2d5047cc63
The official-bots rollout never mounted the ncs-jwt-keys secret nor set JWT_PUBLIC_KEY_PATH, so the service fell back to the image-baked public.pem, which does not match the deployed signing key. Every token failed RS256 verification -> 401. Mount ncs-jwt-keys at /secrets/jwt and point JWT_PUBLIC_KEY_PATH there, mirroring account/core/tournament. Verify-only, no private key. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Reviewed-on: #413