Leave Localhost logoLeave LocalhostDocs
Admin

Removing the Admin Panel and Audit Log

These features are optional. You can remove the admin panel alone, or also remove the audit log underneath it. The audit log can stand on its own; the admin panel depends on it.

These features are optional. You can remove the admin panel alone, or also remove the audit log underneath it. The audit log can stand on its own; the admin panel depends on it.

Quickest "off" switch (no code changes)

Leave SUPER_ADMIN_EMAILS unset/blank. With no allow-listed emails, nobody is a super admin: the sidebar link is hidden, /admin returns 404, and every admin query/mutation is denied. The audit log keeps recording but has no reader UI.

Remove the admin panel (keep the audit log)

  1. Frontend
    • Delete apps/app/src/app/[locale]/(dashboard)/admin/.
    • In apps/app/src/app/[locale]/(dashboard)/_components/app-sidebar.tsx, remove the adminAccess query, the ShieldAlert import, and the "Platform" admin SidebarGroup.
  2. Backend
    • Delete packages/backend/convex/admin/.
    • In convex/security/sensitiveActions.ts, delete the admin.organizationSuspend and admin.organizationReactivate registry entries (and, if unused elsewhere, the requiresSuperAdmin field).
    • In convex/security/validators.ts, remove those two ids from sensitiveActionIdValidator and the SensitiveActionId type.
    • In convex/security/challenges.ts and convex/security/passwordConfirmation.ts, remove the requireSuperAdmin import and the if (definition.requiresSuperAdmin) { ... } guard block.
    • In convex/env.ts, remove SUPER_ADMIN_EMAILS and SUPER_ADMIN_REQUIRE_2FA from both the server schema and runtimeEnv.
    • If you removed the audit log too, convex/security/challenges.ts's consumeSensitiveVerificationChallenge returns a ConsumeChallengeResult (it does not throw on a wrong/expired code) — keep that contract; the verify dialog depends on it.
    • Update convex/security/sensitiveActions.test.ts (catalog list) and delete convex/admin/*.test.ts.
  3. Docs/env — remove the two SUPER_ADMIN_* vars from Environment Variables and delete the docs/admin/* pages and docs/security/super-admin-access.md.

Run bun --cwd packages/backend convex codegen, bun run typecheck, bun run lint, and bun --cwd packages/backend test.

Also remove the audit log

After the steps above:

  1. Delete packages/backend/convex/audit/.
  2. Remove the audit_events table from convex/schema.ts (and its validator imports).
  3. Remove every writeAuditEvent / recordSubscriptionAudit call and its import from:
    • convex/auth.ts (the user.onCreate / user.onDelete triggers)
    • convex/organizations/mutations.ts
    • convex/members.ts
    • convex/billing/grants.ts
    • convex/billing/auditHelpers.ts (delete the file) and the three convex/billing/{stripe,polar,lemonSqueezy}/mutations.ts call sites
    • convex/security/challenges.ts
  4. Remove the audit_events branch (and AuditEvent type / rows entry) from convex/billing/grants.test.ts.
  5. Delete docs/security/audit-log.md, docs/reference/audit-events.md, and docs/recipes/write-an-audit-event.md.

Re-run codegen, typecheck, lint, and tests. A clean way to find stragglers:

rg "writeAuditEvent|audit_events|recordAuditEvent|requireSuperAdmin|SUPER_ADMIN"

On this page