feat: add bootstrap API key creation on startup

biru-codeastromer · claude · biru-codeastromer · commit b330daa6088f · 2026-03-29T00:47:16.000+05:30
When WMG_BOOTSTRAP_API_KEY env var is set, the server creates an
admin/runs:write API key on first startup if no keys exist yet.
This enables production write access without shell access.
Added to render.yaml with generateValue for secure auto-generation.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/render.yaml b/render.yaml
@@ -26,3 +26,5 @@ services:
         value: "false"
       - key: WMG_UPLOAD_TOKEN
         generateValue: true
+      - key: WMG_BOOTSTRAP_API_KEY
+        generateValue: true
diff --git a/server/worldmodel_server/config.py b/server/worldmodel_server/config.py
@@ -64,6 +64,7 @@ def __init__(self) -> None:
         self.seed_demo_data = _as_bool(os.getenv("WMG_SEED_DEMO_DATA"), False)
         self.log_json = _as_bool(os.getenv("WMG_LOG_JSON"), True)
         self.log_level = os.getenv("WMG_LOG_LEVEL", "INFO").upper()
+        self.bootstrap_api_key = os.getenv("WMG_BOOTSTRAP_API_KEY", "")
 
     @property
     def is_production(self) -> bool:
diff --git a/server/worldmodel_server/main.py b/server/worldmodel_server/main.py
@@ -19,7 +19,7 @@
 from worldmodel_server.rate_limit import rate_limiter
 from worldmodel_server.request_logging import configure_logging, log_request_event
 from worldmodel_server.schemas import LeaderboardRow, RunCreate, RunResponse
-from worldmodel_server.seed import seed_demo_runs
+from worldmodel_server.seed import bootstrap_api_key, seed_demo_runs
 from worldmodel_server.storage import (
     artifact_key,
     ensure_storage_dirs,
@@ -53,6 +53,9 @@ async def lifespan(_app: FastAPI):
             print("[lifespan] Migrations complete", flush=True)
         ensure_storage_dirs()
         print("[lifespan] Storage dirs ensured", flush=True)
+        with SessionLocal() as session:
+            if bootstrap_api_key(session):
+                print("[lifespan] Bootstrap API key created", flush=True)
         if settings.seed_demo_data:
             print("[lifespan] Seeding demo data...", flush=True)
             with SessionLocal() as session:
diff --git a/server/worldmodel_server/seed.py b/server/worldmodel_server/seed.py
@@ -6,7 +6,7 @@
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 
-from worldmodel_server.models import RunEntry
+from worldmodel_server.models import ApiKey, RunEntry
 from worldmodel_server.storage import save_run_artifact, storage_status
 
 DEMO_RUNS = [
@@ -126,3 +126,27 @@ def seed_demo_runs(session: Session, *, force: bool = False) -> int:
 
     session.commit()
     return created_count
+
+
+def bootstrap_api_key(session: Session) -> bool:
+    """Create a production API key from WMG_BOOTSTRAP_API_KEY if no keys exist yet.
+
+    Returns True if a new key was created, False otherwise.
+    """
+    from worldmodel_server.auth import create_api_key as _create_api_key
+    from worldmodel_server.config import settings
+
+    if not settings.bootstrap_api_key:
+        return False
+
+    existing = session.scalars(select(ApiKey.id).limit(1)).first()
+    if existing is not None:
+        return False
+
+    _create_api_key(
+        session,
+        name="prod-writer",
+        scopes=["admin", "runs:write"],
+        raw_key=settings.bootstrap_api_key,
+    )
+    return True
