cb7b1b86f5
CI / Check (pull_request) Successful in 11m31s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
Axum applies layers outermost-first. With the previous ordering (`Extension(jwks_state)` first, `require_jwt_auth` last), the JWT middleware ran before the Extension layer attached `JwksState` to the request, so `request.extensions().get::<JwksState>()` always returned None and the middleware silently passed through every request as if Keycloak weren't configured.

Verified end-to-end against the local CERTifAI Keycloak realm:

- no token / bad token -> 401
- active / trial -> 200 read, write reaches handler
- frozen -> 200 read, 402 on writes
- archived -> 410 on every method

The bug was invisible to the unit + integration tests because they construct the layer stack manually; only the live wiring exhibited it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
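The ordering failure described in the commit message, reproduced as an added example that is not part of the commit or the project's code. It is a std-only Rust model: `build`, `extension_layer`, `jwt_layer` and `status_without_token` are hypothetical stand-ins for Axum's layering, `Extension(jwks_state)` and `require_jwt_auth`, and the reversed ordering is assumed to be the fix.

```rust
// Std-only model of tower-style layering; these are not Axum's real types.
use std::collections::HashMap;

type Request = HashMap<&'static str, String>; // stands in for headers + extensions
type Handler = Box<dyn Fn(Request) -> u16>; // returns an HTTP status code
type Layer = Box<dyn Fn(Handler) -> Handler>;

/// Like repeated `.layer(...)` calls: each layer wraps everything added so far,
/// so the layer added LAST is outermost and sees the request FIRST.
fn build(handler: Handler, layers: Vec<Layer>) -> Handler {
    layers.into_iter().fold(handler, |inner, layer| layer(inner))
}

/// Stand-in for `Extension(jwks_state)`: attaches state, then calls the inner service.
fn extension_layer() -> Layer {
    Box::new(|inner: Handler| -> Handler {
        Box::new(move |mut req: Request| {
            req.insert("jwks_state", "constructed-keys".to_string());
            inner(req)
        })
    })
}

/// Stand-in for `require_jwt_auth`: passes through when no state is attached
/// (the behaviour the commit message describes), otherwise demands a token.
fn jwt_layer() -> Layer {
    Box::new(|inner: Handler| -> Handler {
        Box::new(move |req: Request| {
            if !req.contains_key("jwks_state") {
                return inner(req); // treated as "Keycloak not configured"
            }
            let authorized = req.get("authorization").map(String::as_str) == Some("valid");
            if authorized { inner(req) } else { 401 }
        })
    })
}

/// Sends a request with no token through the given stack and returns the status.
fn status_without_token(layers: Vec<Layer>) -> u16 {
    let app = build(Box::new(|_req: Request| 200u16), layers);
    app(Request::new())
}

fn main() {
    // Previous ordering (Extension first, JWT last): JWT runs before state exists.
    println!("before: {}", status_without_token(vec![extension_layer(), jwt_layer()]));
    // Reversed ordering (assumed fix): Extension is outermost and runs first.
    println!("after:  {}", status_without_token(vec![jwt_layer(), extension_layer()]));
}
```

A test that calls the fully assembled stack with no token and expects 401 exercises the live wiring, which a manually constructed layer stack does not.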