From 556c11e08cc7032f1da249f2d31477c5e53ee6bc Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Wed, 4 Feb 2026 16:08:15 +0100
Subject: [PATCH] Add Role.get_admin_role for Release.seed_admin

Used by Mv.Release to resolve Admin role when creating/updating admin user from ENV.
---
 lib/mv/authorization/role.ex | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/mv/authorization/role.ex b/lib/mv/authorization/role.ex
index 59c0e51..8700a33 100644
--- a/lib/mv/authorization/role.ex
+++ b/lib/mv/authorization/role.ex
@@ -181,4 +181,18 @@ defmodule Mv.Authorization.Role do
     |> Ash.Query.filter(name == "Mitglied")
     |> Ash.read_one(authorize?: false, domain: Mv.Authorization)
   end
+
+  @doc """
+  Returns the Admin role if it exists.
+
+  Used by release tasks (e.g. seed_admin) and OIDC role sync to assign the admin role.
+  """
+  @spec get_admin_role() :: {:ok, t() | nil} | {:error, term()}
+  def get_admin_role do
+    require Ash.Query
+
+    __MODULE__
+    |> Ash.Query.filter(name == "Admin")
+    |> Ash.read_one(authorize?: false, domain: Mv.Authorization)
+  end
 end