admin · setup

Admin setup

Gates and feature flags for the AgentProof staff tier. Customers do not see this page.

Open public-beta readiness →Product intelligence Intelligence ops Pre-beta readiness

Admin config · AGENTPROOF_ADMIN_TOOLS_ENABLED env flag.

Admin · Setup wizard

Live configuration wizard

Every required live configuration item, with state + named variable + exact next action. No environment variable values, secrets, URLs, or anon keys are echoed. Anon key only.

Open /system-health →Open /admin/pilot-readiness →Open /admin/intelligence-ops →

Callback flight recorder

Magic-link callback — last 1 flight

Last success: 2026-05-25T04:33:25.551ZNo failure recorded

1. Reached — code exchange succeeded2026-05-25T04:33:25.551Z
Request host
app.agentproofhq.com
App URL used
https://app.agentproofhq.com
App URL source
env
Code present
yes
Next path requested
(none)
Redirect target
/workspace
Cookies attempted
yes (2 names)
User email
chris.fourie.0000@gmail.com
- Magic-link exchange succeeded. Cookies set: 2. Redirecting to /workspace.

Ring buffer holds the last 16 flights, newest first. Never captures auth code values, access / refresh tokens, cookies, or secrets. Clears on process restart.

App URL foundation

Branded app URL configured — operational

branded canonical

NEXT_PUBLIC_APP_URL is set to the canonical branded host. Product surfaces, magic-link callbacks, and Supabase URL Configuration all use the same branded origin.

Product-facing canonical URL: https://app.agentproofhq.com
Resolved env URL: https://app.agentproofhq.com
Runtime callback origin: https://app.agentproofhq.com
Supabase callback URL (paste this): https://app.agentproofhq.com/auth/callback

Microsoft Entra · redirect URI

OperationalMicrosoft Entra · Redirect URI

Microsoft Entra redirect URI matches the branded canonical

MICROSOFT_REDIRECT_URI exactly matches the canonical Entra allowlist entry. Microsoft will redirect customers back to the branded host, the callback will fire, and tokens will exchange.

Required Redirect URI (paste into Entra)

https://app.agentproofhq.com/api/connectors/microsoft/auth/callback

Currently configured (MICROSOFT_REDIRECT_URI)

https://app.agentproofhq.com/api/connectors/microsoft/auth/callback

Matches canonical?

yes

Callback path (route-derived)

/api/connectors/microsoft/auth/callback

Branded host

app.agentproofhq.com

Production unblock — operator checklist

Production unblock: 4 blockers remain (4 block public beta, 3 block Tranche B).

4 blockers on public beta · 3 blockers on Tranche B (Make Radar Real)

1. Supabase SMTP not configured / not provenOperational

Owner: operator

Exact action: Configure SMTP (host / port / username / password / from address) in Supabase. Then set AGENTPROOF_SUPABASE_SMTP_CONFIGURED=true on Railway and redeploy. Then use R64 Auth Verification Centre to Send-test-magic-link + Verify-current-session round-trip.

Where: Supabase → Authentication → SMTP Settings + Railway → Variables (AGENTPROOF_SUPABASE_SMTP_CONFIGURED)

Verify at: /admin/setup (Auth Verification Centre — Send test magic-link + Verify current session)

🔒 blocks public beta · 🔒 blocks Tranche B

2. R66 A2 — Radar workspace-scope migration not appliedBlocked with exact action

Owner: operator

Exact action: Open Supabase → SQL editor. Paste the contents of migrations/r66_a2_radar_workspace_scope.sql and run it. The migration is idempotent (ADD COLUMN IF NOT EXISTS, CREATE POLICY IF NOT EXISTS).

Where: Supabase → SQL editor ← migrations/r66_a2_radar_workspace_scope.sql

Verify at: /admin/setup (Migration Verification Assistant — Radar workspace scope check)

🔒 blocks public beta · 🔒 blocks Tranche B

3. R66 A3 — missing tables migration not appliedBlocked with exact action

Owner: operator

Exact action: Open Supabase → SQL editor. Paste the contents of migrations/r66_a3_missing_tables.sql and run it. Creates: agentproof_workspace_members, agentproof_workspace_invitations, agentproof_audit_events, agentproof_product_intelligence_backlog. Redefines is_workspace_member() to the real check.

