## Summary
- Adds root user support with environment-based provisioning, protection guards, and automatic reconciliation. A root user is a special admin user that is provisioned via configuration (environment variables) rather than the UI, designed for automated/headless deployments.
## Key Features
- Environment-based provisioning: Configure root user via user.root.enabled, user.root.email, user.root.password, and user.root.org_name settings
- Automatic reconciliation: A background service runs on startup that:
- Looks up the organization by configured org_name
- If no matching org exists, creates the organization and root user via CreateFirstUser
- If the org exists, reconciles the root user (creates, promotes existing user, or updates email/password to match config)
- Retries every 10 seconds until successful
- Protection guards: Root users cannot be:
- Updated or deleted through the API
- Invited or have their password changed through the UI
- Authenticated via SSO/SAML (password-only authentication enforced)
- Self-registration disabled: When root user provisioning is enabled, the self-registration endpoint (/register) is blocked to prevent creating duplicate organizations
- Idempotent password sync: On every reconciliation, the root user's password is synced with the configured value — if it differs, it's updated; if it matches, no-op
