diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 8909396..9dc944b 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -9,6 +9,10 @@ services:
 ports:
 - "3001:3001"
+ logto-bootstrap:
+ environment:
+ VENDOR_SEED_ENABLED: "true"
+
 cameleer-saas:
 ports:
 - "8080:8080"
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 191898e..04f076a 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -35,6 +35,12 @@ TENANT_NAME="Example Tenant"
 TENANT_SLUG="default"
 BOOTSTRAP_TOKEN="${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}"
+# Vendor seed (optional — creates saas-vendor role + vendor user)
+VENDOR_SEED_ENABLED="${VENDOR_SEED_ENABLED:-false}"
+VENDOR_USER="${VENDOR_USER:-vendor}"
+VENDOR_PASS="${VENDOR_PASS:-vendor}"
+VENDOR_NAME="${VENDOR_NAME:-SaaS Vendor}"
+
 # Server config
 SERVER_ENDPOINT="${SERVER_ENDPOINT:-http://cameleer3-server:8081}"
 SERVER_UI_USER="${SERVER_UI_USER:-admin}"
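Review bot: Switching `VENDOR_SEED_ENABLED` to `"true"` in the dev compose without also passing `VENDOR_PASS` means every dev stack boot seeds the bootstrap script's default vendor credential (both user and password default to `vendor` in the companion hunk) and, per the script, grants that account the global saas-vendor role plus owner in every organization. Nothing in the compose file signals that. I would document it next to the flag, e.g. `# dev only: seeds a default 'vendor' account with owner rights in every org (see docker/logto-bootstrap.sh)`, and forward `VENDOR_PASS: "${VENDOR_PASS:-vendor}"` so the password is visibly overridable from the host environment rather than a hidden script default.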
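Review bot: `VENDOR_PASS` defaults to the literal `vendor` for an account that the seed later makes owner of every organization, so any environment that sets `VENDOR_SEED_ENABLED=true` without overriding it silently gets a guessable high-privilege credential. Since the seed is opt-in, the script should at least warn when the default is in use, e.g. `if [ "$VENDOR_SEED_ENABLED" = "true" ] && [ "$VENDOR_PASS" = "vendor" ]; then log "WARNING: VENDOR_PASS is the default 'vendor'; override it for anything beyond local dev"; fi`. The new comment also understates the effect; I'd make it `# Vendor seed (optional — creates saas-vendor role + vendor user, who is also made owner of every existing organization)` so a reader of the config block sees the blast radius.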
@@ -714,6 +720,78 @@ cat > "$BOOTSTRAP_FILE" </dev/null 2>&1
+ log "Assigned saas-vendor role globally."
+ fi
+
+ # Add vendor to all existing organizations with owner role
+ log "Adding vendor to all organizations..."
+ ORG_OWNER_ROLE_ID=$(api_get "/api/organization-roles" | jq -r '.[] | select(.name == "owner") | .id')
+ ORGS=$(api_get "/api/organizations")
+ ORG_COUNT=$(echo "$ORGS" | jq 'length')
+
+ for i in $(seq 0 $((ORG_COUNT - 1))); do
+ SEED_ORG_ID=$(echo "$ORGS" | jq -r ".[$i].id")
+ SEED_ORG_NAME=$(echo "$ORGS" | jq -r ".[$i].name")
+ api_post "/api/organizations/$SEED_ORG_ID/users" "{\"userIds\": [\"$VENDOR_USER_ID\"]}" >/dev/null 2>&1
+ if [ -n "$ORG_OWNER_ROLE_ID" ] && [ "$ORG_OWNER_ROLE_ID" != "null" ]; then
+ curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+ -d "{\"organizationRoleIds\": [\"$ORG_OWNER_ROLE_ID\"]}" \
+ "${LOGTO_ENDPOINT}/api/organizations/$SEED_ORG_ID/users/$VENDOR_USER_ID/roles" >/dev/null 2>&1
+ fi
+ log " Added to org '$SEED_ORG_NAME' with owner role."
+ done
+
+ log "Vendor seed complete."
+fi
+
 log ""
 log "=== Bootstrap complete! ==="
 # dev only — remove credential logging in production
@@ -722,5 +800,7 @@ log " Viewer: $TENANT_ADMIN_USER / $TENANT_ADMIN_PASS (org role: viewe
 log " Tenant: $TENANT_NAME (slug: $TENANT_SLUG)"
 log " Organization: $ORG_ID"
 log " SPA Client ID: $SPA_ID"
+if [ "$VENDOR_SEED_ENABLED" = "true" ]; then
+ log " Vendor: $VENDOR_USER / $VENDOR_PASS (role: saas-vendor)"
+fi
 log ""
-log " To add SaaS Vendor role (hosted only): run docker/vendor-seed.sh"
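Review bot: The owner-role PUT inside the org loop discards its outcome (`curl -s` without `--fail`, everything sent to `/dev/null 2>&1`) and the following `log "  Added to org '$SEED_ORG_NAME' with owner role."` prints unconditionally, so a rejected or failed privilege grant is reported as success; the same applies to the `api_post` membership call just above it, whose exit status is not checked here. For a step that hands out owner on every organization the script should test the result and say when it did not happen. Separately, `ORG_OWNER_ROLE_ID` is built from every role named `owner`, so more than one match would give a newline-joined value and a malformed JSON body; `first(.[] | select(.name == "owner") | .id)` avoids that. The enclosing `if [ "$VENDOR_SEED_ENABLED" = "true" ]` block, and the user/role creation it begins with, start outside the hunk.
```shell
  # … unchanged: lookup of ORG_OWNER_ROLE_ID, ORGS, ORG_COUNT …
  for i in $(seq 0 $((ORG_COUNT - 1))); do
    SEED_ORG_ID=$(echo "$ORGS" | jq -r ".[$i].id")
    SEED_ORG_NAME=$(echo "$ORGS" | jq -r ".[$i].name")
    # … unchanged: api_post membership call …
    if [ -n "$ORG_OWNER_ROLE_ID" ] && [ "$ORG_OWNER_ROLE_ID" != "null" ]; then
      # -f makes HTTP 4xx/5xx a non-zero exit so a refused grant is not logged as success
      if curl -sf -o /dev/null -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
           -d "{\"organizationRoleIds\": [\"$ORG_OWNER_ROLE_ID\"]}" \
           "${LOGTO_ENDPOINT}/api/organizations/$SEED_ORG_ID/users/$VENDOR_USER_ID/roles"; then
        log "  Added to org '$SEED_ORG_NAME' with owner role."
      else
        log "  WARNING: vendor added to org '$SEED_ORG_NAME' but owner role assignment failed."
      fi
    else
      log "  WARNING: no 'owner' organization role found; vendor added to org '$SEED_ORG_NAME' without it."
    fi
  done
```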