diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 08d0b44..9904ca8 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -46,5 +46,6 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
   CMD wget -qO- http://localhost:3001/healthz || exit 1
 
 WORKDIR /app/apps/api
-# Apply pending migrations before booting. Prisma reads DATABASE_URL from env.
-CMD ["sh", "-c", "pnpm -C ../../packages/db exec prisma migrate deploy && node dist/index.js"]
+# Apply migrations → seed default admin on empty DB → start API.
+# Override the default admin credentials via SEED_ADMIN_{USERNAME,PASSWORD,EMAIL}.
+CMD ["sh", "-c", "pnpm -C ../../packages/db exec prisma migrate deploy && node ../../packages/db/ensure-admin.mjs && node dist/index.js"]
diff --git a/packages/db/ensure-admin.mjs b/packages/db/ensure-admin.mjs
new file mode 100644
index 0000000..e6c1fc8
--- /dev/null
+++ b/packages/db/ensure-admin.mjs
@@ -0,0 +1,30 @@
+// Bootstrap seed run at container start. Creates a default admin user
+// when the User table is empty so a fresh deployment has something to
+// log into. Subsequent boots see an existing user and skip silently.
+import bcrypt from 'bcryptjs';
+import { prisma } from './dist/client.js';
+
+try {
+  const count = await prisma.user.count();
+  if (count === 0) {
+    const username = process.env.SEED_ADMIN_USERNAME ?? 'admin';
+    const password = process.env.SEED_ADMIN_PASSWORD ?? 'admin';
+    const email = process.env.SEED_ADMIN_EMAIL ?? 'admin@vector.local';
+    await prisma.user.create({
+      data: {
+        username,
+        email,
+        passwordHash: await bcrypt.hash(password, 12),
+        role: 'ADMIN',
+      },
+    });
+    console.log(`[seed] Created default admin user "${username}". Change this password immediately.`);
+  } else {
+    console.log(`[seed] ${count} user(s) already exist — skipping default admin seed.`);
+  }
+} catch (err) {
+  console.error('[seed] Failed to ensure admin user:', err);
+  process.exit(1);
+} finally {
+  await prisma.$disconnect();
+}
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
index 14c58ec..3adee2e 100644
--- a/packages/db/src/client.ts
+++ b/packages/db/src/client.ts
@@ -9,13 +9,22 @@ declare global {
 
 function resolveSqliteUrl(raw: string | undefined): string | undefined {
   if (!raw || !raw.startsWith('file:')) return raw;
-  const rest = raw.slice('file:'.length).replace(/^\/+/, '');
-  if (path.isAbsolute(rest) || /^[A-Za-z]:[\\/]/.test(rest)) {
-    return 'file:' + rest.replace(/\\/g, '/');
-  }
+  let body = raw.slice('file:'.length);
+
+  // file:///unix/path is equivalent to file:/unix/path; collapse the host part.
+  if (body.startsWith('///')) body = body.slice(2);
+
+  // Windows: "/C:/..." → "C:/..." , then any backslashes to forward slashes.
+  const win = body.match(/^\/?([A-Za-z]:[\\/].*)$/);
+  if (win?.[1]) return 'file:' + win[1].replace(/\\/g, '/');
+
+  // Unix absolute (e.g. "/data/vector.db") — pass through verbatim.
+  if (body.startsWith('/')) return 'file:' + body;
+
+  // Relative — resolve against the schema dir so dev's default (file:./dev.db) keeps working.
   const here = path.dirname(fileURLToPath(import.meta.url));
   const schemaDir = path.resolve(here, '..', 'prisma');
-  const absolute = path.resolve(schemaDir, rest);
+  const absolute = path.resolve(schemaDir, body);
   return 'file:' + absolute.replace(/\\/g, '/');
 }