#!/usr/bin/env bash
# Generate RSA key pair for JWT RS256 (v0.9.1)
# Usage: ./scripts/generate-jwt-keys.sh [output_dir]
# Output: jwt-private.pem, jwt-public.pem (2048-bit RSA)
# NEVER commit these files to Git.

set -e

OUTPUT_DIR="${1:-.}"
PRIVATE="${OUTPUT_DIR}/jwt-private.pem"
PUBLIC="${OUTPUT_DIR}/jwt-public.pem"

echo "Generating RSA 2048-bit key pair for JWT RS256..."
openssl genrsa -out "$PRIVATE" 2048
openssl rsa -in "$PRIVATE" -pubout -out "$PUBLIC"

echo "Keys generated:"
echo "  Private: $PRIVATE"
echo "  Public:  $PUBLIC"
echo ""
echo "Set in .env:"
echo "  JWT_PRIVATE_KEY_PATH=$PRIVATE"
echo "  JWT_PUBLIC_KEY_PATH=$PUBLIC"
echo ""
echo "WARNING: Never commit .pem files to Git!"