Key rotation is done manually still - you need the threshold of shares within that keyset (2/3 for example) locally in order to recover the nsec, this does not happen over nostr in some fancy protocol manner (only signing does)
shares are only valid within a keyset meaning that if you have a 2/3 and you lose a share IF you destroy the other 2 shares than the third stolen share is ORPHANED.
So to rotate at this time the steps are:
- Recover nsec with threshold of shares
- Use that nsec to generate a new keyset (can be any threshold)
- DESTROY the shares in the old keyset
TLDR; DESTROY AND OPRHAN 