ENABLE_ADMIN_MODE=true
ADMIN_SECRET=<long-random-secret>
ADMIN_EMAIL=<your-email@example.com>
BROWSER_PROOF_EMAIL=<your-email@example.com>
SUPABASE_SERVICE_ROLE_KEY=<service-role-key>
Owner tools
Admin pages should prove things.
Use admin mode only on your own machine. It can verify schema, run browser proof, inspect backups, preview cleanup, and repair one user backup state.
Private .env only
Enable admin mode.
Do not commit these values. Do not place the service-role key in frontend code.
Real browser check
Open proof after admin unlock.
The browser proof page starts a real browser run for onboarding, profile/settings, avatar, tour, study session, and sync status.
Open admin
http://127.0.0.1:3000/__admin
Open browser proof
http://127.0.0.1:3000/__admin/browser-proof
Useful admin pages
What each page is for.
/__admin/verify
Checks schema, RPCs, storage buckets, auth guard behavior, and integration wiring.
/__admin/sync
Shows best backup, candidates, canonical path status, and repair actions.
/__admin/storage
Shows buckets, backup files, avatar duplicates, and cleanup preview/apply.
Preview before destructive work
Cleanup must show paths, sizes, hashes, keep/delete decisions, and bytes freed before apply.
Admin keys stay server-side
The service-role key and PAT must never be written into HTML, bundled assets, localStorage, or logs.
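One way to check the rule above before shipping a build, as an added example that is not this project's own code. It assumes the service-role key is a JWT whose payload carries role "service_role" (the shape of Supabase's JWT-format API keys); the function names, file paths, and sample values are constructed for illustration.

```javascript
// Added example: scan text destined for the client or for logs (HTML, bundles,
// log lines) for admin credentials. All names here are illustrative.

// Three dot-separated base64url segments, the first two starting "eyJ" (a JWT).
const JWT_RE = /eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]+/g;

// Decode a JWT payload without verifying it; returns null if it is not JSON.
function jwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// files: [{ path, text }]; secrets: { NAME: value } read from the private .env.
// Findings carry the name and location only, never the secret value itself.
function findLeakedSecrets(files, secrets) {
  const findings = [];
  for (const { path, text } of files) {
    for (const [name, value] of Object.entries(secrets)) {
      // Skip empty or very short values, which would match almost anywhere.
      if (!value || value.length < 8) continue;
      const at = text.indexOf(value); // first occurrence per file is enough to fail
      if (at !== -1) findings.push({ path, offset: at, reason: `${name} value present` });
    }
    for (const m of text.matchAll(JWT_RE)) {
      const payload = jwtPayload(m[0]);
      if (payload && payload.role === "service_role") {
        findings.push({ path, offset: m.index, reason: "JWT with role=service_role" });
      }
    }
  }
  return findings;
}

// Constructed sample data: unsigned tokens built here, not real keys.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const fakeJwt = (role) => `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ role })}.c2lnbmF0dXJl`;
const SAMPLE_SECRETS = { ADMIN_SECRET: "constructed-admin-secret-0001" };
const SAMPLE_FILES = [
  { path: "dist/app.js", text: `const k="${fakeJwt("anon")}";` },
  { path: "dist/admin.js", text: `fetch(u,{headers:{apikey:"${fakeJwt("service_role")}"}})` },
  { path: "logs/server.log", text: "unlock ok secret=constructed-admin-secret-0001" },
];
```

Run it over the build output and any captured logs, and fail the build when the returned list is not empty. The role check catches a service-role token even when it differs from the one in the local .env.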