Generate API key on actor create, return in response

Previously, POST /actors created an actor with no API key — the
APIKeyHash field was json:"-" and the generic jsonBody handler had
no way to generate one. The actor was created but unusable.

Now the handler generates a random API key, hashes it, stores the
hash, and returns the plaintext key as api_key in the response
(shown once). This matches the seed admin flow and makes actor
creation via CLI/API/MCP fully functional.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bricef

internal/http/handlers.go

@@ -2,7 +2,10 @@ package http
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 
@@ -20,6 +23,42 @@ func (s *Server) updateActor(ctx context.Context, r *http.Request) (any, error)
 	return s.svc.UpdateActor(ctx, p)
 }
 
+// --- Actors ---
+
+func (s *Server) createActor(ctx context.Context, r *http.Request) (any, error) {
+	var p model.CreateActorParams
+	if err := decodeBody(r, &p); err != nil {
+		return nil, err
+	}
+
+	// Generate an API key for the new actor.
+	apiKey, err := generateAPIKey()
+	if err != nil {
+		return nil, fmt.Errorf("generating API key: %w", err)
+	}
+	p.APIKeyHash = HashAPIKey(apiKey)
+
+	actor, err := s.svc.CreateActor(ctx, p)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return the actor with the plaintext API key (shown once).
+	type actorWithKey struct {
+		model.Actor
+		APIKey string `json:"api_key"`
+	}
+	return actorWithKey{Actor: actor, APIKey: apiKey}, nil
+}
+
+func generateAPIKey() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
 // --- Boards ---
 
 func (s *Server) listBoards(ctx context.Context, r *http.Request) (any, error) {

internal/http/routes.go

@@ -137,7 +137,7 @@ func (s *Server) resourceHandlers() map[string]handler {
 func (s *Server) operationHandlers() map[string]handler {
 	return map[string]handler{
 		// Actors
-		"actor_create": jsonBody(s.svc.CreateActor),
+		"actor_create": s.createActor,
 		"actor_update": s.updateActor,
 
 		// Boards