Fix binding token extraction and harden startup concurrency

app/proxy/handler.py

@@ -9,7 +9,7 @@ from fastapi.responses import JSONResponse, StreamingResponse
 
 from app.config import Settings
 from app.core.ip_utils import extract_client_ip
-from app.core.security import extract_bearer_token
+from app.core.security import extract_request_token
 from app.dependencies import get_alert_service, get_binding_service, get_settings
 from app.services.alert_service import AlertService
 from app.services.binding_service import BindingService
@@ -56,7 +56,7 @@ async def reverse_proxy(
     alert_service: AlertService = Depends(get_alert_service),
 ):
     client_ip = extract_client_ip(request, settings)
-    token = extract_bearer_token(request.headers.get("authorization"))
+    token, token_source = extract_request_token(request.headers)
 
     if token:
         binding_result = await binding_service.evaluate_token_binding(token, client_ip)
@@ -75,6 +75,7 @@ async def reverse_proxy(
                 status_code=binding_result.status_code,
                 content={"detail": binding_result.detail},
             )
+        logger.debug("Token binding check passed.", extra={"client_ip": client_ip, "token_source": token_source})
     else:
         await binding_service.increment_request_metric("allowed")