feat: JWT token generation API + auto-inject TORI_JWT in executor

- POST /tori/api/token — sign ES256 JWT with configurable private key
- exec.rs auto-generates and injects TORI_JWT env var for all commands
- Config: jwt_private_key field for PEM file path

src/main.rs

@@ -31,6 +31,9 @@ pub struct Config {
     pub database: DatabaseConfig,
     #[serde(default)]
     pub template_repo: Option<TemplateRepoConfig>,
+    /// Path to EC private key PEM file for JWT signing
+    #[serde(default)]
+    pub jwt_private_key: Option<String>,
 }
 
 #[derive(Debug, Clone, serde::Deserialize)]
@@ -104,6 +107,7 @@ async fn main() -> anyhow::Result<()> {
         config.llm.clone(),
         config.template_repo.clone(),
         kb_arc.clone(),
+        config.jwt_private_key.clone(),
     );
 
     timer::start_timer_runner(database.pool.clone(), agent_mgr.clone());