use and a portable key for her drive."
+      />
+
+      <!-- Card A: add operational key -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">Add an operational key</h3>
+        <div class="flex gap-2">
+          <UButton size="xs" variant="outline" color="neutral" label="Laptop preset" @click="applyPreset('laptop')" />
+          <UButton size="xs" variant="outline" color="neutral" label="Portable preset" @click="applyPreset('portable')" />
+        </div>
+        <UFormField label="Nickname">
+          <UInput v-model="nickname" class="w-full" placeholder="laptop-key" />
+        </UFormField>
+        <UFormField label="Permissions (--allow)">
+          <div class="flex flex-wrap gap-2">
+            <button
+              v-for="p in OPERATIONAL_PRIVILEGES"
+              :key="p.label"
+              type="button"
+              class="px-2.5 py-1 rounded-md text-xs font-medium border transition-colors"
+              :class="selected.includes(p.value)
+                ? 'bg-primary-50 dark:bg-primary-900/30 border-primary-300 dark:border-primary-700 text-primary-700 dark:text-primary-300'
+                : 'border-gray-200 dark:border-gray-700 text-gray-500 hover:bg-gray-50 dark:hover:bg-gray-800/60'"
+              @click="toggle(p.value)"
+            >
+              {{ p.label }}
+            </button>
+          </div>
+        </UFormField>
+        <UButton
+          label="Add operational key" icon="i-heroicons-key" color="primary"
+          :disabled="!nickname.trim() || selected.length === 0"
+          @click="handleAddKey"
+        />
+        <div v-if="lastAddedUr" class="space-y-1">
+          <p class="text-xs text-gray-500">Public keys (ur:crypto-pubkeys):</p>
+          <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-24">{{ lastAddedUr }}</pre>
+        </div>
+      </div>
+
+      <!-- Card B: key inventory -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">Key inventory ({{ keyInventory.length }})</h3>
+        <div class="space-y-2">
+          <div
+            v-for="k in keyInventory"
+            :key="k.referenceHex"
+            class="flex flex-wrap items-center gap-2 text-xs border-b border-gray-100 dark:border-gray-800/60 pb-2 last:border-0"
+          >
+            <UIcon :name="k.isInception ? 'i-heroicons-star' : 'i-heroicons-key'" class="w-4 h-4 shrink-0" :class="k.isInception ? 'text-amber-500' : 'text-gray-400'" />
+            <span class="font-medium">{{ k.nickname }}</span>
+            <UBadge v-if="k.isInception" size="xs" color="warning" variant="subtle">inception</UBadge>
+            <UBadge size="xs" color="neutral" variant="subtle">{{ k.scheme }}</UBadge>
+            <span class="flex-1" />
+            <UBadge v-for="perm in k.permissions" :key="perm" size="xs" color="primary" variant="soft">{{ perm }}</UBadge>
+          </div>
+        </div>
+      </div>
+
+      <!-- Card C: operational XID -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">Create the operational XID</h3>
+        <p class="text-sm text-gray-600 dark:text-gray-400">
+          The operational XID is an elided-private copy with the inception (master) key removed,
+          so a compromised laptop can't rotate keys or revoke the identity. Your full master stays
+          intact here — you'll back it up in §5.3 and use it to recover in §5.5.
+        </p>
+        <UButton label="Build operational XID" icon="i-heroicons-cube" color="primary" @click="handleBuildOperational" />
+        <div v-if="operationalBuilt" class="space-y-2">
+          <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-72">{{ operationalTree }}</pre>
+          <UButton label="Advance provenance" icon="i-heroicons-arrow-path" variant="outline" color="neutral" @click="handleAdvance" />
+        </div>
+      </div>
+
+      <div class="flex justify-end">
+        <UButton
+          label="Continue to §5.2"
+          trailing-icon="i-heroicons-arrow-right"
+          color="primary" size="lg"
+          :disabled="!canContinue"
+          @click="completeAndAdvance(14)"
+        />
+      </div>
+    </template>
+  </div>
+</template>
diff --git a/apps/playground/app/components/xid-tutorial/StepUpdatingKeys.vue b/apps/playground/app/components/xid-tutorial/StepUpdatingKeys.vue
new file mode 100644
index 00000000..e00d7075
--- /dev/null
+++ b/apps/playground/app/components/xid-tutorial/StepUpdatingKeys.vue
@@ -0,0 +1,178 @@
+<script setup lang="ts">
+import { Privilege } from '@bcts/xid'
+import { PublicKeys } from '@bcts/components'
+
+const {
+  activeDoc, activeIdentity, setActive, keyInventory,
+  updateActiveKeyPermissions, rotateActiveKey, advanceProvenance, completeAndAdvance,
+} = useXidTutorial()
+
+const findName = ref('laptop-key')
+const findResult = ref<{ found: boolean, permissions: Privilege[] } | null>(null)
+
+const selectedNickname = ref('laptop-key')
+const permToDrop = ref<Privilege | undefined>(Privilege.Access)
+const dropDone = ref(false)
+
+const rotateNickname = ref('laptop-key-v2')
+const rotatedUr = ref('')
+const rotateDone = ref(false)
+
+const operationalNicknames = computed(() =>
+  keyInventory.value.filter(k => !k.isInception).map(k => ({ label: k.nickname, value: k.nickname })),
+)
