← Command Center
Second Order

Ops Dashboard

Manage Vercel env vars and Supabase DB from the NowPage dashboard. No more context-switching to external tools.

Why this exists: Managing Vercel env vars and running Supabase migrations requires switching to external dashboards that only Jason can access. This creates a bottleneck. Bringing these into the app means the team can self-serve on env var rotation and DB changes without context-switching.

Priority: After mobile responsiveness. Captured now so it doesn't get lost. Each loop ships independently and delivers value on its own.

Second-Order Effects

Self-Service Infrastructure
Team members rotate keys and check DB state without asking Jason.
Vault ↔ Vercel Sync
One-click push/pull between vault secrets and Vercel env vars. No manual double-updates.
Migration Confidence
Apply migrations from the dashboard with clear success/error feedback. No more copy-pasting SQL into Supabase Studio.
Schema Visibility
Browse tables, columns, and RLS policies without leaving the app.

Layer 10: Vercel Env Var Sync

Manage Vercel project env vars from the app dashboard. No more switching to vercel.com for key rotation.

10.1
Read Vercel Env Vars

API route /api/ops/vercel-env (GET) calls Vercel REST API to list env vars. Returns key name, target (production/preview/development), type, last updated. Secret values are never returned — only names and metadata. Admin-only.

Depends on: Credential Vault (resolveKey for VERCEL_TOKEN)

10.2
Add / Edit / Delete Env Vars

POST/PATCH/DELETE handlers on the same route. Create new env vars, update values, or remove them — all through the Vercel REST API. Every change gets logged to ops_audit_log with who, what, when.

10.3
Vault ↔ Vercel Sync

"Push to Vercel" button next to vault keys that also exist as Vercel env vars. One-click sync. "Pull from Vercel" imports a Vercel env var into the vault (encrypted). Visual badges show sync status: in-sync, out-of-sync, vault-only, vercel-only.

Layer 11: Supabase SQL Editor

Run SQL queries and apply migrations from the app dashboard. No more switching to Supabase Studio.

11.1
SQL Query Runner

Textarea with execute button and results table. Read-only mode toggle wraps queries in a read-only transaction. Query history saved in localStorage (last 20). Duration display. 30-second timeout, max 1000 rows. Admin-only.

11.2
Migration Runner

Lists pending migration files from supabase/migrations/. Shows which have been applied (tracked in _migrations_applied table). One-click "Apply" button runs the migration SQL and marks it as applied. Shows full error output on failure.

11.3
Schema Browser

List all tables with row counts. Click to expand: columns with types, nullable, defaults. Shows indexes, foreign keys, and RLS policies per table. Read-only — no schema modifications from this view.

Layer 12: Ops Dashboard UI

12.1
Unified Ops Tab

New "Ops" section in the dashboard, visible only to admin. Sub-tabs: Vercel Env Vars | SQL Editor | Migrations | Schema. Each sub-tab renders the corresponding component. Collapsible like existing sidebar panels.

Build Order

Track A — Vercel
10.1 → 10.2 → 10.3
Read first, then write, then sync
Track B — Supabase
11.1 → 11.2 + 11.3
Query runner first, then migration + schema in parallel
Depends On
Both → 12.1
Components exist before container
External Dep
Credential Vault
Loop 10.1 needs resolveKey for VERCEL_TOKEN

Key Files

FileRole
app/api/ops/vercel-env/route.tsVercel env var CRUD
app/api/ops/sql/route.tsSQL query execution
app/api/ops/migrations/route.tsMigration list + apply
app/api/ops/schema/route.tsSchema browser data
app/api/ops/vercel-sync/route.tsVault ↔ Vercel sync
components/OpsPanel.tsxContainer with sub-tabs
components/VercelEnvManager.tsxEnv var table + CRUD UI
components/SqlEditor.tsxQuery editor + results
components/MigrationRunner.tsxMigration list + apply UI
components/SchemaBrowser.tsxTable/column/RLS browser

Security

All ops routes are admin-only. Check user.email === ADMIN_EMAIL on every request. Never return secret values from Vercel reads. Audit log every mutation. SQL editor runs raw SQL intentionally — but only admin can access it. Read-only mode is the default.

Verification

  1. Admin sees Ops tab in dashboard — non-admin does not
  2. Vercel env var list matches Vercel dashboard (names only, no secrets)
  3. SQL SELECT count(*) FROM pages returns correct count
  4. SQL read-only mode blocks INSERT/UPDATE/DELETE
  5. Every mutation logged in ops_audit_log
  6. Migration runner shows pending vs applied correctly
  7. Schema browser matches Supabase Studio output
NowPage Platform · PRD v1.0 · March 6, 2026