✅ Completed Tasks

• Unit tests: RbacReactiveJwtAuthenticationConverterTest — 10 cases covering role lists, comma-separated strings, username matching, sub fallback, empty groups, regex subjects
• Integration tests: JwtResourceServerRbacTest — 6 cases using WireMock JWKS + RSA-signed JWTs verifying end-to-end decode → role extraction → principal creation
• All existing OAuth/RBAC tests pass (no regressions)
• Checkstyle passes
• Deployed internally with the following environment, non-admin folks can no longer see message viewing