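# generate-keys.ps1
# Generates RSA 2048 key pair for JWT RS256 signing
# Requires: PowerShell 7+ (pwsh)
# Usage: pwsh -File scripts/generate-keys.ps1
# Keys are written to src/api/SIGCM2.Api/keys/ (gitignored)
#
# NOTE(review): ExportRSAPrivateKeyPem / ExportRSAPublicKeyPem are provided by
# the .NET runtime that pwsh runs on; confirm the minimum pwsh release that
# ships them and raise the version below if needed.

#Requires -Version 7.0

# Stop on the first failed cmdlet so a failed write is never followed by the
# "key pair generated" message.
$ErrorActionPreference = 'Stop'

# Build the path from separate segments so the separator is chosen by the
# platform instead of being hard-coded as a backslash.
$keysDir = Join-Path $PSScriptRoot '..' 'src' 'api' 'SIGCM2.Api' 'keys'
$keysDir = [System.IO.Path]::GetFullPath($keysDir)

if (-not (Test-Path $keysDir)) {
    New-Item -ItemType Directory -Path $keysDir | Out-Null
}

$privatePath = Join-Path $keysDir "private.pem"
$publicPath = Join-Path $keysDir "public.pem"

# Regenerating replaces the signing key, so tokens signed with the previous
# private key will no longer verify against the new public key.
if (Test-Path $privatePath) {
    Write-Warning "Existing key pair in $keysDir will be overwritten; tokens signed with the old key will stop validating."
}

# Generate the pair and release the RSA handle even if an export call throws.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
try {
    $priv = $rsa.ExportRSAPrivateKeyPem()
    $pub = $rsa.ExportRSAPublicKeyPem()
}
finally {
    $rsa.Dispose()
}

# Create (or truncate) the private key file and restrict it BEFORE any key
# material is written, so the key is never on disk with default permissions.
New-Item -ItemType File -Path $privatePath -Force | Out-Null
if (-not $IsWindows) {
    # Owner read/write only. Native commands do not raise PowerShell errors,
    # so the exit code is checked explicitly.
    chmod 600 $privatePath
    if ($LASTEXITCODE -ne 0) {
        throw "chmod 600 failed for $privatePath"
    }
}
# NOTE(review): on Windows the file inherits the ACL of the keys directory;
# tighten it if the checkout lives somewhere other accounts can read.

Set-Content -Path $privatePath -Value $priv -Encoding UTF8 -NoNewline
Set-Content -Path $publicPath -Value $pub -Encoding UTF8 -NoNewline

Write-Host "RSA 2048 key pair generated:"
Write-Host " Private: $privatePath"
Write-Host " Public: $publicPath"
Write-Host ""
Write-Host "IMPORTANT: These files are gitignored. Regenerate on each dev machine."
# NOTE(review): the hint below puts the private key PEM in an environment
# variable; prefer the deployment platform's secret store where one exists.
Write-Host "For production: set env vars JWT__PrivateKey and JWT__PublicKey (PEM content)."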