Fix agent keystore initialization order

Data/Server/Modules/auth/jwt_service.py

@@ -7,15 +7,17 @@ from __future__ import annotations
 import hashlib
 import time
 from datetime import datetime, timezone
-from pathlib import Path
 from typing import Any, Dict, Optional
 
 import jwt
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ed25519
 
-_KEY_DIR = Path(__file__).resolve().parent.parent / "keys"
+from Modules.runtime import ensure_runtime_dir, runtime_path
+
+_KEY_DIR = runtime_path("auth_keys")
 _KEY_FILE = _KEY_DIR / "borealis-jwt-ed25519.key"
+_LEGACY_KEY_FILE = runtime_path("keys") / "borealis-jwt-ed25519.key"
 
 
 class JWTService:
@@ -96,11 +98,17 @@ def load_service() -> JWTService:
 
 
 def _load_or_create_private_key() -> ed25519.Ed25519PrivateKey:
-    _KEY_DIR.mkdir(parents=True, exist_ok=True)
+    ensure_runtime_dir("auth_keys")
+    _migrate_legacy_key_if_present()
+
     if _KEY_FILE.exists():
         with _KEY_FILE.open("rb") as fh:
             return serialization.load_pem_private_key(fh.read(), password=None)
 
+    if _LEGACY_KEY_FILE.exists():
+        with _LEGACY_KEY_FILE.open("rb") as fh:
+            return serialization.load_pem_private_key(fh.read(), password=None)
+
     private_key = ed25519.Ed25519PrivateKey.generate()
     pem = private_key.private_bytes(
         encoding=serialization.Encoding.PEM,
@@ -116,3 +124,17 @@ def _load_or_create_private_key() -> ed25519.Ed25519PrivateKey:
         pass
     return private_key
 
+
+def _migrate_legacy_key_if_present() -> None:
+    if not _LEGACY_KEY_FILE.exists() or _KEY_FILE.exists():
+        return
+
+    try:
+        ensure_runtime_dir("auth_keys")
+        try:
+            _LEGACY_KEY_FILE.replace(_KEY_FILE)
+        except Exception:
+            _KEY_FILE.write_bytes(_LEGACY_KEY_FILE.read_bytes())
+    except Exception:
+        return
+