Closes the bootstrap gap two parallel QA agents surfaced on 2026-04-22:
fresh Authority DBs lacked the `default` tenant row so setup-wizard admin
creation failed with users_tenant_id_fkey and /connect/token returned
invalid_grant. Fix is on the migration path per AGENTS.md §2.7; the init
script stays seeds-only as established in SPRINT_20260422_003.
- New embedded migration 003_seed_default_tenants.sql performs
`INSERT ... ON CONFLICT (tenant_id) DO NOTHING` for `default` and
`installation`. Numeric prefix (not S-prefix) so the migration runner's
Startup category auto-applies it; S-prefix files route to Seed category
which is intentionally manual-only per
StartupMigrationHost.cs:158.
- `default` is strictly required (Authority's
StandardPluginBootstrapper.DefaultTenantId; /internal/users bootstrap
inserts under this FK). `installation` is not Authority-FK-referenced
today but matches the empirical workaround both QA agents converged on
and serves as defense for cross-service inserts that join
authority.tenants.tenant_id.
Fresh-volume verification (docs/qa/authority-default-tenant-20260422/):
1. docker compose down -v (20 volumes removed incl. compose_postgres-data)
2. docker compose up -d — 62 containers, Authority healthy in ~15s.
3. Startup log: applying 001 (144ms) → 002 (13ms) → 003 (7ms).
authority.tenants contains default + installation.
4. POST /api/v1/setup/sessions → 201; database/valkey/migrations prereqs
ran; admin/execute with admin/Admin@Stella2026! → 200 "Bootstrap
administrator 'admin' ensured successfully."
5. POST /connect/token (password, stellaops-cli, ui.admin openid) → 200
+ JWT carrying role=admin, stellaops:tenant=default.
6. docker compose restart authority → "Database is up to date for
Authority." Clean no-op.
Docs: docs/modules/authority/architecture.md §1.1 "Seeded bootstrap
tenants (migration-owned)". Cross-link added to the archived prior
sprint's Decisions & Risks so the lineage is traceable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
47665927ab