Removing the Admin Panel and Audit Log
These features are optional. You can remove the admin panel alone, or also remove the audit log underneath it. The audit log can stand on its own; the admin panel depends on it.
These features are optional. You can remove the admin panel alone, or also remove the audit log underneath it. The audit log can stand on its own; the admin panel depends on it.
Quickest "off" switch (no code changes)
Leave SUPER_ADMIN_EMAILS unset/blank. With no allow-listed emails, nobody is a
super admin: the sidebar link is hidden, /admin returns 404, and every admin
query/mutation is denied. The audit log keeps recording but has no reader UI.
Remove the admin panel (keep the audit log)
- Frontend
- Delete
apps/app/src/app/[locale]/(dashboard)/admin/. - In
apps/app/src/app/[locale]/(dashboard)/_components/app-sidebar.tsx, remove theadminAccessquery, theShieldAlertimport, and the "Platform" adminSidebarGroup.
- Delete
- Backend
- Delete
packages/backend/convex/admin/. - In
convex/security/sensitiveActions.ts, delete theadmin.organizationSuspendandadmin.organizationReactivateregistry entries (and, if unused elsewhere, therequiresSuperAdminfield). - In
convex/security/validators.ts, remove those two ids fromsensitiveActionIdValidatorand theSensitiveActionIdtype. - In
convex/security/challenges.tsandconvex/security/passwordConfirmation.ts, remove therequireSuperAdminimport and theif (definition.requiresSuperAdmin) { ... }guard block. - In
convex/env.ts, removeSUPER_ADMIN_EMAILSandSUPER_ADMIN_REQUIRE_2FAfrom both theserverschema andruntimeEnv. - If you removed the audit log too,
convex/security/challenges.ts'sconsumeSensitiveVerificationChallengereturns aConsumeChallengeResult(it does not throw on a wrong/expired code) — keep that contract; the verify dialog depends on it. - Update
convex/security/sensitiveActions.test.ts(catalog list) and deleteconvex/admin/*.test.ts.
- Delete
- Docs/env — remove the two
SUPER_ADMIN_*vars from Environment Variables and delete thedocs/admin/*pages anddocs/security/super-admin-access.md.
Run bun --cwd packages/backend convex codegen, bun run typecheck,
bun run lint, and bun --cwd packages/backend test.
Also remove the audit log
After the steps above:
- Delete
packages/backend/convex/audit/. - Remove the
audit_eventstable fromconvex/schema.ts(and its validator imports). - Remove every
writeAuditEvent/recordSubscriptionAuditcall and its import from:convex/auth.ts(theuser.onCreate/user.onDeletetriggers)convex/organizations/mutations.tsconvex/members.tsconvex/billing/grants.tsconvex/billing/auditHelpers.ts(delete the file) and the threeconvex/billing/{stripe,polar,lemonSqueezy}/mutations.tscall sitesconvex/security/challenges.ts
- Remove the
audit_eventsbranch (andAuditEventtype / rows entry) fromconvex/billing/grants.test.ts. - Delete
docs/security/audit-log.md,docs/reference/audit-events.md, anddocs/recipes/write-an-audit-event.md.
Re-run codegen, typecheck, lint, and tests. A clean way to find stragglers:
rg "writeAuditEvent|audit_events|recordAuditEvent|requireSuperAdmin|SUPER_ADMIN"Admin: Global Audit Log
/admin/audit-log shows the full application audit history to super admins. It is the UI over the audit_events table — see Audit Log for what is and isn't logged.
Add a Dashboard Page
Add a new authenticated page to the product app, wired into the localized dashboard layout, sidebar, and Convex data.