Where: Supabase → SQL editor ← migrations/r66_a3_missing_tables.sql

Verify at: /admin/setup (Migration Verification Assistant — 4 tables + is_workspace_member check)

🔒 blocks public beta · 🔒 blocks Tranche B

4. workspace_members owner row missing or unprovenBlocked with exact action

Owner: operator

Exact action: After A2 + A3 migrations are applied, INSERT exactly one row into agentproof_workspace_members with role='owner' for the first founder/test user. Without this row, the new workspace-scoped Radar RLS refuses all reads + writes.

Where: Supabase → SQL editor (or Table editor → agentproof_workspace_members → Insert row)

Verify at: /admin/setup (Migration Verification Assistant — at least one workspace_members row exists check)

🔒 blocks public beta · 🔒 blocks Tranche B

5. Real magic-link round trip not provenOperational

Owner: operator

Exact action: After Supabase SMTP is configured, open /admin/setup → Auth Verification Centre → click Send test magic-link → click the link in your real inbox → click Verify current session. All 7 auth states should be green.

Where: /admin/setup → R64 Auth Verification Centre (no operator file edit)

Verify at: /admin/setup (Auth Verification Centre — 7 states all green)

🔒 blocks public beta · 🔒 blocks Tranche B

6. Radar live source not enabledNot started

Owner: code team

Exact action: Tranche B5. Set live_fetch_enabled: true on one low-risk source (e.g., openai_usage_policies) in lib/agentproof/radar/radar_source_registry_v3.ts. NOT in R67 scope — Tranche B work.

Where: lib/agentproof/radar/radar_source_registry_v3.ts (code change, not operator action)

Verify at: /admin/setup (Radar Live Fetch Readiness panel — live_fetched_source_count > 0)

🔒 blocks public beta · ✓ does not block Tranche B

📋 Apply R66 A2 — Radar workspace-scope migration

Adds workspace_id to all 9 Radar tables (5 R57 + 4 R43 legacy) and replaces user-scoped RLS with workspace-scoped RLS using the new is_workspace_member() function. Idempotent.

1. Open Supabase → SQL editor on the live deployment.
2. Open the file migrations/r66_a2_radar_workspace_scope.sql from this repo.
3. Paste the entire file into the SQL editor and click Run.
4. Verify on Supabase → Table editor that radar_runs / radar_source_checks / radar_signals / radar_proposals / radar_pack_publications now have a workspace_id column.
5. Return to /admin/setup and check the Migration Verification Assistant — A2 check should report Operational.

📋 Apply R66 A3 — missing tables migration

Creates: agentproof_workspace_members, agentproof_workspace_invitations, agentproof_audit_events, agentproof_product_intelligence_backlog. Redefines is_workspace_member() to do the real membership check. Idempotent.

1. Open Supabase → SQL editor on the live deployment.
2. Open the file migrations/r66_a3_missing_tables.sql from this repo.
3. Paste the entire file into the SQL editor and click Run.
4. Verify on Supabase → Table editor that the 4 new tables exist + each has RLS enabled.
5. Return to /admin/setup and check the Migration Verification Assistant — A3 check should report Operational.

📋 Insert the first workspace_members owner row

Required AFTER A3. Without this row, the new workspace-scoped RLS refuses all Radar reads/writes. Replace the placeholders with your real workspace_id and your auth.users.id.

-- Run in Supabase SQL editor after applying r66_a3_missing_tables.sql.
-- Replace the two placeholder UUIDs with your real values.

INSERT INTO public.agentproof_workspace_members
  (workspace_id, user_id, role)
VALUES
  ('00000000-0000-0000-0000-000000000000'::uuid,  -- ← your workspace UUID
   '00000000-0000-0000-0000-000000000000'::uuid,  -- ← your auth.users.id
   'owner');

1. Find your workspace UUID — Supabase → Table editor → agentproof_workspaces → copy the id of your workspace row. (If empty, create one via /workspace/admin first.)
2. Find your auth.users.id — Supabase → Authentication → Users → click your email → copy User UID.
3. Open Supabase → SQL editor → paste the SQL template above → replace the two UUIDs → click Run.
4. Verify: SELECT * FROM agentproof_workspace_members; should return your row.
5. Return to /admin/setup and check the Migration Verification Assistant — workspace_members owner row check should report Operational.

