try:
    from fastapi import Header, HTTPException
except Exception:
    Header = None
    HTTPException = Exception
from api_key_auth import verify_api_key, require_permission_principal

def extract_bearer(authorization):
    if not authorization or not authorization.startswith('Bearer '): return None
    return authorization.replace('Bearer ', '', 1).strip()
def require_permission(permission):
    def dependency(authorization: str = Header(None)):
        raw = extract_bearer(authorization)
        if not raw: raise HTTPException(status_code=401, detail='Missing bearer token')
        verified = verify_api_key(raw)
        if not verified.get('ok'): raise HTTPException(status_code=401, detail=verified.get('error'))
        principal = verified['principal']; check = require_permission_principal(principal, permission)
        if not check.get('ok'): raise HTTPException(status_code=403, detail=check.get('error'))
        return principal
    return dependency