"""
infra.auth.admin — platform-level admin credential (Stage 5b).

A single secret read from the ``ORGSTATE_ADMIN_KEY`` environment variable.
When set, it gates ``POST /tenants`` (so randoms can't enumerate the
platform) and acts as an override for the tenant-key check on any
tenant-scoped endpoint (so operators can manage all tenants without
holding every per-tenant key).

When **not** set, admin enforcement is a no-op — that keeps the v1
bootstrap experience working locally (``docker compose up`` then
``curl POST /tenants``) without surprising operators with 401s.

A future slice can replace this with an ``admin_keys`` table for rotation,
multi-admin, and audit — keeping the same helper surface.
"""
from __future__ import annotations

import os
from typing import Optional

ADMIN_ENV_VAR = "ORGSTATE_ADMIN_KEY"


def get_admin_key() -> Optional[str]:
    """The configured admin key, or None if admin auth is not configured.

    Empty string is treated as not-configured (so ``ORGSTATE_ADMIN_KEY=``
    in a .env file does not silently lock the API)."""
    value = os.environ.get(ADMIN_ENV_VAR)
    return value if value else None