Both handlers extracted RemoteUser then immediately discarded it; the
require_auth middleware already enforces the Remote-User header. Drop
the extractor and its parameter; the type can come back when a handler
actually needs the username.

Assisted-by: Claude Opus 4.7 via Claude Code

diff --git a/src/quire/web/auth.rs b/src/quire/web/auth.rs
index 930d33f..66d171e 100644
--- a/src/quire/web/auth.rs
+++ b/src/quire/web/auth.rs
@@ -1,43 +1,9 @@
-//! Auth middleware and identity extractor.
+//! Auth middleware for the web view.
 
-use axum::extract::FromRequestParts;
 use axum::http::StatusCode;
-use axum::http::request::Parts;
 use axum::middleware::Next;
 use axum::response::{IntoResponse, Response};
 
-/// Identity extracted from the `Remote-User` header injected by the
-/// reverse proxy. Present means authenticated; absent means
-/// unauthenticated. Both are valid — individual handlers (or future
-/// middleware) decide whether to require auth.
-#[derive(Clone, Debug)]
-pub struct RemoteUser(pub Option<String>);
-
-impl RemoteUser {
-    /// Whether the request carries an authenticated identity.
-    pub fn is_authenticated(&self) -> bool {
-        self.0.is_some()
-    }
-
-    /// The username, if authenticated.
-    pub fn username(&self) -> Option<&str> {
-        self.0.as_deref()
-    }
-}
-
-impl<S: Send + Sync> FromRequestParts<S> for RemoteUser {
-    type Rejection = std::convert::Infallible;
-
-    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
-        let user = parts
-            .headers
-            .get("Remote-User")
-            .and_then(|v| v.to_str().ok())
-            .map(|s| s.to_string());
-        Ok(RemoteUser(user))
-    }
-}
-
 /// Middleware that rejects unauthenticated requests.
 ///
 /// CI routes require auth per the access matrix in PLAN.md.
diff --git a/src/quire/web/handlers.rs b/src/quire/web/handlers.rs
index 38db969..cbd2c15 100644
--- a/src/quire/web/handlers.rs
+++ b/src/quire/web/handlers.rs
@@ -5,7 +5,6 @@ use axum::extract::{Path as AxumPath, State};
 use axum::http::StatusCode;
 use axum::response::{Html, IntoResponse, Response};
 
-use super::auth::RemoteUser;
 use super::db;
 use super::templates::*;
 use crate::Quire;
@@ -39,12 +38,7 @@ fn render_error(repo: String, status: StatusCode, title: &str, detail: String) -
     }
 }
 
-pub async fn run_list(
-    State(quire): State<Quire>,
-    AxumPath(repo): AxumPath<String>,
-    user: RemoteUser,
-) -> Response {
-    let _user = user;
+pub async fn run_list(State(quire): State<Quire>, AxumPath(repo): AxumPath<String>) -> Response {
     let repo_display = repo.trim_end_matches(".git").to_string();
     let repo_name = db::resolve_repo_name(&repo);
     if quire.repo(&repo_name).is_err() {
@@ -88,9 +82,7 @@ pub async fn run_list(
 pub async fn run_detail(
     State(quire): State<Quire>,
     AxumPath((repo, run_id)): AxumPath<(String, String)>,
-    user: RemoteUser,
 ) -> Response {
-    let _user = user;
     let repo_display = repo.trim_end_matches(".git").to_string();
     let repo_name = db::resolve_repo_name(&repo);
     if quire.repo(&repo_name).is_err() || !db::is_valid_run_id(&run_id) {