Require explicit FORGE_API_KEY at API startup

[SaltProphet]

Motivation

• Prevent accidental use of an insecure default API key and ensure the service is only usable when an operator explicitly configures credentials.
• Fail fast on startup when API key configuration is missing so deployments do not expose an unprotected API.
• Allow an explicit, opt-in local development mode only when FORGE_DEV_MODE is intentionally set.

Description

• Removed the previous insecure fallback and changed API key handling so API_KEY is initialized to None and populated during startup validation in startup_event in api.py.
• Implemented startup validation that reads FORGE_API_KEY, sets API_KEY when present, and raises a clear RuntimeError when the variable is missing or empty; when FORGE_DEV_MODE is explicitly enabled a non-production DEV_API_KEY is used with a printed warning.
• Added a readiness guard in the auth dependency get_api_key that returns 503 while API_KEY is not configured to prevent accepting requests before startup succeeds.
• Updated README.md and DEPLOYMENT.md with required FORGE_API_KEY setup instructions and a clear note about the explicit FORGE_DEV_MODE opt-in for local development; added new unit tests at tests/unit/test_api_startup_security.py covering the new behaviors.

Testing

• Ran the focused unit tests with pytest -q -o addopts='' tests/unit/test_api_startup_security.py, which passed (4 passed).
• An initial attempt to run the single test file with the repository default pytest configuration failed due to coverage-related pytest.ini addopts, so the targeted command above was used to run the new tests in isolation.

---

Codex Task

[Copilot]

Pull request overview

This PR tightens security for the FastAPI service by removing the insecure default API key behavior and requiring operators to explicitly configure FORGE_API_KEY (with an opt-in dev-mode fallback) before the API is considered ready.

Changes:

• Change API key initialization to None and enforce startup-time validation of FORGE_API_KEY (or explicit FORGE_DEV_MODE) in startup_event.
• Add an auth readiness guard to return 503 until the API key is configured.
• Add unit tests and update docs to reflect the new required environment variable behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
api.py	Enforces explicit API key configuration at startup; blocks auth until configured.
tests/unit/test_api_startup_security.py	Adds tests covering startup validation and readiness behavior.
README.md	Documents required FORGE_API_KEY / optional FORGE_DEV_MODE configuration.
DEPLOYMENT.md	Adds deployment guidance for required API environment variables.

[Copilot]

APIKeyHeader(..., auto_error=False) can yield None when the header is missing, but get_api_key currently types api_key as str and doesn’t explicitly handle the None case. Update the signature to accept Optional[str] (or APIKey | None) and return a clear 403/401 for missing credentials before comparing to API_KEY.

[Copilot]

Other unit tests in tests/unit/ are consistently marked with @pytest.mark.unit (e.g., tests/unit/test_utils.py). Consider marking this module/tests as unit as well (e.g., module-level pytestmark = pytest.mark.unit) so marker-based test selection remains consistent.

Suggested change

	pytestmark = pytest.mark.unit

[Copilot]

This section documents how to configure the server-side API key, but it doesn’t say how clients must present it (header name / request format). Please mention that requests must include the X-API-Key header set to the same value as FORGE_API_KEY (and how dev mode affects that), otherwise users won’t know how to authenticate.

[Copilot]

Like the README change, this deployment section explains setting FORGE_API_KEY but doesn’t mention how clients authenticate. Add a note that callers must send X-API-Key: <FORGE_API_KEY> with API requests so operators can validate deployments end-to-end.