feat(api): sync ADMIN_EMAILS users with admin role at startup (#32)

Add sync_admin_users() that runs at every startup to ensure users
configured in ADMIN_EMAILS always have the admin role, even if
their role was accidentally changed in the database.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Clément VALENTIN <clement.valentin@blacktiger.tech>
Co-authored-by: Claude <noreply@anthropic.com>

Author: 3 people

apps/api/src/models/database.py

@@ -21,6 +21,10 @@ async def init_db() -> None:
         await conn.run_sync(Base.metadata.create_all)
 
     # Seed default roles and permissions
-    from .seed import init_default_roles_and_permissions
+    from .seed import init_default_roles_and_permissions, sync_admin_users
     async with async_session_maker() as session:
         await init_default_roles_and_permissions(session)
+
+    # Ensure ADMIN_EMAILS users have admin role (runs every startup)
+    async with async_session_maker() as session:
+        await sync_admin_users(session)

apps/api/src/models/seed.py

@@ -3,6 +3,7 @@
 
 This module provides functions to initialize default roles and permissions
 in the database when the application starts for the first time.
+It also ensures ADMIN_EMAILS users always have the admin role.
 """
 
 import logging
@@ -185,3 +186,72 @@ async def init_default_roles_and_permissions(db: AsyncSession) -> None:
         logger.error(f"[SEED] Error initializing roles and permissions: {e}")
         await db.rollback()
         raise
+
+
+async def sync_admin_users(db: AsyncSession) -> None:
+    """
+    Ensure all users in ADMIN_EMAILS have the admin role.
+
+    This function runs at every startup to guarantee that configured
+    admin emails always have admin privileges, even if their role
+    was accidentally changed.
+    """
+    from ..config import settings
+    from .user import User
+
+    if not settings.ADMIN_EMAILS:
+        logger.info("[SEED] No ADMIN_EMAILS configured, skipping admin sync")
+        return
+
+    try:
+        # Get admin role
+        result = await db.execute(select(Role).where(Role.name == "admin"))
+        admin_role = result.scalar_one_or_none()
+
+        if not admin_role:
+            logger.warning("[SEED] Admin role not found, cannot sync admin users")
+            return
+
+        # Parse admin emails
+        admin_emails = [e.strip().lower() for e in settings.ADMIN_EMAILS.split(",") if e.strip()]
+
+        if not admin_emails:
+            return
+
+        logger.info(f"[SEED] Syncing admin role for {len(admin_emails)} configured admin(s)...")
+
+        updated_count = 0
+        for email in admin_emails:
+            # Find user by email (case-insensitive)
+            result = await db.execute(
+                select(User).where(User.email.ilike(email))
+            )
+            user = result.scalar_one_or_none()
+
+            if not user:
+                logger.debug(f"[SEED] Admin user not found (not yet registered): {email}")
+                continue
+
+            # Check if user needs update
+            needs_update = False
+            if user.role_id != admin_role.id:
+                user.role_id = admin_role.id
+                needs_update = True
+            if not user.is_admin:
+                user.is_admin = True
+                needs_update = True
+
+            if needs_update:
+                updated_count += 1
+                logger.info(f"[SEED] Admin role assigned to: {user.email}")
+
+        if updated_count > 0:
+            await db.commit()
+            logger.info(f"[SEED] Admin sync complete: {updated_count} user(s) updated")
+        else:
+            logger.info("[SEED] Admin sync complete: all admin users already have correct role")
+
+    except Exception as e:
+        logger.error(f"[SEED] Error syncing admin users: {e}")
+        await db.rollback()
+        raise