GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/postgresql/unified/00-create-databases.sql

@@ -0,0 +1,26 @@
+-- GT 2.0 Admin Database Creation Script
+-- Creates databases for admin/control panel cluster only
+-- This MUST run first (00-prefix ensures execution order)
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create gt2_admin database for control panel
+SELECT 'CREATE DATABASE gt2_admin'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'gt2_admin')\gexec
+
+-- Create gt2_control_panel database for control panel backend
+SELECT 'CREATE DATABASE gt2_control_panel'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'gt2_control_panel')\gexec
+
+-- Log database creation completion
+DO $$
+BEGIN
+    RAISE NOTICE '=== GT 2.0 ADMIN DATABASE CREATION ===';
+    RAISE NOTICE 'Databases created successfully:';
+    RAISE NOTICE '- gt2_admin (control panel metadata)';
+    RAISE NOTICE '- gt2_control_panel (control panel backend)';
+    RAISE NOTICE 'Note: gt2_tenants created in tenant cluster separately';
+    RAISE NOTICE '======================================';
+END $$;

scripts/postgresql/unified/00-create-tenant-database.sql

@@ -0,0 +1,20 @@
+-- GT 2.0 Tenant Database Creation Script
+-- Creates database for tenant cluster only
+-- This MUST run first (00-prefix ensures execution order)
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create gt2_tenants database for tenant data storage
+SELECT 'CREATE DATABASE gt2_tenants'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'gt2_tenants')\gexec
+
+-- Log database creation completion
+DO $$
+BEGIN
+    RAISE NOTICE '=== GT 2.0 TENANT DATABASE CREATION ===';
+    RAISE NOTICE 'Database created successfully:';
+    RAISE NOTICE '- gt2_tenants (tenant data storage with PGVector)';
+    RAISE NOTICE '=======================================';
+END $$;

scripts/postgresql/unified/01-create-admin-roles.sql

@@ -0,0 +1,33 @@
+-- GT 2.0 Admin Cluster Role Creation Script
+-- Creates PostgreSQL roles for admin/control panel cluster
+-- Runs in admin postgres container only
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create admin user for control panel database
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_admin') THEN
+        CREATE ROLE gt2_admin LOGIN PASSWORD 'dev_password_change_in_prod';
+        RAISE NOTICE 'Created gt2_admin role for control panel access';
+    ELSE
+        RAISE NOTICE 'gt2_admin role already exists';
+    END IF;
+END $$;
+
+-- Grant database connection permissions (only on databases that exist in admin container)
+GRANT CONNECT ON DATABASE gt2_admin TO gt2_admin;
+GRANT CONNECT ON DATABASE gt2_control_panel TO gt2_admin;
+
+-- Log completion
+DO $$
+BEGIN
+    RAISE NOTICE '=== GT 2.0 ADMIN CLUSTER ROLE CREATION ===';
+    RAISE NOTICE 'Role created: gt2_admin';
+    RAISE NOTICE 'Permissions granted on:';
+    RAISE NOTICE '  - gt2_admin database';
+    RAISE NOTICE '  - gt2_control_panel database';
+    RAISE NOTICE '=========================================';
+END $$;

