From 19ed231a311e61d294208e187bc067a1891a79f9 Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Wed, 22 Apr 2026 14:56:53 +0200
Subject: [PATCH] fix: prevent duplicate default rules on multi-worker startup

- Replace insert_many with replace_one(..., upsert=True) keyed by rule name
- Safe for concurrent startup with multiple gunicorn workers
---
 backend/rules.py | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/backend/rules.py b/backend/rules.py
index edaeca8..8784ddf 100644
--- a/backend/rules.py
+++ b/backend/rules.py
@@ -136,10 +136,7 @@ def _create_alert(rule: dict, event: dict):


 def seed_default_rules():
- """Insert pre-built admin-ops rule templates if the collection is empty."""
- if rules_collection.count_documents({}) > 0:
- return
-
+ """Upsert pre-built admin-ops rule templates. Safe for concurrent startup."""
 defaults = [
 {
 "name": "Failed Conditional Access",
@@ -261,8 +258,17 @@ def seed_default_rules():
 },
 ]

- try:
- rules_collection.insert_many(defaults)
- logger.info("Default admin-ops rules seeded", count=len(defaults))
- except Exception as exc:
- logger.warning("Failed to seed default rules", error=str(exc))
+ inserted = 0
+ for rule in defaults:
+ try:
+ result = rules_collection.replace_one(
+ {"name": rule["name"]},
+ rule,
+ upsert=True,
+ )
+ if result.upserted_id:
+ inserted += 1
+ except Exception as exc:
+ logger.warning("Failed to seed rule", rule=rule["name"], error=str(exc))
+ if inserted:
+ logger.info("Default admin-ops rules seeded", inserted=inserted, total=len(defaults))
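Review bot: The new docstring's "Safe for concurrent startup" holds only if `rules_collection` has a unique index on `name`, and no index creation is visible in this patch. Without one, two workers that upsert the same missing name at the same moment can each insert a document, which is the duplicate this commit sets out to prevent. Consider calling `rules_collection.create_index("name", unique=True)` before the seeding loop (it will fail while duplicates from earlier startups are still present, so those need cleaning up first) and stating the dependency in the docstring. The body of seed_default_rules continues outside this hunk.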
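Review bot: `replace_one(..., upsert=True)` in the added loop overwrites every existing rule that shares a default's name on each startup, whereas the removed code wrote only when the collection was empty. If rules can be edited or disabled after seeding (not visible here), a restart silently reverts that tuning and can re-enable or loosen a detection without any log line, because only `upserted_id` is counted. Inserting only when the name is missing keeps operator changes: `rules_collection.update_one({"name": rule["name"]}, {"$setOnInsert": rule}, upsert=True)`. If overwriting is intended, log `result.modified_count` too so the reset is visible to whoever maintains the rules.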