+const selectedEntry = computed(() => keyInventory.value.find(k => k.nickname === selectedNickname.value) ?? null)
+const droppablePermissions = computed(() =>
+  (selectedEntry.value?.permissions ?? []).map(p => ({ label: String(p), value: p })),
+)
+
+function handleFind() {
+  const entry = keyInventory.value.find(k => k.nickname === findName.value.trim())
+  findResult.value = entry
+    ? { found: true, permissions: entry.permissions }
+    : { found: false, permissions: [] }
+}
+
+function handleDrop() {
+  const entry = selectedEntry.value
+  if (!entry || permToDrop.value === undefined) return
+  const pub = PublicKeys.fromURString(entry.pubKeysUr)
+  const newAllow = entry.permissions.filter(p => p !== permToDrop.value)
+  if (updateActiveKeyPermissions(pub, newAllow)) dropDone.value = true
+}
+
+function handleRotate() {
+  const entry = selectedEntry.value
+  if (!entry) return
+  const pub = PublicKeys.fromURString(entry.pubKeysUr)
+  const newNick = rotateNickname.value.trim() || `${entry.nickname}-v2`
+  const side = rotateActiveKey(pub, newNick, 'Ed25519', entry.permissions)
+  if (side) {
+    rotatedUr.value = side.pubKeys.urString()
+    rotateDone.value = true
+    selectedNickname.value = newNick
+  }
+}
+
+function handleAdvance() { advanceProvenance() }
+
+onMounted(() => {
+  if (activeIdentity.value !== 'amira') setActive('amira')
+})
+
+const canContinue = computed(() => dropDone.value || rotateDone.value)
+</script>
+
+<template>
+  <div class="space-y-6">
+    <section class="space-y-2">
+      <div class="flex items-center gap-3">
+        <span class="text-2xl">♻️</span>
+        <h2 class="text-xl font-semibold text-gray-900 dark:text-white">Updating Keys</h2>
+      </div>
+      <p class="text-sm text-gray-700 dark:text-gray-300 leading-relaxed">
+        Keys aren't forever — they get over-provisioned, or need rotating after loss. XIDs let you
+        change a key's <em>permissions</em> and <em>rotate</em> a key (add the new, remove the old)
+        while the identifier itself stays constant.
+      </p>
+    </section>
+
+    <UAlert v-if="!activeDoc" color="warning" icon="i-heroicons-exclamation-triangle" title="Need a XID first" description="Go back to §1.3." />
+    <UAlert v-else-if="operationalNicknames.length === 0" color="warning" icon="i-heroicons-exclamation-triangle" title="No operational keys" description="Add a laptop/portable key in §5.1 first." />
+
+    <template v-if="activeDoc && operationalNicknames.length > 0">
+      <UAlert
+        color="info" variant="subtle" icon="i-heroicons-book-open"
+        title="Amira's story"
+        description="Amira realises she over-powered her laptop key with 'access' — she's never put any resources under her XID's control. Least-necessary says: drop it. Later she'll rotate the laptop key entirely."
+      />
+
+      <!-- Card A: find by name -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">1. Find a key by name</h3>
+        <div class="flex gap-2 items-end">
+          <UFormField label="Nickname" class="flex-1">
+            <UInput v-model="findName" class="w-full" />
+          </UFormField>
+          <UButton label="Find" icon="i-heroicons-magnifying-glass" color="neutral" variant="outline" @click="handleFind" />
+        </div>
+        <div v-if="findResult" class="text-sm">
+          <template v-if="findResult.found">
+            <span class="text-gray-500">Permissions:</span>
+            <UBadge v-for="p in findResult.permissions" :key="String(p)" size="xs" color="primary" variant="soft" class="ml-1">{{ p }}</UBadge>
+          </template>
+          <UAlert v-else color="warning" variant="subtle" title="No key with that nickname" />
+        </div>
+      </div>
+
+      <!-- Card B: drop a permission -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">2. Change key permissions</h3>
+        <div class="flex flex-wrap gap-2 items-end">
+          <UFormField label="Key" class="flex-1 min-w-40">
+            <USelect v-model="selectedNickname" :items="operationalNicknames" class="w-full" />
+          </UFormField>
+          <UFormField label="Permission to drop" class="flex-1 min-w-40">
+            <USelect v-model="permToDrop" :items="droppablePermissions" class="w-full" />
+          </UFormField>
+          <UButton label="Drop permission" icon="i-heroicons-minus-circle" color="warning" @click="handleDrop" />
+        </div>
+        <div v-if="dropDone" class="text-sm">
+          <UAlert color="success" variant="subtle" icon="i-heroicons-check-circle" title="Permission updated" />
+          <div class="mt-1">
+            <span class="text-gray-500">{{ selectedEntry?.nickname }} now allows:</span>
+            <UBadge v-for="p in selectedEntry?.permissions ?? []" :key="String(p)" size="xs" color="primary" variant="soft" class="ml-1">{{ p }}</UBadge>
+          </div>
+        </div>
+      </div>
+
+      <!-- Card C: rotate -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-3">
+        <h3 class="text-sm font-semibold">3. Rotate a key</h3>
+        <p class="text-sm text-gray-600 dark:text-gray-400">
+          Rotation = add the replacement, then remove the old key. The new key inherits the
+          (now-trimmed) permission set.
