-- 1) Marcar como SaaS master
insert into public.saas_admins (user_id)
values ('40a4b683-a0c9-4890-a201-20faf41fca06')
on conflict (user_id) do nothing;

-- 2) Garantir profile (seu session.js busca role em profiles)
insert into public.profiles (id, role)
values ('40a4b683-a0c9-4890-a201-20faf41fca06', 'saas_admin')
on conflict (id) do update set role = excluded.role;