fix: prevent duplicate default rules on multi-worker startup

- Replace insert_many with replace_one(..., upsert=True) keyed by rule name
- Safe for concurrent startup with multiple gunicorn workers

backend/rules.py

@@ -136,10 +136,7 @@ def _create_alert(rule: dict, event: dict):
 
 
 def seed_default_rules():
-    """Insert pre-built admin-ops rule templates if the collection is empty."""
+    """Upsert pre-built admin-ops rule templates. Safe for concurrent startup."""
-    if rules_collection.count_documents({}) > 0:
-        return
-
     defaults = [
         {
             "name": "Failed Conditional Access",
@@ -261,8 +258,17 @@ def seed_default_rules():
         },
     ]
 
-    try:
+    inserted = 0
-        rules_collection.insert_many(defaults)
+    for rule in defaults:
-        logger.info("Default admin-ops rules seeded", count=len(defaults))
+        try:
-    except Exception as exc:
+            result = rules_collection.replace_one(
-        logger.warning("Failed to seed default rules", error=str(exc))
+                {"name": rule["name"]},
+                rule,
+                upsert=True,
+            )
+            if result.upserted_id:
+                inserted += 1
+        except Exception as exc:
+            logger.warning("Failed to seed rule", rule=rule["name"], error=str(exc))
+    if inserted:
+        logger.info("Default admin-ops rules seeded", inserted=inserted, total=len(defaults))