diff --git a/bundles/left4me/README.md b/bundles/left4me/README.md index 3385156..f6f4308 100644 --- a/bundles/left4me/README.md +++ b/bundles/left4me/README.md @@ -70,12 +70,15 @@ from defaults. None of these need to be declared per-node. - **CAKE shaping is configured separately**, via `network//cake` on the node (consumed by `bundles/network/`), not by this bundle. -- **First-run admin user is manual.** After `bw apply`, run on the host: - `sudo -u left4me sh -c '. /etc/left4me/host.env && . /etc/left4me/web.env && - LEFT4ME_ADMIN_PASSWORD= /opt/left4me/.venv/bin/flask - --app l4d2web.app:create_app create-user --admin'`. - The bundle deliberately doesn't seed an admin to keep credentials out - of the metadata pipeline. +- **First-run admin user is manual.** After `bw apply`, ssh to the host and + bootstrap the admin via the `left4me` wrapper (it sources the env files, + drops to the `left4me` user, and runs the flask CLI): + `sudo left4me create-user --admin` (prompts for password via + the flask CLI, or set `LEFT4ME_ADMIN_PASSWORD` first). The bundle + deliberately doesn't seed an admin to keep credentials out of the + metadata pipeline. The same `left4me` wrapper accepts any other flask + subcommand: `sudo left4me seed-script-overlays `, + `sudo left4me routes`, `sudo left4me shell`, etc. - **CPU isolation drop-ins are not managed by this bundle.** The upstream shell deploy generated `/etc/systemd/system/system.slice.d/ 99-left4me-cpuset.conf` (and siblings for user/build/game slices) diff --git a/bundles/left4me/files/usr/local/sbin/left4me b/bundles/left4me/files/usr/local/sbin/left4me new file mode 100644 index 0000000..7a106d3 --- /dev/null +++ b/bundles/left4me/files/usr/local/sbin/left4me 
@@ -0,0 +1,17 @@ +#!/bin/sh +# Run l4d2web flask CLI commands as the left4me user with the deploy env loaded. +# Usage: left4me [args...] +# Examples: +# left4me create-user alice --admin +# left4me seed-script-overlays /opt/left4me/src/examples/script-overlays +# left4me routes +set -eu +exec sudo -u left4me sh -c ' + set -a + . /etc/left4me/host.env + . /etc/left4me/web.env + set +a + export JOB_WORKER_ENABLED=false + export PYTHONPATH=/opt/left4me/src + exec /opt/left4me/.venv/bin/flask --app l4d2web.app:create_app "$@" +' sh "$@" diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py index 5cc5ce4..02c3137 100644 --- a/bundles/left4me/items.py +++ b/bundles/left4me/items.py @@ -68,6 +68,11 @@ HELPERS = ( ) files = { + '/usr/local/sbin/left4me': { + 'mode': '0755', + 'owner': 'root', + 'group': 'root', + }, **{ f'/usr/local/libexec/left4me/{h}': { 'source': f'usr/local/libexec/left4me/{h}',
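Review bot: In the README.md hunk, "or set `LEFT4ME_ADMIN_PASSWORD` first" does not say where to set it. A variable exported in the operator's shell has to survive two `sudo` hops (`sudo left4me`, then `sudo -u left4me` inside the wrapper), and with sudo's default `env_reset` it is dropped at the first one. Either document a route that works with the wrapper as written, or drop the alternative and keep only the prompt, which also keeps the password out of shell history. The wrapper's header comment shows `left4me create-user alice --admin` without `sudo` while the README uses `sudo left4me ...`; use one form in both places.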
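Review bot: In the new `usr/local/sbin/left4me` script, the inner `sh -c` never changes directory, so flask runs in whatever working directory the caller happened to be in, which may be unreadable to the `left4me` user or writable by someone else. Add a `cd /opt/left4me` (or another directory owned by the deploy) before `exec /opt/left4me/.venv/bin/flask ...` so the result does not depend on where the operator typed the command. The `export JOB_WORKER_ENABLED=false` line also needs a one-line comment saying why CLI runs turn the worker off.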
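Review bot: In the items.py hunk, the new `'/usr/local/sbin/left4me'` entry sets only `mode`, `owner` and `group`, while the neighbouring helper entries name their template explicitly with `'source': f'usr/local/libexec/left4me/{h}'`. The script was added at `files/usr/local/sbin/left4me`, so the entry depends on the default template lookup resolving to that nested path. Add `'source': 'usr/local/sbin/left4me'` to match the convention used just below it and make the mapping explicit.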