Verify an API key (optionally requiring scopes) and return a { scopes } Principal.
DEVIATION from saastarter (receipted): saastarter never derives IDENTITY from verifyApiKey — identity comes from
the session, and verifyApiKey is used ONLY to check scopes (services/auth.ts:133-147). Suluk's key-auth-only
path uses the verified key's userId + permissions AS the Principal — an invented composition for stateless API
callers that have no session. Result-returning (not throwing) to match the package idiom (preview.ts/principal.ts).
Verify an API key (optionally requiring scopes) and return a
{ scopes }Principal.DEVIATION from saastarter (receipted): saastarter never derives IDENTITY from
verifyApiKey— identity comes from the session, andverifyApiKeyis used ONLY to check scopes (services/auth.ts:133-147). Suluk's key-auth-only path uses the verified key'suserId+permissionsAS the Principal — an invented composition for stateless API callers that have no session. Result-returning (not throwing) to match the package idiom (preview.ts/principal.ts).