Merged
1 change: 1 addition & 0 deletions src/pages/guide/node/security.mdx
Expand Up @@ -13,6 +13,7 @@ Your signing key is the most sensitive asset on your validator. Anyone with acce

- **Restrict file permissions** — set `chmod 600` on key files so only the node process user can read them.
- **Never share your private key** — the Tempo team will never ask for it.
- **Use different keys for testnet and mainnet** — do not reuse signing keys or operator keys across networks; a testnet compromise should never put your mainnet validator at risk.
- **Rotate keys periodically** — use [key rotation](/guide/node/validator-lifecycle#rotate-validator-identity) to swap to a new ed25519 key without leaving the committee.
- **Separate the operator address** — the Ethereum address that controls on-chain operations (IP updates, rotation, ownership transfer) should be a dedicated address, not a general-purpose hot wallet.

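Review bot: The added bullet "Use different keys for testnet and mainnet" names operator keys, but the last bullet in this list, "Separate the operator address", says nothing about networks, so a reader who skips to the operator guidance can miss that the dedicated address should also be distinct per network. Consider adding "per network" to that bullet or pointing back to the new one. The new bullet also gives no pointer to where keys are generated, unlike the rotation bullet, which links to `/guide/node/validator-lifecycle#rotate-validator-identity`; a link to the key generation section of the validator keys page would make it actionable.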
4 changes: 4 additions & 0 deletions src/pages/guide/node/validator-keys.mdx
Expand Up @@ -9,6 +9,8 @@ Tempo validators use several keys and addresses. This page explains what each on

:::warning
Never share your private signing key. Anyone with access to it can impersonate your validator. The Tempo team will never ask for your private key. Store keys securely and restrict file permissions.

Use different signing keys and operator keys for testnet and mainnet. A testnet compromise should never put your mainnet validator at risk.
:::

## Key and address overview
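Review bot: In the paragraph added inside this `:::warning` block, "operator keys" does not match the term used in security.mdx in the same PR, which calls it the "operator address" ("Separate the operator address"). Since this admonition sits directly above "Key and address overview", use whichever name that overview uses so readers can map the warning to an entry there, and use the same term in both files.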
Expand All @@ -24,6 +26,8 @@ Never share your private signing key. Anyone with access to it can impersonate y

:::warning
Never share your private signing key. Anyone with access to it can impersonate your validator. The Tempo team will never ask for your private key.

Use a different key for each network rather than reusing the same validator identity on testnet and mainnet.
:::

Generate an ed25519 keypair:
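Review bot: The sentence added to this second `:::warning` block says "a different key" and "validator identity", while the warning earlier on the same page says "different signing keys and operator keys"; either use the same wording in both or state here that the advice is narrowed to the signing key generated in this section. Because it sits right above "Generate an ed25519 keypair:", it would also help to say that the generation step is run once per network, with each network's key kept in its own file.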