Migration verification — 9 checks

0/9 Operational

Migration verification: 0/9 Operational, 9 Blocked with exact action.

R66 A2: NOT appliedR66 A3: NOT appliedis_workspace_member real check: not activePublic-beta gate: blocked

1. Radar tables have workspace_id columnsBlocked with exact action

One or more Radar tables missing workspace_id. Likely cause: r66_a2 migration not yet applied.

Missing: workspace_id column on radar_source_checks / radar_signals / radar_proposals / radar_pack_publications / 4 agentproof_radar_* legacy tables

Migration file: migrations/r66_a2_radar_workspace_scope.sql

Exact action: Open Supabase → SQL editor → paste the contents of migrations/r66_a2_radar_workspace_scope.sql → run.

Verify: Run: SELECT column_name FROM information_schema.columns WHERE table_name = 'radar_signals' AND column_name = 'workspace_id'; — should return one row.

2. Radar RLS policies use workspace_id (workspace-scoped)Blocked with exact action

Radar RLS still uses old auth.uid()-only check. Cross-workspace leak possible until r66_a2 is applied.

Missing: Workspace-scoped RLS policies on Radar tables

Migration file: migrations/r66_a2_radar_workspace_scope.sql

Exact action: Apply r66_a2 migration. DROP POLICY IF EXISTS statements + CREATE POLICY statements with public.is_workspace_member(workspace_id) inside are included.

Verify: Run: SELECT policyname FROM pg_policies WHERE tablename = 'radar_runs'; — should include 'radar_runs read own workspace v2'.

3. agentproof_workspace_members table existsBlocked with exact action

Table missing. Until created, is_workspace_member() returns false and all Radar reads/writes are refused.

Missing: Table public.agentproof_workspace_members

Migration file: migrations/r66_a3_missing_tables.sql

Exact action: Apply r66_a3 migration.

Verify: Run: SELECT 1 FROM information_schema.tables WHERE table_name = 'agentproof_workspace_members'; — should return one row.

4. agentproof_workspace_invitations table existsBlocked with exact action

Table missing. Invitations cannot be persisted.

Missing: Table public.agentproof_workspace_invitations

Migration file: migrations/r66_a3_missing_tables.sql

Exact action: Apply r66_a3 migration.

Verify: Run: SELECT 1 FROM information_schema.tables WHERE table_name = 'agentproof_workspace_invitations'; — should return one row.

5. agentproof_audit_events table existsBlocked with exact action

Table missing. Audit log writes silently fall to local fallback.

Missing: Table public.agentproof_audit_events

Migration file: migrations/r66_a3_missing_tables.sql

Exact action: Apply r66_a3 migration.

Verify: Run: SELECT 1 FROM information_schema.tables WHERE table_name = 'agentproof_audit_events'; — should return one row.

6. agentproof_product_intelligence_backlog table existsBlocked with exact action

Table missing. Product intelligence backlog writes silently fall to local fallback.

Missing: Table public.agentproof_product_intelligence_backlog

Migration file: migrations/r66_a3_missing_tables.sql

Exact action: Apply r66_a3 migration.

Verify: Run: SELECT 1 FROM information_schema.tables WHERE table_name = 'agentproof_product_intelligence_backlog'; — should return one row.

7. public.is_workspace_member(uuid) function existsBlocked with exact action

Function missing. Radar RLS will refuse all reads/writes.

Missing: Function public.is_workspace_member(ws_id uuid)

Migration file: migrations/r66_a2_radar_workspace_scope.sql (placeholder) + migrations/r66_a3_missing_tables.sql (real check)

Exact action: Apply both r66_a2 and r66_a3 migrations.

Verify: Run: SELECT 1 FROM pg_proc WHERE proname = 'is_workspace_member'; — should return one row.

8. is_workspace_member() returns true for the active user's own workspaceBlocked with exact action

Function returns false. Either A3 not applied (still placeholder), OR no membership row exists for this user.

Missing: Either A3 migration OR a workspace_members row for the signed-in user

Migration file: migrations/r66_a3_missing_tables.sql + manual INSERT

Exact action: After applying r66_a3, INSERT one row into agentproof_workspace_members (workspace_id, user_id, role='owner') for the current user. See /admin/setup → R67 O1 Production Unblock Checklist → Copy-safe SQL guidance.