+        </p>
+        <div class="flex flex-wrap gap-2 items-end">
+          <UFormField label="Replace key" class="flex-1 min-w-40">
+            <USelect v-model="selectedNickname" :items="operationalNicknames" class="w-full" />
+          </UFormField>
+          <UFormField label="New nickname" class="flex-1 min-w-40">
+            <UInput v-model="rotateNickname" class="w-full" />
+          </UFormField>
+          <UButton label="Rotate key" icon="i-heroicons-arrow-path-rounded-square" color="primary" @click="handleRotate" />
+        </div>
+        <div v-if="rotateDone" class="space-y-1">
+          <UAlert color="success" variant="subtle" icon="i-heroicons-check-circle" title="Key rotated — old key removed" />
+          <pre class="font-mono text-xs bg-gray-950 text-gray-200 p-3 rounded-md overflow-auto max-h-24">{{ rotatedUr }}</pre>
+          <UButton label="Advance provenance & re-publish" icon="i-heroicons-arrow-path" variant="outline" color="neutral" @click="handleAdvance" />
+        </div>
+      </div>
+
+      <!-- live inventory -->
+      <div class="rounded-lg border border-gray-200 dark:border-gray-800 p-4 space-y-2">
+        <h3 class="text-sm font-semibold">Key inventory ({{ keyInventory.length }})</h3>
+        <div
+          v-for="k in keyInventory"
+          :key="k.referenceHex"
+          class="flex flex-wrap items-center gap-2 text-xs border-b border-gray-100 dark:border-gray-800/60 pb-2 last:border-0"
+        >
+          <UIcon :name="k.isInception ? 'i-heroicons-star' : 'i-heroicons-key'" class="w-4 h-4 shrink-0" :class="k.isInception ? 'text-amber-500' : 'text-gray-400'" />
+          <span class="font-medium">{{ k.nickname }}</span>
+          <span class="flex-1" />
+          <UBadge v-for="perm in k.permissions" :key="perm" size="xs" color="primary" variant="soft">{{ perm }}</UBadge>
+        </div>
+      </div>
+
+      <div class="flex justify-end">
+        <UButton
+          label="Continue to §5.3"
+          trailing-icon="i-heroicons-arrow-right"
+          color="primary" size="lg"
+          :disabled="!canContinue"
+          @click="completeAndAdvance(15)"
+        />
+      </div>
+    </template>
+  </div>
+</template>
diff --git a/apps/playground/app/composables/useXidTutorial.ts b/apps/playground/app/composables/useXidTutorial.ts
index c687ee47..d1c49803 100644
--- a/apps/playground/app/composables/useXidTutorial.ts
+++ b/apps/playground/app/composables/useXidTutorial.ts
@@ -1,5 +1,6 @@
 import { XIDPrivateKeyOptions, XIDGeneratorOptions, Service, Privilege, type Key } from "@bcts/xid";
 import type { Envelope } from "@bcts/envelope";
+import type { PublicKeys } from "@bcts/components";
 import type { IdentityName, IdentitySlot } from "@/utils/xid-tutorial/types";
 import { TUTORIAL_SECTIONS } from "@/utils/xid-tutorial/sections";
 import {
@@ -14,6 +15,13 @@ import {
   sshPublicKeyText,
   type TutorialScheme,
 } from "@/utils/xid-tutorial/identity";
+import {
+  addOperationalKey,
+  setKeyPermissions,
+  rotateKey,
+  removeKeyByNickname,
+  keyInventory as buildKeyInventory,
+} from "@/utils/xid-tutorial/keys";
 
 type AttachmentEnvelope = Envelope & {
   attachmentVendor(): string;
@@ -21,7 +29,8 @@ type AttachmentEnvelope = Envelope & {
   attachmentPayload(): Envelope;
 };
 
-const STORAGE_KEY = "xid-tutorial-state-v2";
+const STORAGE_KEY = "xid-tutorial-state-v3";
+const LEGACY_STORAGE_KEY_V2 = "xid-tutorial-state-v2";
 const LEGACY_STORAGE_KEY = "xid-tutorial-state";
 
 /** Each identity is a full workspace slot — active identity is the one step components operate on. */
@@ -155,6 +164,11 @@ export function useXidTutorial() {
     void docVersion.value;
     return activeDoc.value?.provenance() ?? null;
   });
+  const keyInventory = computed(() => {
+    void docVersion.value;
+    const doc = activeDoc.value;
+    return doc ? buildKeyInventory(doc) : [];
+  });
   const currentSectionMeta = computed(() => TUTORIAL_SECTIONS[currentSection.value] ?? null);
   const progress = computed(() => {
     const done = sectionsCompleted.value.filter(Boolean).length;
@@ -342,6 +356,106 @@ export function useXidTutorial() {
     }
   }
 
+  // ---- Operational keys, rotation & revocation (Chapter 5) ----
+  /** §5.1 — add an operational key (laptop/portable) with scoped permissions. */
+  function addOperationalKeyToActive(nickname: string, scheme: TutorialScheme, allow: Privilege[]) {
+    const doc = activeDoc.value;
+    if (!doc) return null;
+    try {
+      error.value = null;
+      const side = addOperationalKey(doc, nickname, scheme, allow);
+      invalidatePrivateEnvelope(activeIdentity.value);
+      bumpDoc();
+      saveState();
+      return side;
+    } catch (e) {
+      error.value = e instanceof Error ? e.message : "Failed to add operational key";
+      return null;
+    }
+  }
+
+  /** §5.2 — replace a key's allowed-permission set (e.g. drop `access`). */
