This page maps every environment and every credential the system uses. It lists
each credential by name, purpose, and location only — no secret,
service-role key, or raw VITE_ value appears here.

| App | Production | Staging | Supabase schema |
| --- | --- | --- | --- |
| Marketing site | sitecrate.ca | staging.sitecrate.ca | public / staging |
| Admin | admin.sitecrate.ca | staging-admin.sitecrate.ca | public / staging |
| Client sites | {slug}.sitecrate.ca → real domain | — | (no DB writes) |

Both staging sites deploy automatically on every PR push, after lint + build
pass. Staging is routed to the isolated staging schema purely by setting
VITE_SUPABASE_SCHEMA=staging; production omits that var and falls back to
'public'.

| Resource | Detail |
| --- | --- |
| Host | Netlify (separate sites for prod / staging / each client) |
| DNS | Cloudflare — wildcard *.sitecrate.ca CNAME → apex-loadbalancer.netlify.com |
| SSL | Auto-provisioned by Netlify per subdomain |

Concrete Netlify site IDs are recorded in each repo’s CLAUDE.md and visible
in the Netlify dashboard; they are operational identifiers, not reproduced on
this public page.

| Variable | Scope | Purpose | Lives in |
| --- | --- | --- | --- |
| VITE_SUPABASE_URL | client (bundled) | Supabase project URL | Netlify env + GitHub secret + local .env |
| VITE_SUPABASE_ANON_KEY | client (bundled) | Supabase anon key — intentionally public | Netlify env + GitHub secret + local .env |
| VITE_SUPABASE_SCHEMA | client (bundled) | staging on staging only; unset in prod | GitHub secret (staging job) / Netlify staging env |
| SUPABASE_SERVICE_ROLE_KEY | server only | send-email resolves projects by token | Netlify function env |
| RESEND_API_KEY | server only | Resend transactional email | Netlify function env + local .env |

| Variable | Scope | Purpose | Lives in |
| --- | --- | --- | --- |
| VITE_SUPABASE_URL | client | Supabase project URL | Netlify env + GitHub secret + local .env |
| VITE_SUPABASE_ANON_KEY | client | Supabase anon key | Netlify env + GitHub secret + local .env |
| VITE_SUPABASE_SCHEMA | client | staging on staging only | GitHub secret (staging) / Netlify staging env |
| SUPABASE_SERVICE_ROLE_KEY | server only | admin-users.js user CRUD | Netlify function env + GitHub secret |
| GOOGLE_CLIENT_ID | server only | ga-report.js GA4 OAuth | Netlify function env + local .env |
| GOOGLE_CLIENT_SECRET | server only | GA4 OAuth | Netlify function env + local .env |
| GOOGLE_REFRESH_TOKEN | server only | GA4 OAuth | Netlify function env + local .env |
| GA_PROPERTY_ID | server only | GA4 property for reporting | Netlify function env + local .env |
| RESEND_API_KEY | server only | email-log.js reads Resend | Netlify function env + local .env |

The VITE_ rule
Anything without a VITE_ prefix is server-side only and must never gain
one. The VITE_ prefix tells Vite to inline the value into the public client
bundle. Prefixing a service-role key, Resend key, or Google secret would leak it
to every visitor. The anon key is the only sensitive-looking value that is
meant to be public — RLS + capability RPCs make that safe.
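
A check for the rule above, as an added example that is not part of the project's own code: it audits .env-style text, flags any VITE_-prefixed name outside the three client-bundled variables listed on this page, and flags a bundled key whose JWT role claim is not anon. The JWT-style key format with a role claim, the helper names, and the sample values are assumptions made for illustration.

```javascript
// Added example, not project code: audit .env text against the VITE_ rule.
// Allowlist = the three client-bundled names in this page's variable tables.
const PUBLIC_ALLOWLIST = new Set([
  'VITE_SUPABASE_URL', 'VITE_SUPABASE_ANON_KEY', 'VITE_SUPABASE_SCHEMA',
]);

// Parse KEY=VALUE lines; comments and blanks do not match, quotes are stripped.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.trim().match(/^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$/);
    if (m) vars[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return vars;
}

// Assumption: keys are JWT-style and carry a `role` claim in the payload.
function jwtRole(value) {
  const parts = value.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')).role ?? null;
  } catch {
    return null; // not a decodable JWT
  }
}

// Returns findings; an empty array means the file obeys the rule.
function auditViteEnv(text) {
  const findings = [];
  for (const [name, value] of Object.entries(parseEnv(text))) {
    if (!name.startsWith('VITE_')) continue; // server-side, never bundled
    if (!PUBLIC_ALLOWLIST.has(name)) findings.push(`${name}: not on the public allowlist`);
    const role = jwtRole(value);
    if (role && role !== 'anon') findings.push(`${name}: JWT role "${role}", expected "anon"`);
  }
  return findings;
}

// Constructed, unsigned token for the sample; not a real key.
const fakeJwt = (role) => ['{"alg":"none"}', JSON.stringify({ role }), 'sig']
  .map((part) => Buffer.from(part).toString('base64url')).join('.');
const SAMPLE_ENV = [ // constructed input
  'VITE_SUPABASE_URL=https://example.invalid',
  `VITE_SUPABASE_ANON_KEY=${fakeJwt('service_role')}`, // wrong key pasted in
  'VITE_RESEND_API_KEY=constructed-placeholder',       // server secret given the prefix
  'SUPABASE_SERVICE_ROLE_KEY=constructed-placeholder', // fine: no prefix
].join('\n');
console.log(auditViteEnv(SAMPLE_ENV));
```

Run in CI before the build step, a non-empty result should fail the job so a mis-prefixed secret never reaches the bundle.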

| Location | Holds |
| --- | --- |
| Local .env (gitignored) | Dev copies of all vars for the repo |
| ~/.supabase/access-token | Supabase Management API token (for ad-hoc SQL) |
| GitHub → repo Secrets | CI/CD build + deploy vars |
| Netlify → site env | Runtime + function env per site |
| Netlify accounts API | How staging env vars are set (not via the dashboard) |

One project (ref recorded in CLAUDE.md), region East US / North Virginia, two
PostgREST-exposed schemas: public and staging. Full schema and the security
model: Data model · RPCs & RLS.