1. Security Flaw: TokenValidationConfig.require_https Flag is Dead Code, Misleading Users on HTTP Support
A critical security configuration flag in the token validation system is non-functional, creating a dangerous mismatch between user expectations and system behavior. The `require_https` boolean field on the `TokenValidationConfig` model is never read by the underlying validation pipeline. Users who explicitly set `requ...