Ajuste nas migrations

backend/internal/services/credentials_service.go

@@ -300,6 +300,11 @@ func getRawPrivateKeyBytes() ([]byte, error) {
 
 // BootstrapCredentials checks if credentials are in DB, if not, migrates from Env
 func (s *CredentialsService) BootstrapCredentials(ctx context.Context) error {
+	// If RSA private key is not available, skip migrating env credentials to DB.
+	if _, err := getRawPrivateKeyBytes(); err != nil {
+		fmt.Printf("[CredentialsBootstrap] RSA_PRIVATE_KEY_BASE64 missing or invalid: %v. Skipping ENV->DB credentials migration.\n", err)
+		return nil
+	}
 	// List of services and their env mapping
 	services := map[string]func() interface{}{
 		"stripe": func() interface{} {

backend/scripts/validate_rsa_key.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ -z "${RSA_PRIVATE_KEY_BASE64:-}" ]; then
+  echo "RSA_PRIVATE_KEY_BASE64 is not set"
+  exit 2
+fi
+
+# Try decode base64
+if echo "$RSA_PRIVATE_KEY_BASE64" | base64 -d > /tmp/rsa_key.pem 2>/dev/null; then
+  :
+else
+  # Try replacing literal \n
+  echo "Attempting to replace literal \n and write PEM"
+  printf '%b' "$RSA_PRIVATE_KEY_BASE64" > /tmp/rsa_key.pem
+fi
+
+# Validate with openssl
+if openssl pkey -in /tmp/rsa_key.pem -noout -text >/dev/null 2>&1; then
+  echo "RSA private key is valid PEM"
+  exit 0
+else
+  echo "RSA private key is invalid"
+  echo "Preview (first 20 lines):"
+  sed -n '1,20p' /tmp/rsa_key.pem
+  exit 1
+fi