Seeding global admin user to database #81

@sametekinpolat

Description

As a developer deploying the platform,
I want to run a single seed command that provisions the super-admin account,
So that I don't have to manually insert records or hardcode credentials in source control.

Acceptance Criteria
AC-1.1 Running npx prisma db seed creates a User record with email sametpolat22@istanbularel.edu if one does not already exist
AC-1.2 The command creates a GlobalModerator row linked to that user
AC-1.3 The temporary password is generated randomly at seed time and never stored in source control
AC-1.4 The temporary password is printed to stdout exactly once so the operator can copy it
AC-1.5 Re-running the seed on an already-provisioned account makes no changes (idempotent)
AC-1.6 The account is created with emailVerified set so the email-verification gate is not triggered
AC-1.7 The account is created with mustSetPassword = true

As a provisioned admin,
I want to be automatically redirected to a password-setup page the first time I sign in,
So that I replace the temporary password with one only I know before I can access any part of the platform.

Acceptance Criteria
AC-2.1 After a successful sign-in with the temporary password, the admin is redirected to /onboarding/set-password before reaching any other page
AC-2.2 Any attempt to navigate to another URL while mustSetPassword = true redirects back to /onboarding/set-password
AC-2.3 The redirect check runs server-side (via the route guard) and cannot be bypassed by manipulating client state
AC-2.4 The mustSetPassword flag is re-read from the database inside the server action, not inferred from the JWT alone
AC-2.5 Once the admin sets a new password, mustSetPassword is cleared and they are redirected to the home page
AC-2.6 If the session token update fails after a successful password change, the admin is signed out and redirected to /login rather than being left in a redirect loop

As a platform security owner,
I want to enforce stronger password requirements for the super-admin setup flow than for regular users,
So that the GlobalModerator account cannot be secured with a weak password.

Acceptance Criteria
AC-3.1 The new password must be at least 12 characters
AC-3.2 The new password must contain at least one uppercase letter, one lowercase letter, and one digit
AC-3.3 Submitting a password that does not meet requirements returns a specific error message without clearing the form
AC-3.4 The confirmation field must match the new password; a mismatch returns an error
AC-3.5 The password is hashed with bcrypt (cost factor 12) before being stored

As a platform security owner,
I want to ensure that signing in via a social provider (GitHub) does not skip the mustSetPassword redirect,
So that the admin cannot access the platform with an unset permanent password regardless of which sign-in method they use.

Acceptance Criteria
AC-4.1 If the admin account's email is linked to a GitHub OAuth account, a GitHub sign-in also triggers the /onboarding/set-password redirect
AC-4.2 The mustSetPassword value is read from the database during the signIn callback and stamped onto the session for all providers, not only credentials
AC-4.3 After the admin sets a password via the setup page, subsequent GitHub sign-ins are no longer redirected