wip: checking in

Author: jmgilman

services/api/cmd/api/bootstrap.go

@@ -10,8 +10,8 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	authseed "github.com/input-output-hk/catalyst-forge/services/api/internal/auth"
 	rbacgorm "github.com/input-output-hk/catalyst-forge/services/api/internal/authkit/rbac/gormstore"
-	rbacseed "github.com/input-output-hk/catalyst-forge/services/api/internal/authkit/rbacseed"
 	akgormstore "github.com/input-output-hk/catalyst-forge/services/api/internal/authkit/store/gormstore"
 	"github.com/input-output-hk/catalyst-forge/services/api/internal/config"
 	argomodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/argo"
@@ -21,6 +21,7 @@ import (
 	deploymentmodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/deployment"
 	environmentmodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/environment"
 	gitopsmodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/gitops"
+	orgmodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/org"
 	projectmodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/project"
 	releasemodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/release"
 	repositorymodels "github.com/input-output-hk/catalyst-forge/services/api/internal/models/repository"
@@ -94,6 +95,8 @@ func openDB(cfg config.Config, logger *slog.Logger) (*gorm.DB, error) {
 func runMigrations(db *gorm.DB) error {
 	// Core API models - All new models from Phase 1-4 implementation
 	if err := db.AutoMigrate(
+		// Organizations
+		&orgmodels.Organization{},
 		// Audit models
 		&adm.Log{},
 
@@ -216,19 +219,27 @@ func initRBAC(ctx context.Context, db *gorm.DB, cfg config.Config, logger *slog.
 		}
 		return
 	}
+
+	// Ensure admin role always exists independently of other seeds
+	if err := authseed.EnsureAdminRole(ctx, store); err != nil {
+		if logger != nil {
+			logger.Error("RBAC admin role seeding failed", "error", err)
+		}
+	}
+
 	if !cfg.Auth.RBACSeedDefaults {
 		if logger != nil {
-			logger.Info("RBAC seeding skipped by config")
+			logger.Info("RBAC default role seeding skipped by config")
 		}
 		return
 	}
 	if logger != nil {
 		logger.Info("Seeding default RBAC roles")
 	}
 	// Idempotent seeding; bump versions on change
-	if err := rbacseed.SeedDefaultRoles(ctx, store, true); err != nil {
+	if err := authseed.SeedDefaultRoles(ctx, store, true); err != nil {
 		if logger != nil {
-			logger.Error("RBAC seeding failed", "error", err)
+			logger.Error("RBAC default role seeding failed", "error", err)
 		}
 	}
 }

services/api/cmd/api/config_loader.go

@@ -26,6 +26,7 @@ func initViper(cfgFile string) {
 	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 	// Ensure critical keys resolve from environment during Unmarshal
 	_ = viper.BindEnv("auth.bootstraptoken")
+	_ = viper.BindEnv("auth.rbacseeddefaults")
 
 	if err := viper.ReadInConfig(); err == nil {
 		fmt.Println("Using config file:", viper.ConfigFileUsed())

services/api/cmd/api/flags.go

@@ -119,7 +119,7 @@ func bindRunFlags() {
 	_ = viper.BindPFlag("auth.signingkeypem", runCmd.Flags().Lookup("auth-signing-key-pem"))
 	_ = viper.BindPFlag("auth.signingkeykid", runCmd.Flags().Lookup("auth-signing-key-kid"))
 	_ = viper.BindPFlag("auth.csrfsecret", runCmd.Flags().Lookup("auth-csrf-secret"))
-	// Intentionally avoid binding bootstrap-token to Viper to let ENV/Config take precedence
+	_ = viper.BindPFlag("auth.rbacseeddefaults", runCmd.Flags().Lookup("auth-rbac-seed-defaults"))
 
 	_ = viper.BindPFlag("auth.github.enabled", runCmd.Flags().Lookup("auth-github-enabled"))
 	_ = viper.BindPFlag("auth.github.issuer", runCmd.Flags().Lookup("auth-github-issuer"))