Use this file to discover all available pages before exploring further.
Next.js loads .env.* files automatically based on the current run mode. ERP B2B Premium extends this convention with three explicitly scoped files: .env.local for local development, .env.staging for the staging environment (loaded manually), and .env.production for production builds. Each file points to a completely separate Supabase project so that development, QA, and production data never mix.
Use the bundled setup script to copy the correct template into .env.local for each environment:
npx ts-node scripts/setup-env.ts dev
Each command copies the appropriate environment template into .env.local, which Next.js picks up automatically on the next npm run dev or npm run build.
Each environment must point to a separate Supabase project to prevent data cross-contamination. Update the three files with the credentials from each project’s dashboard (Project Settings → API):
# Supabase local instance or cloud dev projectNEXT_PUBLIC_SUPABASE_URL=https://localhost:54321NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...local-anon-keyNEXT_PUBLIC_DEFAULT_TENANT_CODE=acmeSUPABASE_URL=https://localhost:54321SUPABASE_ANON_KEY=eyJ...local-anon-keySUPABASE_SERVICE_ROLE_KEY=eyJ...local-service-role-key# Optional: suppress unknown-tenant warnings during local testing# SUPPRESS_TENANT_WARNINGS=false
SUPABASE_SERVICE_ROLE_KEY bypasses Row Level Security entirely. Only use it inside server-side migration scripts (scripts/deploy-migrations.ts) and admin seed operations (scripts/seed-*.ts) — never inside Server Actions that read or write user-submitted data. Any Server Action that calls getSupabaseAdmin() with user-controlled input creates a privilege escalation risk. Prefer getPublicServerClient() (anon key + RLS) in all user-facing Server Actions.
The GitHub Actions workflow at .github/workflows/ci.yml runs on every push and pull request. It requires the following variables to be configured as repository secrets in GitHub (Settings → Secrets and variables → Actions):
Secret name
Maps to
NEXT_PUBLIC_SUPABASE_URL
Staging or CI-dedicated Supabase project URL
NEXT_PUBLIC_SUPABASE_ANON_KEY
Supabase anonymous key for the CI project
SUPABASE_SERVICE_ROLE_KEY
Service role key for migration checks in CI
NEXT_PUBLIC_DEFAULT_TENANT_CODE
Tenant slug used during automated tests (e.g. acme)
The CI pipeline executes four quality gates on every run:
npx tsc --noEmit — Zero TypeScript type errors
npm run lint — Zero new ESLint violations
npx vitest run — All unit tests pass
npm audit --audit-level=high — No high-severity CVEs
All four gates must pass before a pull request can be merged into main.