scripts/postgresql/unified/01-create-tenant-roles.sql

@@ -0,0 +1,62 @@
+-- GT 2.0 Tenant Cluster Role Creation Script
+-- Creates PostgreSQL roles for tenant cluster (including replication)
+-- Runs in tenant postgres container only
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create replication user for High Availability
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'replicator') THEN
+        CREATE ROLE replicator WITH REPLICATION PASSWORD 'tenant_replicator_dev_password' LOGIN;
+        RAISE NOTICE 'Created replicator role for HA cluster';
+    ELSE
+        RAISE NOTICE 'Replicator role already exists';
+    END IF;
+END $$;
+
+-- Create application user for tenant backend connections (legacy)
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_app') THEN
+        CREATE ROLE gt2_app LOGIN PASSWORD 'gt2_app_password';
+        RAISE NOTICE 'Created gt2_app role for tenant backend';
+    ELSE
+        RAISE NOTICE 'gt2_app role already exists';
+    END IF;
+END $$;
+
+-- Create tenant user for tenant database operations (current)
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_tenant_user') THEN
+        CREATE ROLE gt2_tenant_user LOGIN PASSWORD 'gt2_tenant_dev_password';
+        RAISE NOTICE 'Created gt2_tenant_user role for tenant operations';
+    ELSE
+        RAISE NOTICE 'gt2_tenant_user role already exists';
+    END IF;
+END $$;
+
+-- Set default search_path for gt2_tenant_user role
+-- This ensures all connections automatically use tenant_test_company schema
+ALTER ROLE gt2_tenant_user SET search_path TO tenant_test_company, public;
+
+-- Grant database connection permissions (only on gt2_tenants which exists in tenant container)
+GRANT CONNECT ON DATABASE gt2_tenants TO gt2_app;
+GRANT CONNECT ON DATABASE gt2_tenants TO gt2_tenant_user;
+GRANT CONNECT ON DATABASE gt2_tenants TO replicator;
+
+-- Log completion
+DO $$
+BEGIN
+    RAISE NOTICE '=== GT 2.0 TENANT CLUSTER ROLE CREATION ===';
+    RAISE NOTICE 'Roles created:';
+    RAISE NOTICE '  - replicator (for HA replication)';
+    RAISE NOTICE '  - gt2_app (tenant backend - legacy)';
+    RAISE NOTICE '  - gt2_tenant_user (tenant operations - current)';
+    RAISE NOTICE 'Permissions granted on:';
+    RAISE NOTICE '  - gt2_tenants database';
+    RAISE NOTICE '==========================================';
+END $$;

scripts/postgresql/unified/02-init-extensions.sql

@@ -0,0 +1,98 @@
+-- GT 2.0 Unified Extensions Initialization
+-- Ensures all required extensions are properly configured for all databases
+-- Run after user creation (02-prefix ensures execution order)
+
+-- Enable logging (but don't stop on errors for database connections)
+\set ECHO all
+
+-- Connect to gt2_tenants database first for PGVector setup
+\c gt2_tenants
+\set ON_ERROR_STOP on
+
+-- Vector extension for embeddings (PGVector) - Required for tenant database
+CREATE EXTENSION IF NOT EXISTS vector;
+
+-- Full-text search support
+CREATE EXTENSION IF NOT EXISTS pg_trgm;
+CREATE EXTENSION IF NOT EXISTS unaccent;
+
+-- Statistics and monitoring
+CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+CREATE EXTENSION IF NOT EXISTS pg_buffercache;
+
+-- UUID generation (built-in in PostgreSQL 13+, but ensure availability)
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
+-- JSON support enhancements
+CREATE EXTENSION IF NOT EXISTS "btree_gin";
+CREATE EXTENSION IF NOT EXISTS "btree_gist";
+
+-- Security extensions
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- Connect to control panel database and add required extensions (if it exists)
+\set ON_ERROR_STOP off
+\c gt2_control_panel
+\set ON_ERROR_STOP on
+
+-- Basic extensions for control panel
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "pg_stat_statements";
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- Connect to admin database and add required extensions (if it exists)
+\set ON_ERROR_STOP off
+\c gt2_admin
+\set ON_ERROR_STOP on
+
+-- Basic extensions for admin database
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "pg_stat_statements";
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- Switch back to tenant database for verification
+\set ON_ERROR_STOP off
+\c gt2_tenants
+\set ON_ERROR_STOP on
+
+-- Verify critical extensions are loaded
+DO $$
+DECLARE
+    ext_count INTEGER;
+BEGIN
+    -- Check vector extension
+    SELECT COUNT(*) INTO ext_count FROM pg_extension WHERE extname = 'vector';
+    IF ext_count = 0 THEN
+        RAISE EXCEPTION 'Vector extension not loaded - PGVector support required for embeddings';
+    ELSE
+        RAISE NOTICE 'Vector extension loaded successfully - PGVector enabled';
+    END IF;
+    
+    -- Check pg_trgm extension
+    SELECT COUNT(*) INTO ext_count FROM pg_extension WHERE extname = 'pg_trgm';
+    IF ext_count = 0 THEN
+        RAISE EXCEPTION 'pg_trgm extension not loaded - Full-text search support required';
+    ELSE
+        RAISE NOTICE 'pg_trgm extension loaded successfully - Full-text search enabled';
+    END IF;
+    
+    -- Check pg_stat_statements extension
+    SELECT COUNT(*) INTO ext_count FROM pg_extension WHERE extname = 'pg_stat_statements';
+    IF ext_count = 0 THEN
+        RAISE WARNING 'pg_stat_statements extension not loaded - Query monitoring limited';
+    ELSE
+        RAISE NOTICE 'pg_stat_statements extension loaded successfully - Query monitoring enabled';
+    END IF;
+END $$;
+
+-- Log completion
+DO $$
+BEGIN
+    RAISE NOTICE '=== GT 2.0 UNIFIED EXTENSIONS SETUP ===';
+    RAISE NOTICE 'Extensions configured in all databases:';
+    RAISE NOTICE '- gt2_tenants: PGVector + full-text + monitoring';
+    RAISE NOTICE '- gt2_control_panel: Basic extensions + crypto';
+    RAISE NOTICE '- gt2_admin: Basic extensions + crypto';
+    RAISE NOTICE 'All critical extensions verified and loaded';
+    RAISE NOTICE '=====================================';
+END $$;

