test(auth): pin security contracts the round-trip tests left implicit

Fills three real gaps caught during pre-merge review:
1. APIKeyAuthMiddleware short-circuit on identity. Real Identity
short-circuits; None and MagicMock and a duck-typed lookalike all
correctly do NOT. Locks in the isinstance guard against future
regressions to a truthy check (which would silently disable api-key
auth in mock-based tests). Plus a full-stack integration test of
both middlewares composed in production order with a protected
/api/v1/test/ping route — covers anonymous → 401, api-key alone →
200, session alone → 200, both → 200, same-origin shortcut disabled
when auth is on, invalid api-key → 401.

2. Cookie attribute shape. Direct unit tests on set_session_cookies
and clear_session_cookies pin the security flags: HttpOnly only on
the session cookie (not the CSRF companion), SameSite=Lax (load-
bearing for OIDC redirect-back; Strict would silently break SSO),
Secure flag tracks auth_cookie_secure, Max-Age matches TTL, Path=/,
X-Auth-Cookie-Set sentinel always present. Catches future hardening
passes that would flip Lax→Strict or drop HttpOnly.

3. Sliding-window re-issue in SessionAuthMiddleware. Fresh session →
no Set-Cookie. Backdated session past half-life → fresh cookie
minted. Sentinel header on the response (login/logout pattern) →
middleware does NOT re-issue, preventing the double-write race that
would resurrect a logged-out session. Plus invalid cookie → no
Set-Cookie (anonymous request must not cause minting).

Also fixes a latent fixture bug: with `from __future__ import
annotations`, FastAPI looks up route-parameter type hints in
``__globals__`` at registration time. ``Request`` and ``Identity`` had
been imported inside the fixture function, so the closure-defined route
got 422 missing-field for ``request`` instead of injection. Hoisted to
module scope.

23 new tests; full unit suite: 566 → 553 + 13. No regressions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
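Added illustration, not part of the commit and not the project's code: a self-contained Python model of the three contracts the message says the new tests pin (isinstance guard on identity, cookie attribute shape, sliding-window re-issue gated by the sentinel header). The names `Identity`, `set_session_cookies`, `clear_session_cookies`, the cookie names `session`/`csrf`, the `X-Auth-Cookie-Set` sentinel value and the `sliding_reissue` decision function are assumptions modelled on the commit text; the real FastAPI middlewares are not reproduced here, only the decisions they are described as making.

```python
from __future__ import annotations

from dataclasses import dataclass
from unittest.mock import MagicMock

# Assumed names modelled on the commit message; not the project's own code.
SENTINEL = "X-Auth-Cookie-Set"
SESSION_COOKIE = "session"
CSRF_COOKIE = "csrf"


@dataclass(frozen=True)
class Identity:
    subject: str


class DuckIdentity:
    """Same attribute shape as Identity but not an instance; must not short-circuit."""

    subject = "duck"


def api_key_short_circuits(state_user: object) -> bool:
    """APIKeyAuthMiddleware guard: skip api-key auth only for a real Identity.

    isinstance, not truthiness: MagicMock() and duck-typed objects are truthy,
    so a truthy check would silently disable api-key auth under mocks.
    """
    return isinstance(state_user, Identity)


def api_key_short_circuits_truthy(state_user: object) -> bool:
    """The regression the tests lock out: a bare truthiness check."""
    return bool(state_user)


def short_circuit_matrix(guard) -> dict[str, bool]:
    """Run a guard over the four cases the tests pin: real, None, mock, duck."""
    return {
        "identity": guard(Identity("alice")),
        "none": guard(None),
        "magicmock": guard(MagicMock()),
        "duck": guard(DuckIdentity()),
    }


def _cookie(name: str, value: str, ttl: int, secure: bool, http_only: bool) -> str:
    # SameSite=Lax is load-bearing: the OIDC redirect-back must carry the cookie.
    attrs = [f"{name}={value}", "Path=/", f"Max-Age={ttl}", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    if secure:  # tracks the auth_cookie_secure setting
        attrs.append("Secure")
    return "; ".join(attrs)


def set_session_cookies(session_id: str, csrf_token: str, ttl: int, secure: bool) -> dict[str, object]:
    """Login: session cookie HttpOnly; CSRF companion readable by JS; sentinel always set."""
    return {
        "Set-Cookie": [
            _cookie(SESSION_COOKIE, session_id, ttl, secure, http_only=True),
            _cookie(CSRF_COOKIE, csrf_token, ttl, secure, http_only=False),
        ],
        SENTINEL: "1",
    }


def clear_session_cookies(secure: bool) -> dict[str, object]:
    """Logout: same names/attributes with Max-Age=0 so the browser matches and drops them."""
    return {
        "Set-Cookie": [
            _cookie(SESSION_COOKIE, "", 0, secure, http_only=True),
            _cookie(CSRF_COOKIE, "", 0, secure, http_only=False),
        ],
        SENTINEL: "1",
    }


def parse_cookie(header: str) -> dict[str, str | None]:
    """Split a Set-Cookie value into {lowercased attribute: value or None} plus name/value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    out: dict[str, str | None] = {"name": name, "value": value}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        out[key.lower()] = val if sep else None
    return out


def sliding_reissue(issued_at: float, ttl: int, now: float, valid: bool,
                    response_headers: dict[str, object]) -> bool:
    """SessionAuthMiddleware post-response decision: mint a fresh cookie past half-life.

    An invalid/anonymous request never mints. A response already carrying the
    sentinel (login/logout wrote the cookie itself) is left alone; otherwise the
    middleware's Set-Cookie would race the logout clear and resurrect the session.
    """
    if not valid:
        return False
    if SENTINEL in response_headers:
        return False
    return (now - issued_at) >= ttl / 2
```

The guard matrix is the point of the first contract: `api_key_short_circuits_truthy` reports a `MagicMock()` as authenticated, which is exactly how a mock-based test would stop exercising api-key auth without failing.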