fix(dashboard): attach Keycloak token on agent API calls (#90)

compliance-agent/src/api/handlers/dto.rs

@@ -180,6 +180,27 @@ pub struct SbomVersionDiff {
 pub(crate) type AgentExt = axum::extract::Extension<std::sync::Arc<crate::agent::ComplianceAgent>>;
 pub(crate) type ApiResult<T> = Result<axum::Json<ApiResponse<T>>, axum::http::StatusCode>;
 
+/// Resolve a tenant-scoped [`Database`] from the request's
+/// [`TenantContext`] (inserted by the M7.1 JWT middleware, or by the
+/// dev fallback in unsecured environments). The pool ensures the
+/// tenant's indexes idempotently.
+///
+/// Returns 500 on the rare path where Mongo refuses the database
+/// handle — the M7.1 auth/status middleware already rejects every
+/// other failure mode with 4xx before we get here.
+pub(crate) async fn tenant_db(
+    agent: &crate::agent::ComplianceAgent,
+    tenant: &compliance_core::tenant_ctx::TenantCtx,
+) -> Result<crate::database::Database, axum::http::StatusCode> {
+    agent.db_pool.for_tenant(&tenant.0).await.map_err(|e| {
+        tracing::error!(
+            tenant_id = %tenant.0.tenant_id,
+            "Failed to acquire tenant database: {e}"
+        );
+        axum::http::StatusCode::INTERNAL_SERVER_ERROR
+    })
+}
+
 pub(crate) async fn collect_cursor_async<T: serde::de::DeserializeOwned + Unpin + Send>(
     mut cursor: mongodb::Cursor<T>,
 ) -> Vec<T> {