Verify: Sign in. Open /admin/setup → R67 O1 Production Unblock Checklist — workspace_members owner row check should report Operational.

9. At least one agentproof_workspace_members row exists for the active userBlocked with exact action

No membership row exists for any user. is_workspace_member() always returns false → Radar reads/writes refused.

Missing: Row in public.agentproof_workspace_members for the active user with role='owner'

Migration file: n/a (data insert, not migration)

Exact action: INSERT INTO public.agentproof_workspace_members (workspace_id, user_id, role) VALUES (<ws-uuid>, <user-uuid>, 'owner'); — see /admin/setup → R67 O1 → Copy-safe SQL guidance.

Verify: Run: SELECT count(*) FROM agentproof_workspace_members WHERE user_id = auth.uid(); — should return >= 1.

Activation verdict

Where is AgentProof right now?

Pilot verification result (R35)

No verification result on record

No pilot verification result on record. Run the one-click verification on /system-health to confirm persistence works end-to-end.

Why pilot verification matters

Pilot verification is the product's own proof that Supabase persistence works end-to-end for the signed-in customer. Every readiness surface consumes the verdict — pilot readiness flips Ready only after this passes.

What it verifies

Supabase session exists for the signed-in customer.
Supabase is configured (URL + anon key) on this deploy.
manual_environments table accepts upsert + read-back.
manual_agents table accepts upsert + read-back.
review_snapshots table accepts upsert + read-back.
report_history table accepts upsert + read-back.

Next action: Open /system-health and click Run pilot verification.

Run pilot verification →

The cached run is a localStorage cache of the/api/system-health/pilot-verification-run endpoint response — never proof on its own. The endpoint return value is the authoritative source.

Setup wizard (R34)

5 critical item(s) are missing. Add the named env vars and redeploy.

2 configured/reachable·6 missing·0 failing·1 disabled

Supabase URL
Missing
Variable name: NEXT_PUBLIC_SUPABASE_URL
Supabase URL env var is not set on this deploy.
Next action: Set the named env var on Railway Variables and redeploy.
Supabase publishable (anon) key
Missing
Variable name: NEXT_PUBLIC_SUPABASE_ANON_KEY
Supabase anon key env var is not set on this deploy.
Next action: Set the named env var on Railway Variables and redeploy. Anon key only — never the service-role key.
Supabase auth enabled
Deferred
Variable name: AGENTPROOF_SUPABASE_AUTH_ENABLED
Supabase auth flag is off.
Next action: Set the named env var to true once Supabase is configured.
AgentProof public app URL
Missing
Variable name: NEXT_PUBLIC_AGENTPROOF_APP_URL
Public app URL env var is not set.
Next action: Set the named env var to the deploy URL (e.g. https://<your-deploy>.up.railway.app).
Radar scheduled public base URL
Missing
Variable name: AGENTPROOF_PUBLIC_BASE_URL
Radar scheduled base URL is not configured. The GitHub Actions workflow + Railway CLI need this to fire live.
Next action: Add the named secret in GitHub Settings → Secrets → Actions (or set it as the Railway env var).
Radar scheduled workflow artefact
Missing
Variable name: .github/workflows/radar-scheduled-run.yml
Workflow file is missing in the repo.
Next action: Restore the file from the R33 commit.
Admin tools enabled
Missing
Variable name: AGENTPROOF_ADMIN_TOOLS_ENABLED
Admin tools are off. Some admin actions will refuse to run.
Next action: Set the named env var to true on Railway Variables.
Demo mode
Configured
Variable name: AGENTPROOF_DEMO_MODE_ENABLED
Demo mode is on (default). The safe sample demo is visible.
Next action: No action — demo defaults to on.
Manual non-Microsoft agent enabled
Configured
Variable name: AGENTPROOF_MANUAL_NON_MICROSOFT_AGENT_ENABLED
Manual non-Microsoft agent flow is on.
Next action: No action.
report_history table reachable
Unknown
Variable name: report_history
Probe has not been run on this request.
Next action: Open /system-health or /api/admin/setup-status.
manual_agents table reachable
Unknown
Variable name: manual_agents
Probe has not been run on this request.
Next action: Open /system-health or /api/admin/setup-status.
review_snapshots table reachable
Unknown
Variable name: review_snapshots
Probe has not been run on this request.
Next action: Open /system-health or /api/admin/setup-status.
manual_environments table reachable
Unknown
Variable name: manual_environments
Probe has not been run on this request.
Next action: Open /system-health or /api/admin/setup-status.
HTTP Basic Auth master switch
Explicitly disabled
Variable name: AGENTPROOF_HTTP_BASIC_AUTH_ENABLED
HTTP Basic Auth is off. Customer routes do not pop up a browser auth dialog.
Next action: No action — keep this flag off for the pilot.

