package permission

import (
	"context"
	"net/http"

	logic "gateway/internal/logic/permission"
)

// actorContext threads (tenant_id, uid) onto the request context. Bearer
// JWT middleware writes Actor first; dev mode falls back to headers so
// `make run-local` works without auth.
func actorContext(ctx context.Context, r *http.Request) context.Context {
	if _, err := logic.ActorFromContext(ctx); err == nil {
		return ctx
	}
	return logic.WithActor(ctx, r.Header.Get("X-Tenant-ID"), r.Header.Get("X-UID"))
}