feat(auth): migrate JWT from HS256 to RS256

- Add services/auth/app/config.py with JWT_PRIVATE_KEY and JWT_PUBLIC_KEY
  (Auth Service local config - private key never leaves this service)
- Update routes.py: sign tokens with RS256 private key
- Update deps.py + verify.py: verify tokens with RS256 public key
- Update shared/config.py: replace JWT_SECRET/JWT_ALGORITHM with
  JWT_PUBLIC_KEY (for optional local verification by other services)
- Add sys.path fix in main.py for local dev without PYTHONPATH
Roberto Musso
2026-03-22 00:50:36 +01:00
parent aa219a4d08
commit 9feeaa79c8
6 changed files with 49 additions and 8 deletions


@@ -23,6 +23,7 @@ from shared.db import get_session
from shared.models import RefreshToken, Subscription, User
from shared.schemas import AuthTokens, UserProfile
from app.config import auth_settings
from app.deps import get_current_user
router = APIRouter(prefix="/auth", tags=["auth"])
@@ -45,7 +46,7 @@ def _hash_token(plain_token: str) -> str:
def _make_access_token(user_id: str, email: str, tier: str) -> tuple[str, int]:
"""Return (signed JWT, expires_at_ms)."""
"""Return (RS256-signed JWT, expires_at_ms)."""
now = int(time.time())
exp = now + settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES * 60
payload = {
@@ -55,7 +56,7 @@ def _make_access_token(user_id: str, email: str, tier: str) -> tuple[str, int]:
"exp": exp,
"iat": now,
}
token = jwt.encode(payload, settings.JWT_SECRET, algorithm=settings.JWT_ALGORITHM)
token = jwt.encode(payload, auth_settings.JWT_PRIVATE_KEY, algorithm="RS256")
return token, exp * 1000 # ms for client