
What the operator can see — and what stops them from doing more.

Transparency cuts both ways. You should know not just what is collected, but what the person running v10r.dev can do with it. Below is the full inventory of admin capabilities, along with the four guarantees that hem them in.

Four hard guarantees

Code-enforced

Single-admin gate

The admin surface is gated by a single environment variable, ADMIN_EMAIL. There is no is_admin database column and no role table — nothing to escalate, nothing to drift.

404, not 403

Non-admins receive a generic 404 from any /admin/* path. The gate does not leak the existence of admin routes to unauthenticated visitors.

Append-only audit

Every admin write is logged to audit_log with actor, action, target, and timestamp. The audit table has no UPDATE or DELETE handlers — entries cannot be erased after the fact.

No write without consent

Cron jobs that mutate user-facing data (cleanup, rollup) are gated behind a Bearer token shared only with Vercel Cron, not exposed in any UI.
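The four guarantees above, sketched as an added example. This is not v10r.dev's own code. Apart from ADMIN_EMAIL and the audit_log fields, every name here (the function names, the CRON_SECRET variable, the session shape, the case-insensitive email match) is an assumption, and the sample values are constructed.

```javascript
// Added illustration, not the site's code. Assumed names: everything except
// ADMIN_EMAIL and the audit fields (actor, action, target, timestamp).

// Compare every position instead of stopping at the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Single-admin gate: the only source of truth is env.ADMIN_EMAIL.
// Case-insensitive matching is an assumption; an unset variable fails closed.
function isAdmin(session, env) {
  const admin = (env.ADMIN_EMAIL || "").trim().toLowerCase();
  const email = ((session && session.email) || "").trim().toLowerCase();
  return admin !== "" && email !== "" && safeEqual(email, admin);
}

// 404, not 403: anonymous and signed-in non-admins get the same status.
function routeStatus(path, session, env) {
  const isAdminPath = path === "/admin" || path.startsWith("/admin/");
  if (!isAdminPath) return 200;
  return isAdmin(session, env) ? 200 : 404;
}

// Cron gate: mutating jobs run only when the shared Bearer token matches.
function cronAuthorized(authorization, env) {
  const secret = env.CRON_SECRET || "";
  return secret !== "" && safeEqual(authorization || "", "Bearer " + secret);
}

// Append-only audit: the module exposes append and list, nothing else.
function createAuditLog() {
  const rows = [];
  return Object.freeze({
    append(actor, action, target) {
      const row = Object.freeze({ actor, action, target, timestamp: new Date().toISOString() });
      rows.push(row);
      return row;
    },
    list() { return rows.slice(); }, // callers get a copy, never the backing array
  });
}

// Constructed sample values.
const env = { ADMIN_EMAIL: "owner@example.test", CRON_SECRET: "constructed-secret" };
```

An in-process log like this only models the missing UPDATE / DELETE handlers; whoever holds direct database credentials is outside what application handlers can constrain.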

What the admin sidebar exposes

admin-only — non-admins 404

Observe

  • DB Observation: Read row counts and live queries — no writes.
  • Analytics: Aggregate dashboards over the retention window. No raw IPs.
  • Audit Log: Read every admin write that has ever happened. Append-only.
  • Feedback: Read submissions and update their status (new / read / archived).

Manage

  • Users: View and ban accounts. Cannot read passwords (Argon2 hashed).
  • Feature Flags: Toggle features for rollout / kill-switch.
  • Branding: Update site name and theme tokens.

Content

  • Posts: Create, edit, and publish posts.
  • Tags: Manage taxonomy.

System

  • Jobs: Inspect cron history; manually re-run a job.
  • Notifications: Configure email / Telegram / Discord channels.
  • AI Usage: Read token usage and per-model spend.
  • RAG: Inspect retrieval index health.
  • Cache: Inspect Redis state; flush stale keys.

What the admin cannot do

  • Read your raw IP. We never wrote it down.
  • Read your password. Argon2id is one-way; no offline crack worth attempting.
  • See your journey if you rejected analytics. There is no session_id to join on.
  • Erase the audit log. No UPDATE / DELETE handlers exist for that table.
  • Promote anyone to admin via a database write. The gate is an env var; promotion requires Vercel access + a redeploy.