scripts/postgresql/unified/05-create-tenant-test-data.sql

@@ -0,0 +1,64 @@
+-- GT 2.0 Tenant Test Data Creation Script
+-- Creates test tenant and gtadmin@test.com user in tenant database
+-- Mirrors the control panel test data for user sync compatibility
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create test tenant in tenant schema
+INSERT INTO tenant_test_company.tenants (
+    domain,
+    name,
+    created_at,
+    updated_at
+) VALUES (
+    'test-company',
+    'HW Workstation Test Deployment',
+    NOW(),
+    NOW()
+) ON CONFLICT (domain) DO UPDATE SET
+    name = EXCLUDED.name,
+    updated_at = NOW();
+
+-- Create test super admin user in tenant schema
+-- Role mapping: super_admin from control panel → 'admin' in tenant database
+-- This mirrors what sync_user_to_tenant_database() does in control-panel-backend
+INSERT INTO tenant_test_company.users (
+    email,
+    username,
+    full_name,
+    tenant_id,
+    role,
+    created_at,
+    updated_at
+) VALUES (
+    'gtadmin@test.com',
+    'gtadmin',
+    'GT Admin',
+    (SELECT id FROM tenant_test_company.tenants WHERE domain = 'test-company' LIMIT 1),
+    'admin',
+    NOW(),
+    NOW()
+) ON CONFLICT (email, tenant_id) DO UPDATE SET
+    username = EXCLUDED.username,
+    full_name = EXCLUDED.full_name,
+    role = EXCLUDED.role,
+    updated_at = NOW();
+
+-- Log completion
+DO $$
+DECLARE
+    tenant_count INTEGER;
+    user_count INTEGER;
+BEGIN
+    SELECT COUNT(*) INTO tenant_count FROM tenant_test_company.tenants WHERE domain = 'test-company';
+    SELECT COUNT(*) INTO user_count FROM tenant_test_company.users WHERE email = 'gtadmin@test.com';
+
+    RAISE NOTICE '=== GT 2.0 TENANT TEST DATA CREATION ===';
+    RAISE NOTICE 'Test tenant created: % (domain: test-company)', tenant_count;
+    RAISE NOTICE 'Test user created: % (email: gtadmin@test.com)', user_count;
+    RAISE NOTICE 'User role: admin (mapped from super_admin)';
+    RAISE NOTICE 'Note: User can now log into tenant app at localhost:3002';
+    RAISE NOTICE '========================================';
+END $$;