Open System health →Open Intelligence ops →Open Pilot readiness →Open Workspace →Open Reports →

Variable names only. No environment variable values, secrets, URLs, anon keys, JWTs, or service-role values are echoed by this panel or its API. Anon key only.

Magic-link email delivery — warning

smtp configured no login observed yet

SMTP configured · no login round-trip observed yet

Operator has flagged SMTP as configured. No signed-in session has been observed on this request. Login is not blocked — but cannot be proven on this surface until someone signs in.

Exact action: Send a test magic-link to your own email and complete the round-trip. /admin/setup will reflect the result and /workspace will read the same session.

Where: Supabase → Authentication → SMTP Settings

Fallback paths while SMTP is being configured

Open demo / sample — Sample data — never claims real. Lets a tester walk the journey while SMTP is being configured.

Local test access (dev only) — Only available on non-production deployments with AGENTPROOF_ENABLE_LOCAL_TEST_AUTH=true. Uses the safe test workspace.

Auth verification centre — product-side proof

signed out

Auth pipeline ready — no test attempt yet.

Exact next action: Click Send test magic-link below and complete the round-trip. The product will report whether the link sends, the callback runs, the session is created, and the workspace is reached.

1. SMTP configured on Supabase pending

SMTP status: smtp_configured_no_login_observed_yet.

2. Email delivery not rate-limited ok

No rate-limit error observed on the last magic-link attempt.

3. Send test magic-link attempted pending

No magic-link send attempted yet. Use the Send test magic-link action below.

4. Send test magic-link succeeded pending

No successful magic-link send yet.

5. /auth/callback received the code pending

No callback round-trip observed yet. Click the magic link in the email after it arrives.

6. Supabase session created pending

No active session on this request. Complete the magic-link round-trip first.

7. Workspace reached pending

Workspace check pending until a session exists.

Send test magic-link

Action enabled — sends a one-shot test magic link to verify the auth round-trip.

Verify current session

Checks server session, shared access resolver, workspace state, route guard decision. No tokens, cookies, anon keys, or service-role keys are returned.

Last checked: 2026-05-25T04:41:44.325Z

Safe non-production test access — proof

production blocked

Production deployment — staging test access permanently blocked.

Exact next action: No action available on production. Use real magic-link sign-in (Supabase SMTP must be configured).

Disabled by default: yes

The gate requires AGENTPROOF_ENABLE_LOCAL_TEST_AUTH=true. Unset = blocked. This is a hard invariant.

Permanently blocked in production: BLOCKED (NODE_ENV=production)

NODE_ENV=production on this deployment. Local test access is permanently disabled here.

AGENTPROOF_ENABLE_LOCAL_TEST_AUTH flag: (unset)

Operator has NOT enabled the flag. This is the safe default.

NEXT_PUBLIC_APP_URL not a production host: (production host)

Deploy URL looks like a production hostname. Test access is blocked even if the flag is set.

AGENTPROOF_LOCAL_TEST_USER_EMAIL set: (unset)

No test user email — test access cannot sign anyone in even if the flag is on.

AGENTPROOF_LOCAL_TEST_USER_PASSWORD set: (unset)

No test user password — test access cannot sign anyone in even if the flag is on.

Final decision: flag_not_set

AGENTPROOF_ENABLE_LOCAL_TEST_AUTH is not 'true'. Local test access is disabled by default.

Counts as production auth ready: no — never

Staging test access NEVER satisfies the public-beta gate. Production auth ready requires real magic-link sign-in working with a real customer email + SMTP configured.

Staging test access entry point

Staging test access (non-production) — AGENTPROOF_ENABLE_LOCAL_TEST_AUTH is not 'true'. Local test access is disabled by default.

