Cimora Studio Admin

Admin session exchange boundary

Operators authenticate through Supabase first, then exchange that identity with the VPS admin API for a short-lived httpOnly admin session. This local slice uses an explicit mock token and never exposes provider keys in the browser.

Session exchange

Local development uses a mock bearer token shaped like admin_123:platform_admin.

idleLocal mock token for backend route tests.