scripts/postgresql/unified/05-create-test-data.sql

@@ -0,0 +1,245 @@
+-- GT 2.0 Test Data Creation Script
+-- Creates test tenant and gtadmin@test.com user for development/testing
+-- This is the ONLY place where the test user should be created
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create test tenant
+INSERT INTO public.tenants (
+    uuid,
+    name,
+    domain,
+    template,
+    status,
+    max_users,
+    resource_limits,
+    namespace,
+    subdomain,
+    optics_enabled,
+    created_at,
+    updated_at
+) VALUES (
+    'test-tenant-uuid-001',
+    'GT AI OS',
+    'test-company',
+    'enterprise',
+    'active',
+    100,
+    '{"cpu": "4000m", "memory": "8Gi", "storage": "50Gi"}',
+    'gt-test',
+    'test',
+    false,  -- Optics disabled by default (enable via Control Panel)
+    NOW(),
+    NOW()
+) ON CONFLICT (domain) DO UPDATE SET
+    name = EXCLUDED.name,
+    template = EXCLUDED.template,
+    status = EXCLUDED.status,
+    max_users = EXCLUDED.max_users,
+    resource_limits = EXCLUDED.resource_limits,
+    namespace = EXCLUDED.namespace,
+    subdomain = EXCLUDED.subdomain,
+    optics_enabled = EXCLUDED.optics_enabled,
+    updated_at = NOW();
+
+-- Create test super admin user
+-- Password: Test@123
+-- Hash generated with: python -c "from passlib.context import CryptContext; print(CryptContext(schemes=['bcrypt']).hash('Test@123'))"
+INSERT INTO public.users (
+    uuid,
+    email,
+    full_name,
+    hashed_password,
+    user_type,
+    tenant_id,
+    capabilities,
+    is_active,
+    created_at,
+    updated_at
+) VALUES (
+    'test-admin-uuid-001',
+    'gtadmin@test.com',
+    'GT Admin Test User',
+    '$2b$12$otRZHfXz7GJUjA.ULeIc4ev612FSAK3tDcOYZdZCJ219j7WFNjFye',
+    'super_admin',
+    (SELECT id FROM public.tenants WHERE domain = 'test-company'),
+    '[{"resource": "*", "actions": ["*"], "constraints": {}}]',
+    true,
+    NOW(),
+    NOW()
+) ON CONFLICT (email) DO UPDATE SET
+    hashed_password = EXCLUDED.hashed_password,
+    user_type = EXCLUDED.user_type,
+    tenant_id = EXCLUDED.tenant_id,
+    capabilities = EXCLUDED.capabilities,
+    is_active = EXCLUDED.is_active,
+    updated_at = NOW();
+
+-- ===================================================================
+-- MODEL CONFIGURATIONS
+-- ===================================================================
+
+-- Insert LLM model configurations
+INSERT INTO public.model_configs (
+    model_id, name, version, provider, model_type, endpoint,
+    context_window, max_tokens, capabilities,
+    cost_per_million_input, cost_per_million_output,
+    is_active, health_status, request_count, error_count,
+    success_rate, avg_latency_ms,
+    tenant_restrictions, required_capabilities,
+    created_at, updated_at
+) VALUES
+-- Groq Llama 3.1 8B Instant (fast, cheap)
+('llama-3.1-8b-instant', 'Groq Llama 3.1 8b Instant', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 131072, 131072,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 0.05, 0.08, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- Groq Compound AI Search (blended: GPT-OSS-120B + Llama 4 Scout)
+('groq/compound', 'Groq Compound AI Search', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 131072, 8192,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 0.13, 0.47, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- Groq OpenAI GPT OSS 120B (large OSS)
+('openai/gpt-oss-120b', 'Groq Open AI GPT OSS 120b', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 131072, 32000,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 0.15, 0.60, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- Groq OpenAI GPT OSS 20B (medium OSS)
+('openai/gpt-oss-20b', 'Groq Open AI GPT OSS 20b', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 131072, 65536,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 0.075, 0.30, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- Groq Meta Llama 4 Maverick 17B (17Bx128E MoE)
+('meta-llama/llama-4-maverick-17b-128e-instruct', 'Groq Meta Llama 4 Maverick 17b 128 MOE Instruct', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 131072, 8192,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 0.20, 0.60, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- Moonshot AI Kimi K2 (1T parameters, 256k context)
