chore(dev): Add dev cluster seed bootstrap #2556
Merged
daryllimyt merged 2 commits into main from Apr 22, 2026
✅ No security or compliance issues detected. Reviewed everything up to cd80139.
1 issue found across 5 files
Confidence score: 3/5
- There is a concrete regression risk in `packages/tracecat-admin/tracecat_admin/services/bootstrap.py`: the upsert lookup ignores `organization_id`, which can match the wrong row and overwrite role assignments across organizations.
- Because this is a medium-severity (6/10) issue with high confidence (8/10) and affects authorization-related data scoping, the merge risk is moderate rather than minimal.
- This should be addressed before relying on bootstrap role assignment behavior in multi-organization environments.
- Pay close attention to `packages/tracecat-admin/tracecat_admin/services/bootstrap.py` - ensure the `WHERE` clause includes `organization_id` so updates are correctly tenant-scoped.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/tracecat-admin/tracecat_admin/services/bootstrap.py">
<violation number="1" location="packages/tracecat-admin/tracecat_admin/services/bootstrap.py:385">
P2: The `organization_id` parameter is not used in the lookup query, so the upsert can match and overwrite a role assignment from a different organization. Add `organization_id` to the `WHERE` clause to scope the check correctly.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
jordan-umusu approved these changes Apr 22, 2026
Summary
- [email protected]) and a tenant dev user ([email protected]).
- `just cluster up` seed by default, while `--no-seed` skips it and attached mode keeps compose logs attached immediately via a background seeder.
- `--default-tier-entitlements all|none|a,b`, defaulting to all known entitlement enum values.
- `[dev-seed]` so it is distinguishable from app/container logs.
Why
Platform superusers can no longer enter tenant context, so local dev clusters need a first-class way to create both a platform SU and a normal tenant user without manually doing the tenant invite flow.
Validation
- `shellcheck -x scripts/cluster`
- `bash -n scripts/cluster`
- `uv run ruff check .`
- `uv run basedpyright packages/tracecat-admin/tracecat_admin/services/bootstrap.py packages/tracecat-admin/tracecat_admin/commands/admin.py packages/tracecat-admin/tests/test_admin_commands.py packages/tracecat-admin/tests/test_cli.py`
- `uv run pytest packages/tracecat-admin/tests/test_admin_commands.py::TestCreateDevUser packages/tracecat-admin/tests/test_cli.py::TestAdminCommands::test_admin_help`
Pre-commit hooks also passed during commit.
Summary by cubic
Adds a dev cluster seeding flow that creates a platform superuser and a tenant dev user by default, plus a `tracecat admin create-dev-user` command to bootstrap local environments fast. Also scopes role assignment upserts to the organization to avoid cross-org matches during seeding.
New Features
- `scripts/cluster up` (dev profile) now auto-seeds: superuser [email protected] and tenant [email protected]. Use `--no-seed` to skip. Supports `--default-tier-entitlements all|none|a,b` (default: `all`). Attached mode keeps logs; a background seeder waits for API readiness. Output is prefixed with `[dev-seed]`.
- `tracecat admin create-dev-user` CLI command with options for user creds, superuser creds, entitlements, and role slugs. Enforces 12+ char passwords and prints colorized seed logs.
- `tracecat_admin.services.bootstrap.create_dev_user` flow: bypasses RLS to ensure default organization, default tier + entitlements, org/workspace memberships, and role assignments. Supports `organization-owner` and `workspace-admin` (configurable).
Bug Fixes
- `_ensure_role_assignment` to prevent cross-organization matches. Test coverage added.
Written for commit cd80139. Summary will update on new commits.
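The cross-organization match that the review comment and the Bug Fixes note describe for the role-assignment upsert, as an added example that is not Tracecat's code. The table, the `ensure_role_assignment` and `seed_org_b` functions, the org and user ids, and the `organization-member` slug are hypothetical stand-ins; `scoped=False` reproduces a lookup that ignores `organization_id`.

```python
import sqlite3

# Hypothetical table; the project's real schema is not shown on this page.
SCHEMA = """
CREATE TABLE role_assignment (
    id              INTEGER PRIMARY KEY,
    organization_id TEXT NOT NULL,
    user_id         TEXT NOT NULL,
    role_slug       TEXT NOT NULL
);
"""

# Lookup that ignores organization_id (the behaviour the review flags).
LOOKUP_UNSCOPED = "SELECT id FROM role_assignment WHERE user_id = ?"
# Tenant-scoped lookup: the organization is part of the match key.
LOOKUP_SCOPED = LOOKUP_UNSCOPED + " AND organization_id = ?"


def ensure_role_assignment(conn, organization_id, user_id, role_slug, *, scoped=True):
    """Upsert one role assignment; returns the id of the row written."""
    if scoped:
        row = conn.execute(LOOKUP_SCOPED, (user_id, organization_id)).fetchone()
    else:
        row = conn.execute(LOOKUP_UNSCOPED, (user_id,)).fetchone()
    if row is None:
        cur = conn.execute(
            "INSERT INTO role_assignment (organization_id, user_id, role_slug)"
            " VALUES (?, ?, ?)",
            (organization_id, user_id, role_slug),
        )
        return cur.lastrowid
    conn.execute("UPDATE role_assignment SET role_slug = ? WHERE id = ?",
                 (role_slug, row[0]))
    return row[0]


def seed_org_b(scoped):
    """Constructed scenario: user-1 already has a role in org-a, then org-b is seeded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ensure_role_assignment(conn, "org-a", "user-1", "organization-member")
    ensure_role_assignment(conn, "org-b", "user-1", "organization-owner", scoped=scoped)
    return conn.execute(
        "SELECT organization_id, role_slug FROM role_assignment ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    print("unscoped:", seed_org_b(scoped=False))  # org-a row is overwritten
    print("scoped:  ", seed_org_b(scoped=True))   # one row per organization
```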