| """ |
| infra.auth.admin — platform-level admin credential (Stage 5b). |
| |
| A single secret read from the ``ORGSTATE_ADMIN_KEY`` environment variable. |
| When set, it gates ``POST /tenants`` (so randoms can't enumerate the |
| platform) and acts as an override for the tenant-key check on any |
| tenant-scoped endpoint (so operators can manage all tenants without |
| holding every per-tenant key). |
| |
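| When **not** set, admin enforcement is a no-op — that keeps the v1 |
| bootstrap experience working locally (``docker compose up`` then |
| ``curl POST /tenants``) without surprising operators with 401s. |
| Note that this is fail-open: a deployment that omits the variable leaves |
| ``POST /tenants`` ungated by the admin key. |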
| |
| A future slice can replace this with an ``admin_keys`` table for rotation, |
| multi-admin, and audit — keeping the same helper surface. |
| """ |
| from __future__ import annotations |
|
|
| import os |
| from typing import Optional |
|
|
# Name of the environment variable that holds the platform admin secret.
ADMIN_ENV_VAR = "ORGSTATE_ADMIN_KEY"


def get_admin_key() -> Optional[str]:
    """Return the admin key from the environment, or None when unconfigured.

    The value is read from the variable named by ``ADMIN_ENV_VAR`` on every
    call. A missing variable and an empty string both yield None, so a bare
    ``ORGSTATE_ADMIN_KEY=`` line in a .env file does not silently lock the
    API.

    Security notes:
        * None means "admin auth not configured". Per the module docstring
          that makes admin enforcement a no-op, i.e. the check fails open
          when the variable is absent or empty.
        * Only the empty string is mapped to None. A whitespace-only value
          is returned unchanged and therefore counts as a configured key.
        * NOTE(review): the code comparing a presented credential with this
          value is not visible here; confirm it uses a constant-time
          comparison such as ``hmac.compare_digest``.

    Returns:
        The configured key exactly as stored in the environment, or None.
    """
    configured = os.environ.get(ADMIN_ENV_VAR)
    if not configured:
        # Covers both "variable absent" (None) and "variable empty" ("").
        return None
    return configured
|
|