+('moonshotai/kimi-k2-instruct-0905', 'Groq Moonshot AI Kimi K2 instruct 0905', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 262144, 16384,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 1.00, 3.00, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- Groq Llama Guard 4 12B (safety/moderation model)
+('meta-llama/llama-guard-4-12b', 'Groq Llama Guard 4 12B', '1.0', 'groq', 'llm',
+ 'https://api.groq.com/openai/v1/chat/completions',
+ 131072, 8192,
+ '{"reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false, "multilingual": false}'::json,
+ 0.20, 0.20, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW()),
+
+-- BGE-M3 Multilingual Embedding Model (embeddings, input only)
+('BAAI/bge-m3', 'BGE-M3 Multilingual Embedding', '1.0', 'external', 'embedding',
+ 'http://gentwo-vllm-embeddings:8000/v1/embeddings',
+ 8192, 8193,
+ '{"multilingual": true, "reasoning": false, "function_calling": false, "vision": false, "audio": false, "streaming": false}'::json,
+ 0.01, 0.00, true, 'unknown', 0, 0, 100, 0,
+ '{"global_access": true}'::json, '[]'::json,
+ NOW(), NOW())
+
+ON CONFLICT (model_id) DO UPDATE SET
+    name = EXCLUDED.name,
+    version = EXCLUDED.version,
+    provider = EXCLUDED.provider,
+    model_type = EXCLUDED.model_type,
+    endpoint = EXCLUDED.endpoint,
+    context_window = EXCLUDED.context_window,
+    max_tokens = EXCLUDED.max_tokens,
+    capabilities = EXCLUDED.capabilities,
+    cost_per_million_input = EXCLUDED.cost_per_million_input,
+    cost_per_million_output = EXCLUDED.cost_per_million_output,
+    is_active = EXCLUDED.is_active,
+    tenant_restrictions = EXCLUDED.tenant_restrictions,
+    required_capabilities = EXCLUDED.required_capabilities,
+    updated_at = NOW();
+
+-- ===================================================================
+-- TENANT MODEL ACCESS
+-- ===================================================================
+
+-- Enable all models for test tenant with 10,000 requests/min rate limit
+INSERT INTO public.tenant_model_configs (
+    tenant_id, model_id, is_enabled, tenant_capabilities,
+    rate_limits, usage_constraints, priority,
+    created_at, updated_at
+) VALUES
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'llama-3.1-8b-instant', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'groq/compound', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'openai/gpt-oss-120b', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'openai/gpt-oss-20b', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'meta-llama/llama-4-maverick-17b-128e-instruct', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'moonshotai/kimi-k2-instruct-0905', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'meta-llama/llama-guard-4-12b', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW()),
+
+((SELECT id FROM public.tenants WHERE domain = 'test-company'), 'BAAI/bge-m3', true, '{}'::json,
+ '{"requests_per_minute": 10000}'::json, '{}'::json, 5, NOW(), NOW())
+
+ON CONFLICT (tenant_id, model_id) DO UPDATE SET
+    is_enabled = EXCLUDED.is_enabled,
+    rate_limits = EXCLUDED.rate_limits,
+    updated_at = NOW();
+
+-- Log completion
+DO $$
+DECLARE
+    tenant_count INTEGER;
+    user_count INTEGER;
+    model_count INTEGER;
+    tenant_model_count INTEGER;
+BEGIN
+    SELECT COUNT(*) INTO tenant_count FROM public.tenants WHERE domain = 'test-company';
+    SELECT COUNT(*) INTO user_count FROM public.users WHERE email = 'gtadmin@test.com';
+    SELECT COUNT(*) INTO model_count FROM public.model_configs;
+    SELECT COUNT(*) INTO tenant_model_count FROM public.tenant_model_configs WHERE tenant_id = (SELECT id FROM public.tenants WHERE domain = 'test-company');
+
+    RAISE NOTICE '=== GT 2.0 TEST DATA CREATION ===';
+    RAISE NOTICE 'Test tenant created: % (domain: test-company)', tenant_count;
+    RAISE NOTICE 'Test user created: % (email: gtadmin@test.com)', user_count;
+    RAISE NOTICE 'Login credentials:';
+    RAISE NOTICE '  Email: gtadmin@test.com';
+    RAISE NOTICE '  Password: Test@123';
+    RAISE NOTICE '';
+    RAISE NOTICE 'LLM Models configured: %', model_count;
+    RAISE NOTICE 'Tenant model access enabled: %', tenant_model_count;
+    RAISE NOTICE 'Rate limit: 10,000 requests/minute per model';
+    RAISE NOTICE '====================================';
+END $$;