Public-beta separation: Staging test access NEVER satisfies the public-beta gate. Production auth ready requires real magic-link sign-in working end-to-end with a real customer email + Supabase SMTP configured.

Setup activation verdict

blocked

Setup blocked — 1 item to clear in order.

1
Supabase is reachable but the required tables are missing — durability cannot be proven.
Action: Apply migrations/r57_cp2_radar_tables.sql and the workspace + report migrations in Supabase SQL editor.
Owner: operator · Where: Supabase SQL editor

Admin details

Supabase connection: present
Signed-in session detected (via shared resolver): no
Required tables: missing
Auth callback route: present
SMTP: unknown
Radar status: dry_run
Public app URL resolved: yes

Auth live proof

Not proven yet

Access state: signed_out
Signed in: no
Local test access: inactive
Workspace found: no
Workspace ownership valid: no
Supabase configured: yes
Supabase SMTP: unknown
Magic-link route: present
Sign-out route: present
Storage source: supabase
Signed-in email: —
Last checked: 2026-05-25T04:41:44.325Z

Next: Sign in via /auth/sign-in to complete the proof.

Supabase durability — table + migration status

0 durable · 0 missing · 12 RLS-blocked · 0 local fallback · 0 not yet probed. Local fallback NEVER counts as durable.

Entity	State	Table	Migration	Why it matters	Exact next action
Workspace	rls denied signed out	agentproof_workspaces	0007_r45_workspaces.sql	Workspace is the top-level customer container. Without durable workspaces, sign-in does not lead to anything that survives.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Workspace membership	rls denied signed out	agentproof_workspace_members	migrations/r66_a3_missing_tables.sql	Determines who can access which workspace. Without it, RLS cannot enforce per-tenant isolation. R66 A3 created this table and the public.is_workspace_member() function that all Radar RLS depends on.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Workspace invitations	rls denied signed out	agentproof_workspace_invitations	migrations/r66_a3_missing_tables.sql	Token-based workspace invitation lifecycle (pending/accepted/rejected/expired/revoked). Lets the operator invite testers without giving them admin access. R66 A3 closed the missing-migration gap.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Environments	rls denied signed out	agentproof_environments	0007_r45_workspaces.sql	Environments hold the agents under review. Without durable environments, assessments cannot be saved.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Agents	rls denied signed out	agentproof_agents	0007_r45_workspaces.sql	The actual AI agents that AgentProof assesses. Without this table, agents only live in memory.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Assessments / reviews	rls denied signed out	agentproof_assessment_reviews	0009_r46_assessments_and_reports.sql	Captures the customer's answers + AgentProof's scoring. Without durability, the customer loses their work.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Reports	rls denied signed out	agentproof_reports	0009_r46_assessments_and_reports.sql	Generated readiness reports for shareable / printable evidence. Without durability, reports are session-local.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Improvement actions	rls denied signed out	agentproof_improvement_actions	0010_r47_improvements.sql	Backlog of improvement actions tied to a report. Without this, the improvement cycle has no memory.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Radar runs	rls denied signed out	radar_runs	r57_cp2_radar_tables.sql	Persists every radar run + source check evidence so the operating history survives refresh.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Radar signals	rls denied signed out	radar_signals	r57_cp2_radar_tables.sql	Stores candidate signals from radar runs so proposals and impact mapping have evidence to point to.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Product intelligence backlog	rls denied signed out	agentproof_product_intelligence_backlog	migrations/r66_a3_missing_tables.sql	Backlog of product-side proposals derived from radar signals + manual review. Without durability, backlog resets. R66 A3 closed the missing-migration gap.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.
Workspace audit events	rls denied signed out	agentproof_audit_events	migrations/r66_a3_missing_tables.sql	Workspace audit trail: who created which agent, when assessment was submitted, who approved which proposal. Without durability, the audit log is local-only and resets.	Sign in at /auth/sign-in. Once SMTP is configured (see SMTP blocker panel), magic-link sign-in will populate the session cookie and the probe will retry under RLS.

AI Radar — table migration + durability readiness

0/5 durable

0/5 durable · 0 missing · 5 RLS-blocked · 0 local fallback · 0 not yet probed. Local fallback NEVER counts as durable.

Radar runs (radar_runs) rls denied signed out

Persists every Radar run + its source-check evidence so the operating history survives refresh, redeploys, and multi-customer use.