Use Azure Blob Storage for Data Protection keys on non-local deployments

When Storage:ConnectionString is configured (dev/staging servers), store
Data Protection keys in Azure Blob Storage (dataprotection-dev/keys.xml)
instead of the local filesystem. Local developer workstations without a
storage connection string continue to use the filesystem fallback.

Fixes UnauthorizedAccessException on the dev IIS server caused by the app
pool identity not having permission to create the DataProtection-Keys
directory after it was wiped during a deploy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/PowderCoating.Web/Program.cs

@@ -147,10 +147,22 @@ if (builder.Environment.IsProduction())
 }
 else
 {
-    var keysPath = Path.Combine(builder.Environment.ContentRootPath, "DataProtection-Keys");
-    builder.Services.AddDataProtection()
-        .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
-        .SetApplicationName("PowderCoatingApp");
+    // Use Azure Blob Storage when the connection string is available (dev/staging servers).
+    // Fall back to local filesystem for developer workstations where storage isn't configured.
+    var devStorageConnStr = builder.Configuration["Storage:ConnectionString"];
+    if (!string.IsNullOrEmpty(devStorageConnStr))
+    {
+        builder.Services.AddDataProtection()
+            .PersistKeysToAzureBlobStorage(devStorageConnStr, "dataprotection-dev", "keys.xml")
+            .SetApplicationName("PowderCoatingApp");
+    }
+    else
+    {
+        var keysPath = Path.Combine(builder.Environment.ContentRootPath, "DataProtection-Keys");
+        builder.Services.AddDataProtection()
+            .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
+            .SetApplicationName("PowderCoatingApp");
+    }
 }
 
 // Configure Identity