
fix(rbac): scope seeding for new orgs #2176

Merged
topher-lo merged 2 commits into main from fix/org-scope-seeding on Feb 25, 2026

Conversation

@jordan-umusu (Collaborator) commented Feb 24, 2026

Summary

  • System roles (admin, editor, viewer, etc.) and their scope assignments were only seeded at API startup, meaning any org created after boot wouldn't get its preset roles
    until the next restart
  • Extracted seed_system_roles_for_org() from the bulk startup seeder and call it in ensure_organization_defaults(), so roles are upserted at org creation time
  • Fully idempotent — existing roles get name/description updated via ON CONFLICT DO UPDATE, existing role-scope links are skipped via ON CONFLICT DO NOTHING

QA

  • Create a new org via the admin API — verify it immediately has all preset roles (organization-owner, organization-admin, organization-member, workspace-admin,
    workspace-editor, workspace-viewer) with correct scope assignments
  • Restart the API — verify no duplicate roles or scope links are created for existing orgs
  • Verify existing org creation flows (default org bootstrap, ensure_default_organization) still work

Summary by cubic

Fixes RBAC scope seeding for new organizations by seeding preset roles and role-scope links during org initialization. Commits the default workspace and seeded roles before tier assignment so new orgs have complete roles and permissions immediately.

  • Bug Fixes

    • Seed system roles and global scope assignments during org init; commit workspace and roles before tier assignment for immediate availability.
    • Fix missing role-scope links in new orgs that caused permission checks to fail.
  • Refactors

    • Added seed_system_roles_for_org and reused it in seed_system_roles_for_all_orgs.
    • Scoped upserts to a single org; remains idempotent.

Written for commit aae6f27.

@jordan-umusu jordan-umusu marked this pull request as ready for review February 24, 2026 21:44
@cubic-dev-ai (bot) left a comment

No issues found across 2 files

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 33506eb998


@cubic-dev-ai (bot) left a comment

1 issue found across 1 file (changes from recent commits).

<file name="tracecat/organization/management.py">

<violation number="1" location="tracecat/organization/management.py:74">
P2: Committing inside ensure_organization_defaults breaks transaction boundaries for callers and can leave partially-initialized orgs if later steps fail. Prefer letting the caller manage the commit and keep defaults initialization atomic.</violation>
</file>

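A worked illustration of the two points raised in this thread (the idempotent per-org seeding the PR describes and the transaction-boundary concern in the cubic review), as an added example rather than Tracecat's own code. It runs against an in-memory SQLite database so it works offline, with SQLite's ON CONFLICT clauses standing in for the PostgreSQL upserts the PR describes. The table names and columns, the preset role list, the tier step and the two create_org_* variants are assumptions made for the example, not the project's real schema or functions.

```python
"""Per-org role seeding made idempotent, and what a commit inside the helper costs.

Added example, not Tracecat's code. Uses stdlib sqlite3 so it runs offline; SQLite's
ON CONFLICT clauses mirror the PostgreSQL upsert forms the PR describes. Table names,
columns, the preset role list and the tier step are assumptions for illustration.
"""
import sqlite3

# Assumed preset roles: name -> (description, scopes). Not the project's real list.
PRESET_ROLES = {
    "organization-owner": ("Owner", {"org:read", "org:write", "org:admin"}),
    "organization-admin": ("Admin", {"org:read", "org:write"}),
    "organization-member": ("Member", {"org:read"}),
    "workspace-admin": ("Workspace admin", {"ws:read", "ws:write", "ws:admin"}),
    "workspace-editor": ("Workspace editor", {"ws:read", "ws:write"}),
    "workspace-viewer": ("Workspace viewer", {"ws:read"}),
}

SCHEMA = """
CREATE TABLE organizations (id TEXT PRIMARY KEY);
CREATE TABLE roles (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, name TEXT NOT NULL,
                    description TEXT NOT NULL, UNIQUE (org_id, name));  -- upsert target
CREATE TABLE role_scopes (role_id INTEGER NOT NULL, scope TEXT NOT NULL,
                          PRIMARY KEY (role_id, scope));              -- DO NOTHING target
CREATE TABLE org_tiers (org_id TEXT PRIMARY KEY, tier TEXT NOT NULL);
"""


def connect() -> sqlite3.Connection:
    """In-memory DB with no implicit transactions, so BEGIN/COMMIT below are explicit."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None
    conn.executescript(SCHEMA)
    return conn


def seed_system_roles_for_org(conn, org_id: str, presets=PRESET_ROLES) -> None:
    """Upsert preset roles and their scope links for one org; safe at creation and on every restart."""
    for name, (description, scopes) in presets.items():
        # Existing role keeps its id and gets its description refreshed (DO UPDATE)
        conn.execute(
            "INSERT INTO roles (org_id, name, description) VALUES (?, ?, ?) "
            "ON CONFLICT(org_id, name) DO UPDATE SET description = excluded.description",
            (org_id, name, description),
        )
        (role_id,) = conn.execute(
            "SELECT id FROM roles WHERE org_id = ? AND name = ?", (org_id, name)
        ).fetchone()
        # Existing role-scope link is left alone (DO NOTHING), so no duplicates accumulate
        conn.executemany(
            "INSERT INTO role_scopes (role_id, scope) VALUES (?, ?) ON CONFLICT DO NOTHING",
            [(role_id, scope) for scope in sorted(scopes)],
        )


def assign_tier(conn, org_id: str, tier: str) -> None:
    """Stand-in for the tier-assignment step that runs after defaults are seeded."""
    if tier == "invalid":
        raise ValueError("unknown tier")  # simulates a downstream failure
    conn.execute("INSERT INTO org_tiers (org_id, tier) VALUES (?, ?)", (org_id, tier))


def create_org_commit_inside(conn, org_id: str, tier: str) -> None:
    """The shape the review flagged: defaults are committed before the tier step runs."""
    conn.execute("BEGIN")
    conn.execute("INSERT INTO organizations (id) VALUES (?)", (org_id,))
    seed_system_roles_for_org(conn, org_id)
    conn.execute("COMMIT")            # the helper commits on its own
    assign_tier(conn, org_id, tier)   # if this raises, the org is persisted without a tier


def create_org_caller_commits(conn, org_id: str, tier: str) -> None:
    """Caller owns the transaction: org, roles, links and tier land together or not at all."""
    conn.execute("BEGIN")
    try:
        conn.execute("INSERT INTO organizations (id) VALUES (?)", (org_id,))
        seed_system_roles_for_org(conn, org_id)
        assign_tier(conn, org_id, tier)
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise


def org_state(conn, org_id: str):
    """(org exists, role count, role-scope link count, tier or None) for one org."""
    exists = conn.execute("SELECT 1 FROM organizations WHERE id = ?", (org_id,)).fetchone()
    (n_roles,) = conn.execute("SELECT COUNT(*) FROM roles WHERE org_id = ?", (org_id,)).fetchone()
    (n_links,) = conn.execute(
        "SELECT COUNT(*) FROM role_scopes rs JOIN roles r ON r.id = rs.role_id WHERE r.org_id = ?",
        (org_id,),
    ).fetchone()
    row = conn.execute("SELECT tier FROM org_tiers WHERE org_id = ?", (org_id,)).fetchone()
    return exists is not None, n_roles, n_links, row[0] if row else None


def role_description(conn, org_id: str, name: str) -> str:
    return conn.execute(
        "SELECT description FROM roles WHERE org_id = ? AND name = ?", (org_id, name)
    ).fetchone()[0]


if __name__ == "__main__":
    db = connect()
    create_org_caller_commits(db, "org-a", "free")
    seed_system_roles_for_org(db, "org-a")      # "restart": same 6 roles, 12 links
    print("org-a", org_state(db, "org-a"))
    try:
        create_org_commit_inside(db, "org-b", "invalid")
    except ValueError:
        print("org-b", org_state(db, "org-b"))  # persisted with roles but no tier
```

Run as a script it shows the seeder converging on the same 6 roles and 12 scope links however often it is called, and that an org created through the commit-inside variant survives a failed tier step as a half-initialized row with no tier, while the caller-managed variant rolls the whole creation back.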

@topher-lo topher-lo added the fix Bug fix label Feb 25, 2026
@topher-lo (Contributor) left a comment

Consider replacing the API startup check with an API endpoint (e.g. /roles/reset?) for platform admins to hard seed / reset org roles from the UI if for any reason they get corrupted.

@topher-lo topher-lo merged commit 239a302 into main Feb 25, 2026
18 checks passed
@topher-lo topher-lo deleted the fix/org-scope-seeding branch February 25, 2026 15:12