+  function updateActiveKeyPermissions(pubKeys: PublicKeys, allow: Privilege[]): boolean {
+    const doc = activeDoc.value;
+    if (!doc) return false;
+    try {
+      error.value = null;
+      const ok = setKeyPermissions(doc, pubKeys, allow);
+      invalidatePrivateEnvelope(activeIdentity.value);
+      bumpDoc();
+      saveState();
+      return ok;
+    } catch (e) {
+      error.value = e instanceof Error ? e.message : "Failed to update key permissions";
+      return false;
+    }
+  }
+
+  /** §5.2 — rotate a key: add a new one, remove the old. */
+  function rotateActiveKey(
+    oldPubKeys: PublicKeys,
+    nickname: string,
+    scheme: TutorialScheme,
+    allow: Privilege[],
+  ) {
+    const doc = activeDoc.value;
+    if (!doc) return null;
+    try {
+      error.value = null;
+      const side = rotateKey(doc, oldPubKeys, nickname, scheme, allow);
+      invalidatePrivateEnvelope(activeIdentity.value);
+      bumpDoc();
+      saveState();
+      return side;
+    } catch (e) {
+      error.value = e instanceof Error ? e.message : "Failed to rotate key";
+      return null;
+    }
+  }
+
+  /** §5.5 — revoke (remove) a key by nickname; returns its public keys. */
+  function removeActiveKeyByNickname(name: string): PublicKeys | undefined {
+    const doc = activeDoc.value;
+    if (!doc) return undefined;
+    try {
+      error.value = null;
+      const removed = removeKeyByNickname(doc, name);
+      invalidatePrivateEnvelope(activeIdentity.value);
+      bumpDoc();
+      saveState();
+      return removed;
+    } catch (e) {
+      error.value = e instanceof Error ? e.message : "Failed to remove key";
+      return undefined;
+    }
+  }
+
+  /**
+   * §5.1 / §5.5 — derive an "operational XID": an elided-private copy of the
+   * master with the inception (master) key — and optionally other named keys —
+   * removed. Built from a reloaded copy so the active slot keeps its full
+   * master (§5.3/§5.5 still need the inception key). Returns the envelope; does
+   * NOT mutate the active document.
+   */
+  function buildOperationalEnvelope(alsoRemoveNicknames: string[] = []): Envelope | null {
+    const slot = activeSlot.value;
+    if (!slot.document) return null;
+    try {
+      error.value = null;
+      const persist = getPersistEnvelope();
+      if (!persist) return null;
+      const copy = loadXidFromUr(persist.urString(), slot.password || undefined);
+      copy.removeInceptionKey();
+      for (const name of alsoRemoveNicknames) removeKeyByNickname(copy, name);
+      return copy.toEnvelope(XIDPrivateKeyOptions.Elide, XIDGeneratorOptions.Elide, {
+        type: "none",
+      });
+    } catch (e) {
+      error.value = e instanceof Error ? e.message : "Failed to build operational XID";
+      return null;
+    }
+  }
+
   // ---- Resolution ----
   function addResolutionMethod(uri: string) {
     const doc = activeDoc.value;
@@ -528,6 +642,7 @@ export function useXidTutorial() {
         saveTimer = null;
       }
       localStorage.removeItem(STORAGE_KEY);
+      localStorage.removeItem(LEGACY_STORAGE_KEY_V2);
       localStorage.removeItem(LEGACY_STORAGE_KEY);
     }
     bumpDoc();
@@ -536,7 +651,7 @@ export function useXidTutorial() {
   // ---- Persistence ----
   type PersistedSlot = { ur?: string; password?: string };
   type Persisted = {
-    version: 2;
+    version: 2 | 3;
     currentSection: number;
     sectionsCompleted: boolean[];
     activeIdentity: IdentityName;
@@ -544,6 +659,17 @@ export function useXidTutorial() {
     artifacts?: Record<string, string>;
   };
 
+  /** Pad/truncate a stored completion array to the current section count.
+   *  Chapter 5 grew the registry from 14 → 19 sections; a v2 array of length
+   *  14 must be widened so indices 14–18 default to `false`. */
+  function normalizeCompleted(arr?: boolean[]): boolean[] {
+    const out = new Array<boolean>(TUTORIAL_SECTIONS.length).fill(false);
+    if (Array.isArray(arr)) {
+      for (let i = 0; i < Math.min(arr.length, out.length); i++) out[i] = !!arr[i];
+    }
+    return out;
+  }
+
   function saveState() {
     if (!import.meta.client) return;
     if (saveTimer) clearTimeout(saveTimer);
@@ -556,7 +682,7 @@ export function useXidTutorial() {
   function persistNow() {
     try {
       const persisted: Persisted = {
-        version: 2,
+        version: 3,
         currentSection: currentSection.value,
         sectionsCompleted: sectionsCompleted.value,
         activeIdentity: activeIdentity.value,
@@ -582,13 +708,17 @@ export function useXidTutorial() {
   function restoreState() {
     if (!import.meta.client) return;
     try {
-      const raw = localStorage.getItem(STORAGE_KEY);
+      // v3 (current) and v2 share an identical on-disk shape — Chapter 5 only
+      // appended sections. Read either; a v2 payload is migrated forward (its
+      // shorter `sectionsCompleted` is padded) and re-persisted under v3.
