From 7a9ae3157f95e194fafc1572be880fed4e110f01 Mon Sep 17 00:00:00 2001 
From: shankar0123 Date: Tue, 5 May 2026 21:03:18 +0000 Subject: [PATCH] fix(seed): repair deployment_targets FK violation crashing fresh demo boot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Rank 5 cloud-target seed rows in `seed_demo.sql` referenced a non-existent `ag-server` agent_id. On every fresh-clone `docker compose -f deploy/docker-compose.yml -f deploy/docker-compose.demo.yml up` the server crash-looped at the demo-seed step: pq: insert or update on table "deployment_targets" violates foreign key constraint "deployment_targets_agent_id_fkey" Origin: commit 9a7e818 ("docs, seed: cloud-target operator runbook + AWS ACM / Azure KV demo seed rows") added the rows but didn't insert or rebind to a matching agents row. The `ag-server` ID never existed in seed_demo.sql or anywhere else. Fix: bind the two cloud targets to the existing cloud sentinel agents that were already inserted at lines 78-79 (alongside `cloud-gcp-sm`): - tgt-aws-acm-prod → cloud-aws-sm - tgt-azure-kv-prod → cloud-azure-kv These cloud sentinels were inserted in commit 9a7e818's same family specifically to back agentless cloud targets — exact semantic match. Why the existing test didn't catch this: TestRunDemoSeed_AppliesIdempotently in internal/repository/postgres/seed_test.go calls the same RunSeed + RunDemoSeed pair the server uses at boot, so it WOULD have caught the FK violation. But the test depends on a live PostgreSQL container via testcontainers-go and is gated under `testing.Short()` → the default `go test ./... -short` lane that `make verify` runs always skipped it. The dedicated integration lane that strips `-short` either wasn't run on commit 9a7e818 or the failure was missed. Promoting the test out from under `-short` is a separate hardening conversation (CI runs need docker-in-docker which isn't free); that's out of scope for this hotfix. 
Static FK audit confirms the fix: Defined agent IDs (12): ag-{data,iis,k8s,lb,mac-dev}-prod, ag-edge-01, ag-web-prod, ag-web-staging, cloud-{aws-sm,azure-kv,gcp-sm}, server-scanner Referenced agent_id values in deployment_targets after fix: ag-data-prod, ag-edge-01, ag-iis-prod, ag-k8s-prod, ag-lb-prod, ag-web-prod, ag-web-staging, cloud-aws-sm, cloud-azure-kv Unresolved: zero. Acceptance gate (operator-side): - docker compose -f deploy/docker-compose.yml \ -f deploy/docker-compose.demo.yml up -d --build against a fresh clone — server boots clean within 30s, dashboard at https://localhost:8443 shows the seeded demo data. --- migrations/seed_demo.sql | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/migrations/seed_demo.sql b/migrations/seed_demo.sql index 6e8e91d..d137f0b 100644 --- a/migrations/seed_demo.sql +++ b/migrations/seed_demo.sql 
@@ -95,8 +95,18 @@ INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, creat
 -- Rank 5 cloud target seed rows (2026-05-03 Infisical deep-research deliverable).
 -- AWS ACM and Azure Key Vault demo targets so QA can exercise the wiring
 -- end-to-end without standing up a real cloud account.
- ('tgt-aws-acm-prod', 'AWS ACM Production', 'AWSACM', 'ag-server', '{"region": "us-east-1", "tags": {"env": "production", "app": "api-gateway"}}', true, NOW() - INTERVAL '7 days', NOW()),
- ('tgt-azure-kv-prod', 'Azure KeyVault Prod', 'AzureKeyVault', 'ag-server', '{"vault_url": "https://prod-vault.vault.azure.net", "certificate_name": "api-prod", "credential_mode": "managed_identity", "tags": {"env": "production"}}', true, NOW() - INTERVAL '7 days', NOW())
+ --
+ -- 2026-05-05 fresh-clone repair: pre-fix these rows pointed at a
+ -- non-existent `ag-server` agent_id and the demo seed crashed with
+ -- `pq: insert or update on table "deployment_targets" violates foreign
+ -- key constraint "deployment_targets_agent_id_fkey"` on every fresh
+ -- `docker compose -f deploy/docker-compose.yml -f deploy/docker-compose.demo.yml up`.
+ -- Bound the AWS target to the existing cloud-aws-sm sentinel agent and
+ -- the Azure target to cloud-azure-kv (both inserted at lines 78-79
+ -- alongside cloud-gcp-sm). These cloud sentinels exist precisely for
+ -- agentless cloud targets — semantic match.
+ ('tgt-aws-acm-prod', 'AWS ACM Production', 'AWSACM', 'cloud-aws-sm', '{"region": "us-east-1", "tags": {"env": "production", "app": "api-gateway"}}', true, NOW() - INTERVAL '7 days', NOW()),
+ ('tgt-azure-kv-prod', 'Azure KeyVault Prod', 'AzureKeyVault', 'cloud-azure-kv', '{"vault_url": "https://prod-vault.vault.azure.net", "certificate_name": "api-prod", "credential_mode": "managed_identity", "tags": {"env": "production"}}', true, NOW() - INTERVAL '7 days', NOW())
 ON CONFLICT (id) DO NOTHING;
 -- ============================================================
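Review bot: The rebound Azure row keeps `"vault_url": "https://prod-vault.vault.azure.net"` together with `"credential_mode": "managed_identity"` and `enabled = true`; Key Vault names are globally unique DNS labels, so this demo target points at a hostname a real tenant may own, and if the AzureKeyVault adapter acts on enabled targets while a demo happens to run with an Azure identity attached (not visible here — verify against the adapter), it would call out to someone else's vault. Prefer a name that cannot resolve to a third party, e.g. `"vault_url": "https://demo-vault.vault.azure.invalid"`, unless the adapter validates the `.vault.azure.net` suffix, in which case pick a clearly fictitious vault name instead. The nine-line repair comment duplicates the commit message and pins `lines 78-79`, which will rot on the next edit above it; a single why-line such as `-- agentless cloud targets bind to the cloud-* sentinel agents seeded above (FK deployment_targets_agent_id_fkey)` is enough, and git blame carries the rest. The enclosing INSERT starts before this hunk, so the other rows it inserts are not visible here.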