feat: apikey alias/renewal + markdown/patch authorship

- APIKey.alias (unique, required). Creating with an existing alias
  renews that key: same key string kept, validity reset to 15d,
  reactivated, name/roles updated (response has renewed=true).
- get_actor(): X-API-Key -> key alias, Bearer -> 'admin'.
- markdown & patch create/update record author / created_at /
  updated_at / last_modified_by from the actor.
- Idempotent run_migrations() (information_schema-guarded ALTERs +
  backfill) so existing tables/data gain the new columns on startup;
  create_all still covers fresh DBs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

db/__init__.py

@@ -59,12 +59,71 @@ def init_payload():
         session.commit()
 
 
+def _column_exists(conn, table, column):
+    row = conn.execute(text(
+        "SELECT 1 FROM information_schema.columns "
+        "WHERE table_schema = :db AND table_name = :t AND column_name = :c"
+    ), {"db": DB_NAME, "t": table, "c": column}).first()
+    return row is not None
+
+
+def _index_exists(conn, table, index):
+    row = conn.execute(text(
+        "SELECT 1 FROM information_schema.statistics "
+        "WHERE table_schema = :db AND table_name = :t AND index_name = :i"
+    ), {"db": DB_NAME, "t": table, "i": index}).first()
+    return row is not None
+
+
+def run_migrations():
+    """Idempotent additive schema migrations for already-existing tables.
+
+    create_all() creates missing tables (with the new columns) for a fresh
+    DB, but never alters existing ones. This adds the new columns to legacy
+    tables and backfills sensible defaults. Safe to run on every startup.
+    """
+    # (table, column, DDL, backfill SQL or None)
+    steps = [
+        ("apikey", "alias", "ALTER TABLE apikey ADD COLUMN alias VARCHAR(255) NULL",
+         "UPDATE apikey SET alias = `key` WHERE alias IS NULL"),
+        ("markdown", "updated_at", "ALTER TABLE markdown ADD COLUMN updated_at DATETIME NULL",
+         "UPDATE markdown SET updated_at = created_at WHERE updated_at IS NULL"),
+        ("markdown", "author", "ALTER TABLE markdown ADD COLUMN author VARCHAR(255) NULL",
+         "UPDATE markdown SET author = 'admin' WHERE author IS NULL"),
+        ("markdown", "last_modified_by", "ALTER TABLE markdown ADD COLUMN last_modified_by VARCHAR(255) NULL",
+         "UPDATE markdown SET last_modified_by = 'admin' WHERE last_modified_by IS NULL"),
+        ("markdown_patch", "author", "ALTER TABLE markdown_patch ADD COLUMN author VARCHAR(255) NULL",
+         "UPDATE markdown_patch SET author = 'admin' WHERE author IS NULL"),
+        ("markdown_patch", "last_modified_by", "ALTER TABLE markdown_patch ADD COLUMN last_modified_by VARCHAR(255) NULL",
+         "UPDATE markdown_patch SET last_modified_by = 'admin' WHERE last_modified_by IS NULL"),
+    ]
+    try:
+        with engine.begin() as conn:
+            for table, column, ddl, backfill in steps:
+                if not _column_exists(conn, table, column):
+                    conn.execute(text(ddl))
+                    if backfill:
+                        conn.execute(text(backfill))
+                    print(f"[ x ] migrated {table}.{column}")
+            # Unique constraint on apikey.alias once it is populated.
+            if not _index_exists(conn, "apikey", "uq_apikey_alias"):
+                conn.execute(text(
+                    "ALTER TABLE apikey ADD CONSTRAINT uq_apikey_alias UNIQUE (alias)"
+                ))
+                print("[ x ] migrated apikey.alias unique constraint")
+    except Exception as e:
+        # Don't block startup on a migration hiccup; surface loudly.
+        print(f"[ ! ] run_migrations error (continuing): {e}")
+
+
 def setup_db():
     if DB_SCHEMA_UPDATED:
         clear_db()
         print("[ x ] db cleared")
     create_all()
     print("[ x ] db created")
+    run_migrations()
+    print("[ x ] db migrations applied")
     run_scripts()
     print("[ x ] db scripts executed")
     init_payload()