+      const rawV3 = localStorage.getItem(STORAGE_KEY);
+      const rawV2 = rawV3 ? null : localStorage.getItem(LEGACY_STORAGE_KEY_V2);
+      const raw = rawV3 ?? rawV2;
       if (raw) {
         const p = JSON.parse(raw) as Persisted;
-        if (p.version !== 2) return;
+        if (p.version !== 2 && p.version !== 3) return;
         currentSection.value = p.currentSection ?? 0;
-        sectionsCompleted.value =
-          p.sectionsCompleted ?? new Array(TUTORIAL_SECTIONS.length).fill(false);
+        sectionsCompleted.value = normalizeCompleted(p.sectionsCompleted);
         activeIdentity.value = p.activeIdentity ?? "amira";
         artifacts.value = p.artifacts ?? {};
         for (const [name, data] of Object.entries(p.identities)) {
@@ -602,6 +732,11 @@ export function useXidTutorial() {
           }
         }
         bumpDoc();
+        if (rawV2) {
+          // Migrate forward: write under v3 and drop the v2 key.
+          persistNow();
+          localStorage.removeItem(LEGACY_STORAGE_KEY_V2);
+        }
         return;
       }
       // Legacy v1 migration
@@ -666,6 +801,7 @@ export function useXidTutorial() {
     serviceList,
     edgeList,
     provenanceMark,
+    keyInventory,
     // identity lifecycle
     setActive,
     createIdentity,
@@ -674,6 +810,12 @@ export function useXidTutorial() {
     // keys
     addSideKey,
     generateSshKey,
+    // operational keys / rotation / revocation (Chapter 5)
+    addOperationalKeyToActive,
+    updateActiveKeyPermissions,
+    rotateActiveKey,
+    removeActiveKeyByNickname,
+    buildOperationalEnvelope,
     // resolution
     addResolutionMethod,
     removeResolutionMethodUri,
diff --git a/apps/playground/app/layouts/default.vue b/apps/playground/app/layouts/default.vue
index 2d6339cf..e8377826 100644
--- a/apps/playground/app/layouts/default.vue
+++ b/apps/playground/app/layouts/default.vue
@@ -51,8 +51,7 @@ const navigationItems: NavigationMenuItem[] = [
   {
     label: 'XID Tutorial',
     icon: 'i-heroicons-academic-cap',
-    to: '/xid',
-    badge: 'WIP'
+    to: '/xid'
   },
   {
     type: 'label',
diff --git a/apps/playground/app/pages/xid.vue b/apps/playground/app/pages/xid.vue
index 1f144d72..9c01cb7a 100644
--- a/apps/playground/app/pages/xid.vue
+++ b/apps/playground/app/pages/xid.vue
@@ -373,6 +373,11 @@ function globalIndex(sectionId: string): number {
               <XidTutorialStepPrivacy v-else-if="currentSectionMeta?.id === '4.2'" />
               <XidTutorialStepViews v-else-if="currentSectionMeta?.id === '4.3'" />
               <XidTutorialStepEditions v-else-if="currentSectionMeta?.id === '4.4'" />
+              <XidTutorialStepOperationalKeys v-else-if="currentSectionMeta?.id === '5.1'" />
+              <XidTutorialStepUpdatingKeys v-else-if="currentSectionMeta?.id === '5.2'" />
+              <XidTutorialStepBackupInception v-else-if="currentSectionMeta?.id === '5.3'" />
+              <XidTutorialStepBackupSshKey v-else-if="currentSectionMeta?.id === '5.4'" />
+              <XidTutorialStepKeyCompromise v-else-if="currentSectionMeta?.id === '5.5'" />
             </div>
           </div>
 
diff --git a/apps/playground/app/utils/xid-tutorial/backup.ts b/apps/playground/app/utils/xid-tutorial/backup.ts
new file mode 100644
index 00000000..cb32a090
--- /dev/null
+++ b/apps/playground/app/utils/xid-tutorial/backup.ts
@@ -0,0 +1,73 @@
+import { Envelope } from "@bcts/envelope";
+import { SymmetricKey, SSKRGroupSpec, SSKRSpec, KeyDerivationMethod } from "@bcts/components";
+
+const textEncoder = new TextEncoder();
+
+// `sskrJoin` is a *static* extension method and `fromURString` a static
+// constructor; neither carries its type across the package boundary, so we
+// reach them through a narrow cast (the same pattern the CLI `join` command
+// and `identity.ts` use). Instance methods (`wrap`, `encryptSubject`,
+// `sskrSplitFlattened`, `unwrap`, `addSecret`) are typed on `Envelope`.
