[CLAUDE] Infra: Plan CA Chunk D2 hotfix — Password ≥12 chars for catalog.manager (S22+2 policy)
All checks were successful
Deploy SOLUTION_ERP / build-deploy (push) Successful in 3m31s

Reviewer spawn pre-push verify caught CRITICAL bug in Chunk D 4a592cf:
- DemoUserPassword = "User@123456" (11 chars)
- Identity password policy S22+2 ≥12 chars enforced
- → New user catalog.manager CreateAsync FAIL on prod → user NOT seeded
- → Bro UAT login fe-user 401 → Plan CA broken on prod

Fix: per-user password override, conditional check on roles.Contains(CatalogManager).
- CatalogManager role → password = "CatalogMgr@2026" (15 chars, complexity OK)
- Existing 30 demo users → keep DemoUserPassword "User@123456" (created pre-S22+2, alive)

Pattern reusable: When adding a NEW demo user after the S22+2 password policy bump, MUST verify
password ≥12 chars OR override per-user. The existing 30 users idempotently skip CreateAsync,
so they are NOT affected (password hashed in DB from pre-bump).

Verify:
- dotnet build SolutionErp.slnx PASS 0 err
- Idempotent: existing catalog.manager (if manually created) is skipped + password NOT touched
- Smart Friend Reviewer guard active — caught issue before push

Plan CA chain (5 commits cumulative):
- A 80d39a0 BE Role + Seed (me, main, solo)
- B 06a441c FE move 4 master pages (Implementer Case 2)
- C c995f42 Sidebar filter 2 app (me, main, solo)
- D 4a592cf Seed demo user (me, main, solo) — INTRODUCED BUG
- D2 (this) Hotfix password policy (me, main, solo, Reviewer catch)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pqhuy1987
2026-05-22 11:09:11 +07:00
parent 4a592cfadb
commit 68bceddabb


@ -1286,7 +1286,12 @@ public static class DbInitializer
Position = position,
CreatedAt = DateTime.UtcNow,
};
var result = await userManager.CreateAsync(user, DemoUserPassword);
// [Plan CA S29 2026-05-22] CatalogManager role mới — password
// ≥12 chars per policy S22+2 (existing 30 demo user dùng
// DemoUserPassword 11 chars seed pre-S22+2 nên alive). User
// mới phải tuân policy mới hoặc CreateAsync fail trên prod.
var pwd = roles.Contains(AppRoles.CatalogManager) ? "CatalogMgr@2026" : DemoUserPassword;
var result = await userManager.CreateAsync(user, pwd);
if (!result.Succeeded)
{
logger.LogWarning("Demo user {Email} CREATE fail: {Err}",
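Review bot: The new `var pwd = roles.Contains(AppRoles.CatalogManager) ? "CatalogMgr@2026" : DemoUserPassword;` line commits a working credential as a string literal for an account that, per the comment above it, is created on prod. Read the seed password from configuration or a secret store instead, or force a change at first login, so the value in the repository is not a valid production login. Selecting the password by role also leaves the underlying problem in place: the next new demo user with any other role will again receive the 11-character `DemoUserPassword` and fail `CreateAsync`. Consider checking the candidate password against the configured minimum length before calling `CreateAsync`, rather than special-casing `CatalogManager`. Finally, a failed create is only reported through `logger.LogWarning`, so a seed that does not happen is easy to miss; raising the severity or failing the seeding step would surface a policy mismatch at deploy time.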