Without this, every Keycloak signing-key rotation produces a silent
401 storm against every request until the agent restarts — the cached
JWKS is held forever and never reconciled against KC.
Now: when `kid` isn't in the cached JWKS or the matching key fails
signature verification, we classify the failure as Stale, force a JWKS
refresh, and retry once. Anything else (expired, malformed, missing
tenant_id) is Permanent and short-circuits straight to 401.
* Splits the path into a pure `try_validate(token, header, kid, jwks)`
helper returning a `ValidationError { Stale | Permanent }` enum.
* `fetch_or_get_jwks(state, force)` takes a force flag and holds the
write lock across the network fetch so concurrent refreshers don't
all hammer Keycloak when keys rotate (the second writer reuses what
the first put in cache).
* Adds a unit test for the kid-not-found Stale classification.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sharang Parnerkar