+const EnvelopeStatic = Envelope as unknown as {
+  sskrJoin(envelopes: Envelope[]): Envelope;
+  fromURString(s: string): Envelope;
+};
+
+/**
+ * SSKR-split an envelope into flat share UR strings. Byte-for-byte mirror of
+ * `envelope sskr split` (`tools/envelope-cli/src/cmd/sskr/split.ts`): wrap the
+ * envelope, encrypt its subject under a fresh random content key, then split
+ * that key across the requested groups. Default tutorial spec is `(1, [[2,3]])`
+ * → a single 2-of-3 group. (§5.3 / §5.4 / §5.5)
+ */
+export function sskrSplitEnvelope(
+  env: Envelope,
+  groupThreshold: number,
+  groups: [number, number][],
+): string[] {
+  const contentKey = SymmetricKey.new();
+  const wrapped = env.wrap();
+  const encrypted = wrapped.encryptSubject(contentKey);
+  const groupSpecs = groups.map(([m, n]) => SSKRGroupSpec.new(m, n));
+  const spec = SSKRSpec.new(groupThreshold, groupSpecs);
+  const shares = encrypted.sskrSplitFlattened(spec, contentKey);
+  return shares.map((s) => s.urString());
+}
+
+/**
+ * Recombine SSKR shares back into the original envelope. Mirror of
+ * `envelope sskr join`: combine the shares to recover the wrapped envelope,
+ * then unwrap it. (§5.3 / §5.5)
+ */
+export function sskrJoinShares(shareUrs: string[]): Envelope {
+  const envs = shareUrs.map((ur) => EnvelopeStatic.fromURString(ur.trim()));
+  const wrapped = EnvelopeStatic.sskrJoin(envs);
+  return wrapped.unwrap();
+}
+
+/** Safe wrapper around {@link sskrJoinShares}. */
+export function trySskrJoin(
+  shareUrs: string[],
+): { ok: true; env: Envelope } | { ok: false; reason: string } {
+  try {
+    return { ok: true, env: sskrJoinShares(shareUrs) };
+  } catch (e) {
+    return { ok: false, reason: e instanceof Error ? e.message : "recovery failed" };
+  }
+}
+
+/**
+ * Password-encrypt an envelope's subject (Argon2id). Mirror of
+ * `envelope encrypt --password` (`tools/envelope-cli/src/cmd/encrypt.ts`):
+ * encrypt the subject under a fresh content key, then lock that content key
+ * with the password via `addSecret`. (§5.4)
+ */
+export function passwordEncrypt(env: Envelope, password: string): Envelope {
+  const contentKey = SymmetricKey.new();
+  const encrypted = env.encryptSubject(contentKey);
+  return encrypted.addSecret(
+    KeyDerivationMethod.Argon2id,
+    textEncoder.encode(password),
+    contentKey,
+  );
+}
diff --git a/apps/playground/app/utils/xid-tutorial/disavowal.ts b/apps/playground/app/utils/xid-tutorial/disavowal.ts
new file mode 100644
index 00000000..b1234411
--- /dev/null
+++ b/apps/playground/app/utils/xid-tutorial/disavowal.ts
@@ -0,0 +1,52 @@
+import { Envelope } from "@bcts/envelope";
+import { IS_A, SOURCE, TARGET, DATE, NICKNAME } from "@bcts/known-values";
+import { XID, type PrivateKeys, type SigningOptions } from "@bcts/components";
+import type { DisavowedKey } from "./keys";
+
+export interface DisavowalInput {
+  /** UR of the disavowing party's XID identifier (becomes subject + edge source). */
+  disavowerXidUr: string;
+  /** Unique edge subject, e.g. `disavowal-statement-20260505`. */
+  subject: string;
+  statement: string;
+  reason: string;
+  date?: Date;
+  keys: DisavowedKey[];
+}
+
+/**
+ * Build + wrap + sign a disavowal statement. Byte-for-byte structural mirror of
+ * upstream XID-Quickstart §5.5 Step 9: a standard edge (`isA` / `source` /
+ * `target`, per §3.1) whose `target` is an attestation listing each disavowed
+ * key (its public keys, `nickname`, and `xidKeyDigest`). Signed by a current,
+ * non-compromised key (the new attestation key).
+ */
+export function buildSignedDisavowal(input: DisavowalInput, signer: PrivateKeys): Envelope {
+  const xid = XID.fromURString(input.disavowerXidUr);
+
+  // The disavowal attestation — this becomes the edge `target`.
+  let disavowal = Envelope.new(xid)
+    .addAssertion("disavowalStatement", input.statement)
+    .addAssertion("disavowalReason", input.reason)
+    .addAssertion(DATE, (input.date ?? new Date()).toISOString());
+
+  // Recursively embed each disavowed key as a `disavowedKey` sub-envelope.
+  for (const k of input.keys) {
+    const keyEnv = Envelope.new(k.pubKeys)
+      .addAssertion(NICKNAME, k.nickname)
+      .addAssertion("xidKeyDigest", k.assertionDigest);
+    disavowal = disavowal.addAssertionEnvelope(Envelope.newAssertion("disavowedKey", keyEnv));
+  }
+
+  // Wrap it in a standard edge with a unique subject + isA/source/target.
