diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 73da618..191898e 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -591,6 +591,31 @@ if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then
 }")
 log "OIDC config response: $(echo "$OIDC_RESPONSE" | head -c 200)"
 log "cameleer3-server OIDC configured."
+
+ # Seed claim mapping rules (roles → server RBAC)
+ log "Seeding claim mapping rules..."
+ EXISTING_MAPPINGS=$(curl -s -H "Authorization: Bearer $SERVER_TOKEN" \ "${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" 2>/dev/null || echo "[]")
+
+ seed_claim_mapping() {
+ local match_value="$1"
+ local target="$2"
+ local priority="$3"
+ local exists=$(echo "$EXISTING_MAPPINGS" | jq -r ".[] | select(.matchValue == \"$match_value\") | .id")
+ if [ -n "$exists" ]; then
+ log " Claim mapping '$match_value' → $target exists"
+ else
+ local resp=$(curl -s -X POST "${SERVER_ENDPOINT}/api/v1/admin/claim-mappings" \ -H "Authorization: Bearer $SERVER_TOKEN" \ -H "Content-Type: application/json" \ -d "{\"claim\":\"roles\",\"matchType\":\"contains\",\"matchValue\":\"$match_value\",\"action\":\"assignRole\",\"target\":\"$target\",\"priority\":$priority}")
+ log " Created claim mapping '$match_value' → $target"
+ fi
+ }
+
+ seed_claim_mapping "server:admin" "ADMIN" 10
+ seed_claim_mapping "server:operator" "OPERATOR" 20
+ log "Claim mapping rules seeded."
 else
 log "WARNING: Could not login to cameleer3-server — skipping OIDC config"
 fi