Manage the invite-only admin allowlist, roles, and MFA state. Every change is step-up verified and written to the audit log.
| Email | Role | MFA | Status | Created | Last seen |
|---|---|---|---|---|---|
| lauri@melange.vc (you) | Super Admin | Enabled | Active | 12 Feb 2026 | 4 days ago |
| support1@melange.vc | Support | Enabled | Active | 13 Apr 2026 | 5 days ago |
| billing@melange.vc | Billing Admin | Enabled | Active | 13 May 2026 | 6 days ago |
| analyst@melange.vc | Viewer | Not enrolled | Active | 29 May 2026 | 9 days ago |
| former@melange.vc | Support | Enabled | Inactive | 24 Nov 2025 | 14 Mar 2026 |
The admin allowlist lives in our Supabase admin DB (admin_users) — never in a Neura database. Deactivation, not deletion, is the revocation path; you cannot change your own role or deactivate your own account.
| Capability | Viewer | Support | Billing Admin | Super Admin |
|---|---|---|---|---|
| View dashboard (`viewDashboard`) | ✓ | ✓ | ✓ | ✓ |
| View users (360) (`viewUser`) | ✓ | ✓ | ✓ | ✓ |
| View billing (`viewBilling`) | ✓ | ✓ | ✓ | ✓ |
| View AI outputs (`viewAI`) | ✓ | ✓ | ✓ | ✓ |
| View activity (`viewActivity`) | ✓ | ✓ | ✓ | ✓ |
| View support & ops (`viewSupport`) | ✓ | ✓ | ✓ | ✓ |
| View integrations (`viewIntegrations`) | ✓ | ✓ | ✓ | ✓ |
| View comms (`viewComms`) | ✓ | ✓ | ✓ | ✓ |
| View system health (`viewSystemHealth`) | ✓ | ✓ | ✓ | ✓ |
| View costs (FinOps) (`viewCosts`) | ✓ | ✓ | ✓ | ✓ |
| View audit log (`viewAudit`) | ✓ | ✓ | ✓ | ✓ |
| View site analytics (`viewAnalytics`) | ✓ | ✓ | ✓ | ✓ |
| Manage costs / add bills (`manageCosts`) | — | — | ✓ | ✓ |
| Reveal PHI / raw chat (`revealPHI`) | — | ✓ + step-up | ✓ + step-up | ✓ + step-up |
| Edit user (safe fields) (`editUser`) | — | ✓ | ✓ | ✓ |
| Suspend / reactivate user (`suspendUser`) | — | ✓ | ✓ | ✓ |
| Delete user (`deleteUser`) | — | — | — | ✓ + step-up |
| Billing actions (`performBillingAction`) | — | — | ✓ + step-up | ✓ + step-up |
| Flag AI output (`flagAI`) | — | ✓ | ✓ | ✓ |
| Resolve AI flag (`resolveAIFlag`) | — | ✓ | ✓ | ✓ |
| Manage admins (`manageAdmins`) | — | — | — | ✓ + step-up |
Resolved from `lib/auth/capabilities.ts`, the single source of truth, and enforced server-side. Capabilities marked “+ step-up” require a fresh MFA challenge at call time and are always audited. Roles are resolved explicitly per capability (no “admin implies everything”).
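The following is an added illustration of the authorization model described above (explicit per-capability role lists, step-up MFA at call time, mandatory audit of step-up calls, and the self-modification guard from the allowlist note). It is example code, not the project's `lib/auth/capabilities.ts`. Role and capability names are taken from the matrix; the function names, the five-minute step-up freshness window, the `AdminSession` shape and the in-memory audit log are assumptions for the example.

```typescript
// Added example (not the project's lib/auth/capabilities.ts): an explicit
// per-capability role matrix with step-up MFA and a self-modification guard.
// Role and capability names follow the page; function names, the 5-minute
// step-up window, the session shape and the audit sink are assumed.

export type Role = "Viewer" | "Support" | "Billing Admin" | "Super Admin";

export type Capability =
  | "viewDashboard" | "viewUser" | "viewBilling" | "viewAI" | "viewActivity"
  | "viewSupport" | "viewIntegrations" | "viewComms" | "viewSystemHealth"
  | "viewCosts" | "viewAudit" | "viewAnalytics" | "manageCosts" | "revealPHI"
  | "editUser" | "suspendUser" | "deleteUser" | "performBillingAction"
  | "flagAI" | "resolveAIFlag" | "manageAdmins";

interface CapabilityRule {
  roles: readonly Role[]; // the complete list of roles granted this capability
  stepUp: boolean;        // fresh MFA challenge required at call time
}

// Convenience lists only: every rule still names its roles explicitly, and no
// role is derived from another ("Super Admin" must be listed to be granted).
const ALL: readonly Role[] = ["Viewer", "Support", "Billing Admin", "Super Admin"];
const SUPPORT_AND_UP: readonly Role[] = ["Support", "Billing Admin", "Super Admin"];
const BILLING_AND_UP: readonly Role[] = ["Billing Admin", "Super Admin"];
const SUPER_ONLY: readonly Role[] = ["Super Admin"];

const RULES: Record<Capability, CapabilityRule> = {
  viewDashboard: { roles: ALL, stepUp: false },
  viewUser: { roles: ALL, stepUp: false },
  viewBilling: { roles: ALL, stepUp: false },
  viewAI: { roles: ALL, stepUp: false },
  viewActivity: { roles: ALL, stepUp: false },
  viewSupport: { roles: ALL, stepUp: false },
  viewIntegrations: { roles: ALL, stepUp: false },
  viewComms: { roles: ALL, stepUp: false },
  viewSystemHealth: { roles: ALL, stepUp: false },
  viewCosts: { roles: ALL, stepUp: false },
  viewAudit: { roles: ALL, stepUp: false },
  viewAnalytics: { roles: ALL, stepUp: false },
  manageCosts: { roles: BILLING_AND_UP, stepUp: false },
  revealPHI: { roles: SUPPORT_AND_UP, stepUp: true },
  editUser: { roles: SUPPORT_AND_UP, stepUp: false },
  suspendUser: { roles: SUPPORT_AND_UP, stepUp: false },
  deleteUser: { roles: SUPER_ONLY, stepUp: true },
  performBillingAction: { roles: BILLING_AND_UP, stepUp: true },
  flagAI: { roles: SUPPORT_AND_UP, stepUp: false },
  resolveAIFlag: { roles: SUPPORT_AND_UP, stepUp: false },
  manageAdmins: { roles: SUPER_ONLY, stepUp: true },
};

export const STEP_UP_MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window

export interface AdminSession {
  adminId: string;
  role: Role;
  status: "Active" | "Inactive";
  mfaVerifiedAt?: number; // epoch ms of the last completed MFA challenge
}

export type DenyReason = "inactive" | "role" | "self_target" | "step_up_required";
export interface Decision { allowed: boolean; reason?: DenyReason; }

export interface AuditEntry {
  at: number;
  adminId: string;
  capability: Capability;
  targetAdminId?: string;
  decision: Decision;
}
export const auditLog: AuditEntry[] = []; // in-memory stand-in for the real audit sink

function decide(session: AdminSession, capability: Capability, rule: CapabilityRule,
                now: number, targetAdminId?: string): Decision {
  // Deactivated admins keep their row (deactivation is the revocation path)
  // but are denied every capability.
  if (session.status !== "Active") return { allowed: false, reason: "inactive" };
  // Explicit membership test; there is no "admin implies everything" fallback.
  if (!rule.roles.includes(session.role)) return { allowed: false, reason: "role" };
  // An admin may never change their own role or deactivate their own account.
  if (capability === "manageAdmins" && targetAdminId === session.adminId) {
    return { allowed: false, reason: "self_target" };
  }
  // Step-up: the MFA challenge must be recent at call time, not just at login.
  if (rule.stepUp) {
    const fresh = session.mfaVerifiedAt !== undefined &&
      now - session.mfaVerifiedAt <= STEP_UP_MAX_AGE_MS;
    if (!fresh) return { allowed: false, reason: "step_up_required" };
  }
  return { allowed: true };
}

export function authorize(session: AdminSession, capability: Capability,
                          opts: { now?: number; targetAdminId?: string } = {}): Decision {
  const now = opts.now ?? Date.now();
  const rule = RULES[capability];
  const decision = decide(session, capability, rule, now, opts.targetAdminId);
  // Step-up capabilities are audited whether the call was allowed or denied.
  if (rule.stepUp) {
    auditLog.push({ at: now, adminId: session.adminId, capability,
                    targetAdminId: opts.targetAdminId, decision });
  }
  return decision;
}
```

Two design points worth keeping when adapting this: the rule table is the only place a role is granted anything, so adding a capability without listing roles denies it to everyone by default, and the audit entry is written before the caller sees the decision, so a denied step-up attempt leaves the same trail as a successful one.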