+  const edge = Envelope.new(input.subject)
+    .addAssertion(IS_A, "signature-disavowal")
+    .addAssertion(SOURCE, xid)
+    .addAssertionEnvelope(Envelope.newAssertion(TARGET, disavowal));
+
+  // The signer is a freshly-rotated key, so it's never SSH-backed here.
+  const options: SigningOptions | undefined = signer.signingPrivateKey().isSsh()
+    ? { type: "Ssh", namespace: "envelope", hashAlg: "sha256" }
+    : undefined;
+  return edge.signOpt(signer, options);
+}
diff --git a/apps/playground/app/utils/xid-tutorial/edge.ts b/apps/playground/app/utils/xid-tutorial/edge.ts
index 6ba09636..60de9036 100644
--- a/apps/playground/app/utils/xid-tutorial/edge.ts
+++ b/apps/playground/app/utils/xid-tutorial/edge.ts
@@ -50,17 +50,22 @@ function buildSubEnvelope(input: EdgeTargetInput): Envelope {
  */
 export function buildSignedEdge(input: EdgeBuildInput, signer: PrivateKeys): Envelope {
   const src = buildSubEnvelope(input.source);
-  const tgt = buildSubEnvelope(input.target);
+  let tgt = buildSubEnvelope(input.target);
 
-  let edge = Envelope.new(input.subject)
+  // BCR-2026-003 (synced in @bcts/envelope v0.43.0): an edge subject may carry
+  // *only* `isA`, `source`, and `target`. Any additional claim detail
+  // (`conformsTo`, `date`, `verifiableAt`) belongs on the target sub-envelope —
+  // exactly as upstream XID-Quickstart §3.1 builds it. Placing them here keeps
+  // `Envelope.validateEdge()` happy and matches the Rust reference structure.
+  if (input.conformsTo) tgt = tgt.addAssertion(CONFORMS_TO, input.conformsTo);
+  if (input.date) tgt = tgt.addAssertion(DATE, input.date.toISOString());
+  if (input.verifiableAt) tgt = tgt.addAssertion(VERIFIABLE_AT, input.verifiableAt);
+
+  const edge = Envelope.new(input.subject)
     .addAssertion(IS_A, input.isA)
     .addAssertionEnvelope(Envelope.newAssertion(SOURCE, src))
     .addAssertionEnvelope(Envelope.newAssertion(TARGET, tgt));
 
-  if (input.conformsTo) edge = edge.addAssertion(CONFORMS_TO, input.conformsTo);
-  if (input.date) edge = edge.addAssertion(DATE, input.date.toISOString());
-  if (input.verifiableAt) edge = edge.addAssertion(VERIFIABLE_AT, input.verifiableAt);
-
   const options: SigningOptions | undefined = signer.signingPrivateKey().isSsh()
     ? { type: "Ssh", namespace: "envelope", hashAlg: "sha256" }
     : undefined;
diff --git a/apps/playground/app/utils/xid-tutorial/keys.ts b/apps/playground/app/utils/xid-tutorial/keys.ts
new file mode 100644
index 00000000..f694ecf7
--- /dev/null
+++ b/apps/playground/app/utils/xid-tutorial/keys.ts
@@ -0,0 +1,138 @@
+import { Key, type Privilege, type XIDDocument } from "@bcts/xid";
+import type { PublicKeys, Digest } from "@bcts/components";
+import { generateSideKey, type TutorialScheme } from "./identity";
+import type { SideKey } from "./types";
+
+/** Identifying material for a key being disavowed (§5.5 Step 9). The
+ *  `assertionDigest` is the digest of the key's envelope as it appeared in the
+ *  XID — mirrors upstream `envelope digest $(envelope xid key find name …)`. */
+export interface DisavowedKey {
+  nickname: string;
+  pubKeys: PublicKeys;
+  assertionDigest: Digest;
+}
+
+/** Read-model for the key-inventory panel (§5.1). */
+export interface KeyInventoryEntry {
+  nickname: string;
+  scheme: string;
+  permissions: Privilege[];
+  isInception: boolean;
+  pubKeysUr: string;
+  referenceHex: string;
+}
+
+/**
+ * Add an operational key (laptop / portable / …) with a nickname and a scoped
+ * permission set. Mirrors the upstream §5.1 `envelope xid key add --nickname …
+ * --allow …` flow — generate a fresh keypair, wrap it in a `Key`, grant the
+ * requested privileges, and register it on the document.
+ */
+export function addOperationalKey(
+  doc: XIDDocument,
+  nickname: string,
+  scheme: TutorialScheme,
+  allow: Privilege[],
+): SideKey {
+  const side = generateSideKey(nickname, scheme);
+  const key = Key.newWithPrivateKeys(side.prvKeys, side.pubKeys);
+  for (const p of allow) key.addPermission(p);
+  key.setNickname(nickname);
+  doc.addKey(key);
+  return side;
+}
+
+/** Find a key on the document by its nickname (§5.2 / §5.5 `key find name`). */
+export function findKeyByNickname(doc: XIDDocument, name: string): Key | undefined {
+  return doc.keys().find((k) => k.nickname() === name);
+}
+
+/**
+ * Replace a key's allowed-permission set. Uses the Rust-style take → mutate →
+ * re-add pattern so the change is unambiguously persisted on the document
+ * (§5.2 `key update`).
