fix(finance): seed admin account in finance_users on startup (#37)

SeedAdmin now creates the finance_users account from ADMIN_EMAIL /
ADMIN_PASSWORD env vars if it doesn't exist, so a fresh cluster
bootstraps a working login without manual registration.

Wires ADMIN_EMAIL and ADMIN_PASSWORD into the deployment from the
finance-api-secrets k8s secret (optional — pod still starts without it).

Also gitignores /main build artifact and *.test binaries.

Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitignore

@@ -4,3 +4,7 @@
 
 # node
 node_modules
+
+# go build artifacts
+/main
+*.test

apps/finance/services/api/k8s/deployment.yaml

@@ -33,6 +33,18 @@ spec:
               value: "jaeger.monitoring.svc:4317"
             - name: BASE_URL
               value: "https://finance.homelab.local"
+            - name: ADMIN_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: finance-api-secrets
+                  key: ADMIN_EMAIL
+                  optional: true
+            - name: ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: finance-api-secrets
+                  key: ADMIN_PASSWORD
+                  optional: true
           envFrom:
             - secretRef:
                 name: mongodb-shared-config

apps/finance/services/api/main/seed.go

@@ -8,17 +8,45 @@ import (
 	"time"
 
 	"go.mongodb.org/mongo-driver/v2/bson"
+	"golang.org/x/crypto/bcrypt"
 )
 
-// SeedAdmin looks up the admin user by email directly in the shared MongoDB
+// SeedAdmin ensures an admin account exists in finance_users, then seeds demo
-// (both services use the same DB) and seeds demo data if the account has no
+// data if the account has no existing transactions.
-// existing transactions.
 func SeedAdmin(ctx context.Context, store *Store) {
 	email := os.Getenv("SEED_USER_EMAIL")
 	if email == "" {
 		email = "admin@homelab.local"
 	}
 
+	if _, err := store.findAuthUserByEmail(ctx, email); err != nil {
+		password := os.Getenv("ADMIN_PASSWORD")
+		if password == "" {
+			slog.Warn("seed: no finance_users account and ADMIN_PASSWORD not set, skipping", "email", email)
+		} else {
+			hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
+			if err != nil {
+				slog.Error("seed: bcrypt failed", "err", err)
+				return
+			}
+			name := os.Getenv("ADMIN_NAME")
+			if name == "" {
+				name = "Admin"
+			}
+			u := &AuthUser{
+				Email:        email,
+				Name:         name,
+				PasswordHash: string(hash),
+				CreatedAt:    time.Now(),
+			}
+			if err := store.createAuthUser(ctx, u); err != nil {
+				slog.Error("seed: create admin user failed", "err", err)
+				return
+			}
+			slog.Info("seed: created admin user", "email", email)
+		}
+	}
+
 	userID, err := lookupUserByEmailMongo(ctx, store, email)
 	if err != nil {
 		slog.Warn("seed: could not resolve admin user, skipping", "email", email, "err", err)