chore(udt-001): RSA key generation script

scripts/generate-keys.ps1

@@ -0,0 +1,30 @@
+# generate-keys.ps1
+# Generates RSA 2048 key pair for JWT RS256 signing
+# Requires: PowerShell 7+ (pwsh)
+# Usage: pwsh -File scripts/generate-keys.ps1
+# Keys are written to src/api/SIGCM2.Api/keys/ (gitignored)
+
+$keysDir = Join-Path $PSScriptRoot "..\src\api\SIGCM2.Api\keys"
+$keysDir = [System.IO.Path]::GetFullPath($keysDir)
+
+if (-not (Test-Path $keysDir)) {
+    New-Item -ItemType Directory -Path $keysDir | Out-Null
+}
+
+$privatePath = Join-Path $keysDir "private.pem"
+$publicPath  = Join-Path $keysDir "public.pem"
+
+$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
+$priv = $rsa.ExportRSAPrivateKeyPem()
+$pub  = $rsa.ExportRSAPublicKeyPem()
+$rsa.Dispose()
+
+Set-Content -Path $privatePath -Value $priv -Encoding UTF8 -NoNewline
+Set-Content -Path $publicPath  -Value $pub  -Encoding UTF8 -NoNewline
+
+Write-Host "RSA 2048 key pair generated:"
+Write-Host "  Private: $privatePath"
+Write-Host "  Public:  $publicPath"
+Write-Host ""
+Write-Host "IMPORTANT: These files are gitignored. Regenerate on each dev machine."
+Write-Host "For production: set env vars JWT__PrivateKey and JWT__PublicKey (PEM content)."