Skip to main content
Authoritative sources: the branch ↔ Vercel ↔ Supabase mapping lives in supabase/config.toml and VERCEL_SUPABASE_ENV_ALIGNMENT.md. Frontend Supabase credentials are baked at build time by vite.config.ts (keyed off the VERCEL_PROJECT_ID system variable) — they are not regenerated by Lovable and not taken from user-defined Vercel env vars (CI guards this via npm run check:no-vercel-env-config). This file is a human-readable reference; if it disagrees with config.toml/vite.config.ts, those win.
PHI guardrail: node-side code (RLS/integration tests, CLI, agents) hard-fails when its resolved Supabase URL is the prod project, unless ALLOW_PROD=1 is set deliberately — enforced by scripts/database/supabase-tier.ts and the static npm run check:no-prod-refs guard. Design: 2026-06-01-environment-consistency-design.md. Node-side .env.local template: env.local.example.

Quick Reference

The development branch is the working default and pairs with the dev project. The Lovable encore_builder project is used by the Lovable editor only and is not a deployment target for the app.

How frontend credentials are resolved

There is no .env-driven switch and no Lovable client regeneration step. vite.config.ts maps VERCEL_PROJECT_ID → Supabase target and inlines the URL + publishable key as build-time defines for both npm run dev and production builds: Because of this, a plain npm run dev / build / preview / test:e2e already points at the dev project with no secrets required. src/integrations/supabase/client.ts reads import.meta.env.VITE_SUPABASE_URL / VITE_SUPABASE_PUBLISHABLE_KEY, which Vite has replaced with the baked values.

When .env.local matters

.env.local (gitignored) is only needed for node-side consumers that read process.env directly — RLS tests, integration tests, and CLI/scripts — or to point a local dev server at a non-default project. Generate it via bash scripts/setup/web-env-setup.sh (see also VERCEL_SUPABASE_ENV_ALIGNMENT.md).

Environment Credentials

Publishable / anon keys are client-safe and ship in the bundle; treat them as public. The service-role key bypasses RLS — never commit it; provide it only as an environment secret when RLS/integration tests need it.

Dev (encore_os_dev)

Dashboard: https://supabase.com/dashboard/project/anuwknikgsijbameytzr

Production (encore_os_prod)

⚠️ Live data and real PHI. Do not point local/test sessions here without a reason.
Dashboard: https://supabase.com/dashboard/project/aximlomrwfuhctxjhrsf

Supabase CLI: linking to a remote

supabase/config.toml defines [remotes.dev] (anuwknikgsijbameytzr) and [remotes.production] (aximlomrwfuhctxjhrsf). Link with:
See SUPABASE_MULTI_ENV_SETUP.md for the full multi-environment runbook and MCP_MULTI_PROJECT_SETUP.md for MCP project scoping.

Environment Purposes