Server keys in etc/, bind in docker compose

- bin/gen-server-keys.sh: generate Ed25519 keypair to etc/server-service.{pub,key,env}
- main.go: read keys from file (ADMIN_PUBLIC_KEY_FILE) when env empty
- docker-compose: env_file etc/server-service.env, mount etc/
- bin/up.sh: auto-run gen-server-keys if etc/server-service.env missing
- ErrRegistrationNotConfigured for clearer 503 when keys not set
- etc/README.md, etc/.gitignore
- bin/gen-admin-key.sh for one-off key gen
- .env.example

Made-with: Cursor

AGENTS.md

@@ -13,6 +13,7 @@ This file gives future coding agents a fast path map for this repository.
 - TypeScript API client: `libs/geo-api-client/`
 - CI workflow: `.gitea/workflows/ci.yml`
 - Architecture/planning docs: `docs/`
+- Server keys: `etc/` (generated by `./bin/gen-server-keys.sh`)
 
 ## Most common commands
 
@@ -21,7 +22,8 @@ From repo root:
 ```bash
 go test ./...
 go run ./cmd/api
-docker compose up --build -d
+./bin/gen-server-keys.sh   # before first docker up (creates etc/server-service.*)
+./bin/up.sh                # or: docker compose up --build -d
 docker compose down
 docker compose --profile test run --rm test   # run tests as root (avoids var/ permission issues)
 ```