refactor: Move demo user seeding to post-provisioning hook

bjcoombs · bjcoombs · commit 817ec45138b0 · 2026-04-06T09:39:56.000+01:00
SeedDemoUsers ran at startup (wire_services.go:102) before tenant
schemas were provisioned. On deploys that drop and recreate schemas,
the provisioning worker takes 30-60s after boot to apply migrations,
so the startup seeder consistently failed with "relation identity
does not exist" and the demo user was never created.

Move demo user seeding to a post-provisioning hook registered as
"demo-operator" in the provisioning worker's hook chain. This
guarantees the identity schema exists before the seeder runs - the
hook fires after all service migrations complete for each tenant.

The hook reads DEMO_OPERATOR_EMAIL, DEMO_OPERATOR_PASSWORD, and
DEMO_OPERATOR_TENANT at registration time and builds a tenant lookup
set. For each provisioned tenant, it checks membership in the set
and seeds the demo user only for matching tenants. If the env vars
are not set, the hook is a silent no-op (safe for production).

SeedDemoUsers remains exported for tests and manual invocation but
is no longer called from the startup path.
diff --git a/cmd/meridian/wire_services.go b/cmd/meridian/wire_services.go
@@ -97,11 +97,10 @@ func registerServices(
 		logger.Warn("identity bootstrap failed, service startup continues", "error", err)
 	}
 
-	// Seed demo users (operator, etc.) from environment variables.
-	// No-op if env vars are not set. Idempotent on every boot.
-	if err := identitybootstrap.SeedDemoUsers(ctx, identityRepo); err != nil {
-		logger.Warn("demo user seeding failed, service startup continues", "error", err)
-	}
+	// Demo user seeding moved to post-provisioning hook ("demo-operator")
+	// registered in startProvisioningWorker. This ensures demo users are
+	// seeded after tenant schemas exist, not at startup when schemas may
+	// not yet be provisioned.
 
 	// Tier 1: Depend on Tier 0 via loopback
 	for _, wire := range []struct {
@@ -195,6 +194,8 @@ func createSchemaProvisioner(baseDSN string, platformDB *gorm.DB, logger *slog.L
 //  3. saga-definitions: Seeds platform default saga scripts into tenant schema
 //  4. account-type-blueprints: Seeds canonical account type blueprints
 //  5. valuation-defaults: Seeds system valuation methods and policies
+//  6. self-registered-admin: Creates admin identity from registration metadata
+//  7. demo-operator: Seeds demo user from DEMO_OPERATOR_* env vars (no-op in production)
 //
 // All hooks are fail-hard: any failure prevents tenant activation.
 func startProvisioningWorker(ctx context.Context, prov *tenantprovisioner.PostgresProvisioner, conns *serviceConns, logger *slog.Logger) (*tenantworker.ProvisioningWorker, func(), error) {
@@ -253,6 +254,11 @@ func startProvisioningWorker(ctx context.Context, prov *tenantprovisioner.Postgr
 	}
 	w.RegisterPostProvisioningHook("self-registered-admin", selfRegHook.AsPostProvisioningHook())
 
+	// Demo operator: seeds demo user identities configured via DEMO_OPERATOR_*
+	// env vars. No-op if env vars are not set (safe for production). Must run
+	// after admin-identity so the identity schema is guaranteed to exist.
+	w.RegisterPostProvisioningHook("demo-operator", identitybootstrap.AsDemoUserHook(identityRepo))
+
 	go w.Start(ctx)
 	logger.Info("provisioning worker started")
 
diff --git a/services/identity/bootstrap/bootstrap.go b/services/identity/bootstrap/bootstrap.go
@@ -415,3 +415,35 @@ func buildRoleAssignments(tid tenant.TenantID, identityID uuid.UUID, roles []aut
 	}
 	return assignments
 }
+
+// AsDemoUserHook returns a post-provisioning hook that seeds demo operator
+// identities into newly provisioned tenant schemas.
+//
+// The hook reads demo user configuration from environment variables
+// (DEMO_OPERATOR_EMAIL, DEMO_OPERATOR_PASSWORD, DEMO_OPERATOR_TENANT).
+// If the env vars are not set, the hook is a silent no-op - safe for
+// production. For each provisioned tenant, the hook checks whether the
+// tenant is in the configured DEMO_OPERATOR_TENANT list and seeds the
+// demo user only for matching tenants.
+//
+// Usage:
+//
+//	repo := persistence.NewRepository(db)
+//	worker.RegisterPostProvisioningHook("demo-operator", bootstrap.AsDemoUserHook(repo))
+func AsDemoUserHook(repo domain.Repository) func(ctx context.Context, tenantID tenant.TenantID) error {
+	// Load config once at registration time, not per invocation.
+	users := loadDemoUsers()
+	// Build a lookup set of tenant IDs that need demo users.
+	tenantSet := make(map[string]DemoUser, len(users))
+	for _, u := range users {
+		tenantSet[u.TenantID] = u
+	}
+
+	return func(ctx context.Context, tenantID tenant.TenantID) error {
+		u, ok := tenantSet[string(tenantID)]
+		if !ok {
+			return nil // this tenant is not configured for demo users
+		}
+		return seedDemoUser(ctx, repo, u)
+	}
+}
