diff --git a/src/Backend/SolutionErp.Infrastructure/Persistence/DbInitializer.cs b/src/Backend/SolutionErp.Infrastructure/Persistence/DbInitializer.cs
index 1038548..d28df77 100644
--- a/src/Backend/SolutionErp.Infrastructure/Persistence/DbInitializer.cs
+++ b/src/Backend/SolutionErp.Infrastructure/Persistence/DbInitializer.cs
@@ -1286,7 +1286,12 @@ public static class DbInitializer
                         Position = position,
                         CreatedAt = DateTime.UtcNow,
                     };
-                    var result = await userManager.CreateAsync(user, DemoUserPassword);
+                    // [Plan CA S29 2026-05-22] CatalogManager role mới — password
+                    // ≥12 chars per policy S22+2 (existing 30 demo user dùng
+                    // DemoUserPassword 11 chars seed pre-S22+2 nên alive). User
+                    // mới phải tuân policy mới hoặc CreateAsync fail trên prod.
+                    var pwd = roles.Contains(AppRoles.CatalogManager) ? "CatalogMgr@2026" : DemoUserPassword;
+                    var result = await userManager.CreateAsync(user, pwd);
                     if (!result.Succeeded)
                     {
                         logger.LogWarning("Demo user {Email} CREATE fail: {Err}",