fix(projects): perm-gate create + apikey-via-Bearer + introspect with apikey

Three coupled fixes so non-admin agents (e.g. nav, role=mgr) can
actually create projects through hf-cli with their API key:

1. POST /projects no longer hardcodes is_admin. It checks the global
   `project.create` perm via role_permissions (admin still wins via
   is_admin short-circuit). Permission-denied 403 message names the
   exact perm.

2. /auth/me/permissions now uses get_current_user_or_apikey (was
   get_current_user JWT-only). This is what hf-cli hits to populate
   its local permission cache that drives the "not permitted" gate;
   previously every API-key-authed agent saw all commands as gated.

3. get_current_user_or_apikey now also accepts an API key delivered
   via Authorization: Bearer (in addition to X-API-Key). hf-cli only
   knows Bearer; trying to JWT-decode an API key string would fail —
   so on decode failure, fall through to the API key lookup. Keeps
   X-API-Key behavior unchanged.

4. init_bootstrap: add `project.create` to DEFAULT_PERMISSIONS and to
   _MGR_PERMISSIONS so admin (auto-all) + mgr both get it on seed.

Bug came to light when manager-agent reported `hf project list`/`create`
returned `not permitted`. Root cause: hf-cli calls /auth/me/permissions
with the API key via Bearer header → 401 → state.Known=false → every
command in the surface is gated false locally. Even after the local
gate, POST /projects would still 403 due to the hardcoded admin check.
All four steps above are required end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/api/routers/auth.py

@@ -11,7 +11,7 @@ from app.core.config import get_db, settings
 from app.models import models
 from app.models.role_permission import Permission, Role, RolePermission
 from app.schemas import schemas
-from app.api.deps import Token, verify_password, create_access_token, get_current_user
+from app.api.deps import Token, verify_password, create_access_token, get_current_user, get_current_user_or_apikey
 
 router = APIRouter(prefix="/auth", tags=["Auth"])
 
@@ -80,7 +80,7 @@ class PermissionIntrospectionResponse(BaseModel):
 
 @router.get("/me/permissions", response_model=PermissionIntrospectionResponse)
 async def get_my_permissions(
-    current_user: models.User = Depends(get_current_user),
+    current_user: models.User = Depends(get_current_user_or_apikey),
     db: Session = Depends(get_db),
 ):
     """Return the current user's effective permissions for CLI help introspection."""

app/api/routers/projects.py

@@ -153,9 +153,27 @@ def _generate_project_code(db, name: str) -> str:
 
 @router.post("", response_model=schemas.ProjectResponse, status_code=status.HTTP_201_CREATED)
 def create_project(project: schemas.ProjectCreate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
-    # Check if user is admin
+    # Project creation is gated by the `project.create` global permission
+    # (admin auto-grants by virtue of is_admin). Any role granted that perm
+    # via the Role Editor can create projects.
     if not current_user.is_admin:
-        raise HTTPException(status_code=403, detail="Only admins can create projects")
+        from app.models.role_permission import Permission, RolePermission
+        has = (
+            db.query(Permission.id)
+            .join(RolePermission, RolePermission.permission_id == Permission.id)
+            .filter(
+                RolePermission.role_id == current_user.role_id,
+                Permission.name == "project.create",
+            )
+            .first()
+            if current_user.role_id
+            else None
+        )
+        if not has:
+            raise HTTPException(
+                status_code=403,
+                detail="Permission denied: project.create required",
+            )
     # Auto-fill owner_name from owner_id
     user = db.query(models.User).filter(models.User.id == project.owner_id).first()
     if not user: