A minimal Axum binary that mounts compliance-core's M7.1 middleware on
three endpoints (public health, protected GET echo, protected POST echo)
so we can prove the tenant-gating contract end-to-end against a live KC
before any auth-path PR merges.
scripts/smoke.sh drives the binary against the five test users defined
in the certifai realm (admin/user → active, trial/frozen/archived) and
asserts the exact response code per (user × method × endpoint). Run it
once before touching auth, tenant_status, or org_roles code.
Validated locally — 15/15 assertions pass:
* anon/bogus → 401 on protected, 200 on /health
* active/trial → 200 on read + write
* frozen → 200 read, 402 write (read-after-cancel gate)
* archived → 410 read + 410 write (retention window closed)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Moves the tenant-aware HTTP infrastructure into compliance-core so every
future product (compliance-agent, compliance-dast, compliance-mcp, the
upcoming smoke harness) shares one source of truth instead of each crate
re-implementing claims extraction and the status gate.
* tenant.rs — TenantStatus / OrgRole / TenantContext (unconditional)
* db.rs — tenant_filter + tenant_filter_merge for query scoping
* auth.rs — require_jwt_auth + require_tenant_status + JwksState
* tenant_ctx.rs — Axum TenantCtx extractor
* `axum` cargo feature gates the HTTP-dependent modules so wasm
consumers (the dashboard frontend) don't pull axum/jsonwebtoken/reqwest
40 unit tests across the moved modules — all green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sharang Parnerkar