# `tools/local-dev/keys/`

DEV-ONLY cryptographic material used by the `tools/local-dev/` stack.
**Never use any key in this directory in a non-local environment.**

## Files

- `gateway-response.pem` — gateway response-signing private key, PKCS#8 PEM, Ed25519. Mounted into the gateway container at `/run/secrets/gateway-response.pem` and pointed to via `GATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH`.
- `gateway-response.pub` — matching raw 32-byte public key, standard base64. Copied verbatim into `ui/frontend/.env.development` as `VITE_GATEWAY_RESPONSE_PUBLIC_KEY`.

## Regenerating

The keypair is committed because it must be deterministic across developer checkouts (the UI's `.env.development` ships the exact base64 of the public half). Rotate only when a leak is suspected; the keys never reach a non-local environment in normal operation.

To regenerate from a Go one-shot:

```sh
cd tools/local-dev/keys
go run ./regenerate.go
```

The helper writes a fresh PEM, prints the matching public-key base64, and updates `gateway-response.pub`. After regeneration, copy the new `VITE_GATEWAY_RESPONSE_PUBLIC_KEY` value from `gateway-response.pub` into `ui/frontend/.env.development` and commit both changes together.
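
Because the private key, the `.pub` file and the UI env value are committed separately, a rotation can leave them out of sync. The Go check below is an added example, not part of this repository and not `regenerate.go`: it confirms that a base64 public key is the public half of a PKCS#8 Ed25519 PEM. `KeypairMatches` and `NewSampleKeypair` are hypothetical names, and the demo runs on a throwaway key generated in memory rather than the committed files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// KeypairMatches reports whether pubFile (raw 32-byte public key, standard
// base64) is the public half of the PKCS#8 PEM Ed25519 private key in pemBytes.
func KeypairMatches(pemBytes []byte, pubFile string) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PRIVATE KEY" {
		return false, fmt.Errorf("no PKCS#8 PRIVATE KEY block in PEM")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	priv, ok := key.(ed25519.PrivateKey) // ok is false if parsing failed
	if err != nil || !ok {
		return false, fmt.Errorf("PEM does not hold an Ed25519 private key")
	}
	pub, err := base64.StdEncoding.DecodeString(strings.TrimSpace(pubFile))
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, fmt.Errorf("public key is not 32 bytes of standard base64")
	}
	return priv.Public().(ed25519.PublicKey).Equal(ed25519.PublicKey(pub)), nil
}

// NewSampleKeypair builds a throwaway keypair (constructed sample, hypothetical helper).
func NewSampleKeypair() ([]byte, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return pemBytes, base64.StdEncoding.EncodeToString(pub)
}

func main() {
	pemBytes, pubB64 := NewSampleKeypair()
	fmt.Println(KeypairMatches(pemBytes, pubB64+"\n")) // trailing newline as in a file
}
```

To check real files, read their contents with `os.ReadFile` and pass them to `KeypairMatches`; the same comparison applies to the value pasted into `VITE_GATEWAY_RESPONSE_PUBLIC_KEY`.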