+ */
+export function setKeyPermissions(
+  doc: XIDDocument,
+  pubKeys: PublicKeys,
+  allow: Privilege[],
+): boolean {
+  const key = doc.takeKey(pubKeys);
+  if (!key) return false;
+  const perms = key.permissionsMut();
+  perms.allow.clear();
+  for (const p of allow) perms.allow.add(p);
+  doc.addKey(key);
+  return true;
+}
+
+/**
+ * Rotate a key: add a fresh key with a new nickname, then remove the old one
+ * (§5.2 Steps 4–6). Returns the new side key so the caller can surface its UR.
+ */
+export function rotateKey(
+  doc: XIDDocument,
+  oldPubKeys: PublicKeys,
+  newNickname: string,
+  scheme: TutorialScheme,
+  allow: Privilege[],
+): SideKey {
+  const side = addOperationalKey(doc, newNickname, scheme, allow);
+  doc.removeKey(oldPubKeys);
+  return side;
+}
+
+/**
+ * Capture a key's disavowal info (nickname + public keys + the digest of its
+ * envelope in the XID) BEFORE it's revoked, so §5.5 can name it in a signed
+ * disavowal statement. Mirrors the upstream pattern of running
+ * `xid key find name` + `digest` ahead of `key remove`.
+ */
+export function keyDisavowalInfo(doc: XIDDocument, nickname: string): DisavowedKey | undefined {
+  const key = findKeyByNickname(doc, nickname);
+  if (!key) return undefined;
+  return {
+    nickname,
+    pubKeys: key.publicKeys(),
+    assertionDigest: key.intoEnvelope().digest(),
+  };
+}
+
+/** Remove a key by nickname; returns its public keys if it existed (§5.5). */
+export function removeKeyByNickname(doc: XIDDocument, name: string): PublicKeys | undefined {
+  const key = findKeyByNickname(doc, name);
+  if (!key) return undefined;
+  const pub = key.publicKeys();
+  doc.removeKey(pub);
+  return pub;
+}
+
+/** Build a read-model of every key on the document for the inventory panel. */
+export function keyInventory(doc: XIDDocument): KeyInventoryEntry[] {
+  return doc.keys().map((k) => {
+    const pub = k.publicKeys();
+    let scheme = "Unknown";
+    let isInception = false;
+    try {
+      const signing = pub.signingPublicKey();
+      scheme = signing.keyType();
+      isInception = doc.isInceptionSigningKey(signing);
+    } catch {
+      /* non-signing or malformed key */
+    }
+    let pubKeysUr = "";
+    try {
+      pubKeysUr = pub.urString();
+    } catch {
+      /* */
+    }
+    return {
+      nickname: k.nickname() || "(unnamed)",
+      scheme,
+      permissions: [...k.permissions().allow],
+      isInception,
+      pubKeysUr,
+      referenceHex: k.reference().toHex(),
+    };
+  });
+}
diff --git a/apps/playground/app/utils/xid-tutorial/sections.ts b/apps/playground/app/utils/xid-tutorial/sections.ts
index 15dbbd79..c4996557 100644
--- a/apps/playground/app/utils/xid-tutorial/sections.ts
+++ b/apps/playground/app/utils/xid-tutorial/sections.ts
@@ -130,6 +130,51 @@ export const TUTORIAL_SECTIONS: SectionMeta[] = [
     component: "StepEditions",
     needsIdentity: true,
   },
+  {
+    id: "5.1",
+    chapter: 5,
+    section: 1,
+    title: "Operational Keys",
+    subtitle: "Scoped keys + operational XID",
+    component: "StepOperationalKeys",
+    needsIdentity: true,
+  },
+  {
+    id: "5.2",
+    chapter: 5,
+    section: 2,
+    title: "Updating Keys",
+    subtitle: "Permissions & rotation",
+    component: "StepUpdatingKeys",
+    needsIdentity: true,
+  },
+  {
+    id: "5.3",
+    chapter: 5,
+    section: 3,
+    title: "Backup Inception",
+    subtitle: "SSKR 2-of-3 split & recover",
+    component: "StepBackupInception",
+    needsIdentity: true,
+  },
+  {
+    id: "5.4",
+    chapter: 5,
+    section: 4,
+    title: "Backup SSH Key",
+    subtitle: "Wrap, encrypt, shard",
+    component: "StepBackupSshKey",
+    needsIdentity: true,
+  },
+  {
+    id: "5.5",
+    chapter: 5,
+    section: 5,
+    title: "Key Compromise",
+    subtitle: "Recover, revoke, re-key",
+    component: "StepKeyCompromise",
+    needsIdentity: true,
+  },
 ];
 
 export const CHAPTERS = [
@@ -137,6 +182,7 @@ export const CHAPTERS = [
   { number: 2, title: "Making Claims" },
   { number: 3, title: "Attesting with Edges" },
   { number: 4, title: "Managing Your XIDs" },
+  { number: 5, title: "Managing Your Keys" },
 ];
 
 export function sectionIndex(id: string): number {