fix: relocate server runtime secrets

Data/Server/Modules/crypto/certificates.py

@@ -19,7 +19,9 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.x509.oid import NameOID
 
-_CERT_DIR = Path(__file__).resolve().parent.parent / "certs"
+from Modules.runtime import ensure_runtime_dir, runtime_path
+
+_CERT_DIR = runtime_path("certs")
 _CERT_FILE = _CERT_DIR / "borealis-server-cert.pem"
 _KEY_FILE = _CERT_DIR / "borealis-server-key.pem"
 _BUNDLE_FILE = _CERT_DIR / "borealis-server-bundle.pem"
@@ -35,7 +37,7 @@ def ensure_certificate(common_name: str = "Borealis Server") -> Tuple[Path, Path
     Returns (cert_path, key_path, bundle_path).
     """
 
-    _CERT_DIR.mkdir(parents=True, exist_ok=True)
+    ensure_runtime_dir("certs")
 
     regenerate = not (_CERT_FILE.exists() and _KEY_FILE.exists())
     if not regenerate:

Data/Server/Modules/crypto/signing.py

@@ -10,9 +10,11 @@ from typing import Tuple
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ed25519
 
+from Modules.runtime import ensure_runtime_dir, runtime_path
+
 from .keys import base64_from_spki_der
 
-_KEY_DIR = Path(__file__).resolve().parent.parent / "keys"
+_KEY_DIR = runtime_path("keys")
 _SIGNING_KEY_FILE = _KEY_DIR / "borealis-script-ed25519.key"
 _SIGNING_PUB_FILE = _KEY_DIR / "borealis-script-ed25519.pub"
 
@@ -41,7 +43,7 @@ def load_signer() -> ScriptSigner:
 
 
 def _load_or_create() -> ed25519.Ed25519PrivateKey:
-    _KEY_DIR.mkdir(parents=True, exist_ok=True)
+    ensure_runtime_dir("keys")
     if _SIGNING_KEY_FILE.exists():
         with _SIGNING_KEY_FILE.open("rb") as fh:
             return serialization.load_pem_private_key(fh.read(), password=None)