0ded5ee07a
Temporary diagnostic for triaging token-verification 401s. On verify failure (signature mismatch / expired / kid not in JWKS / wrong aud), log the underlying error plus a whitelisted decode of the JWT header (kid, alg, typ) and payload (iss, aud, azp, sub, exp, iat) so the cause is distinguishable from the log alone. Only fires on failure — successful requests stay unlogged. The decodeJWTPart helper whitelists safe metadata fields and never returns the signature segment. Remove once the current realm-config drift is settled. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>