fix: PEM newline parsing + shared config extra=ignore

- Add field_validator to expand literal \n in PEM keys (auth config + shared config)
- Set extra='ignore' on shared Settings so service-specific .env vars don't cause ValidationError
- Add *.pem to .gitignore

services/auth/app/config.py

@@ -4,6 +4,7 @@ Contains secrets that ONLY the Auth Service needs (e.g., JWT private key).
 These are NOT in shared/config.py to prevent other services from accessing them.
 """
 
+from pydantic import field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -20,6 +21,13 @@ class AuthSettings(BaseSettings):
     #   openssl rsa -in private.pem -pubout -out public.pem
     JWT_PUBLIC_KEY: str = ""
 
+    @field_validator("JWT_PRIVATE_KEY", "JWT_PUBLIC_KEY", mode="before")
+    @classmethod
+    def _expand_pem_newlines(cls, v: str) -> str:
+        if isinstance(v, str) and r"\n" in v:
+            return v.replace(r"\n", "\n")
+        return v
+
     model_config = SettingsConfigDict(env_file=".env", env_file_encoding="utf-8")