chore(udt-001): RSA key generation script

scripts/generate-keys.ps1

@@ -0,0 +1,30 @@
+# generate-keys.ps1
+# Generates RSA 2048 key pair for JWT RS256 signing
+# Requires: PowerShell 7+ (pwsh)
+# Usage: pwsh -File scripts/generate-keys.ps1
+# Keys are written to src/api/SIGCM2.Api/keys/ (gitignored)
+
+$keysDir = Join-Path $PSScriptRoot "..\src\api\SIGCM2.Api\keys"
+$keysDir = [System.IO.Path]::GetFullPath($keysDir)
+
+if (-not (Test-Path $keysDir)) {
+    New-Item -ItemType Directory -Path $keysDir | Out-Null
+}
+
+$privatePath = Join-Path $keysDir "private.pem"
+$publicPath  = Join-Path $keysDir "public.pem"
+
+$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
+$priv = $rsa.ExportRSAPrivateKeyPem()
+$pub  = $rsa.ExportRSAPublicKeyPem()
+$rsa.Dispose()
+
+Set-Content -Path $privatePath -Value $priv -Encoding UTF8 -NoNewline
+Set-Content -Path $publicPath  -Value $pub  -Encoding UTF8 -NoNewline
+
+Write-Host "RSA 2048 key pair generated:"
+Write-Host "  Private: $privatePath"
+Write-Host "  Public:  $publicPath"
+Write-Host ""
+Write-Host "IMPORTANT: These files are gitignored. Regenerate on each dev machine."
+Write-Host "For production: set env vars JWT__PrivateKey and JWT__PublicKey (PEM content)."

src/api/SIGCM2.Api/keys/README.md

@@ -0,0 +1,28 @@
+# JWT RSA Keys
+
+This directory holds the RSA 2048 key pair used for JWT RS256 signing.
+
+## Files (gitignored)
+
+- `private.pem` — RSA private key (NEVER commit this)
+- `public.pem`  — RSA public key (NEVER commit this)
+- `.gitkeep`    — keeps this directory tracked in git
+
+## Regenerate keys
+
+Run from the repo root (requires PowerShell 7 / pwsh):
+
+```powershell
+pwsh -File scripts/generate-keys.ps1
+```
+
+## Production
+
+In production, set these environment variables instead of files:
+
+```
+JWT__PrivateKey=<base64-encoded PEM content>
+JWT__PublicKey=<base64-encoded PEM content>
+```
+
+The API's `RsaKeyLoader` checks environment variables first, falls back to files.