easterbrooka/mike: upstream safe-testing guide cherry-picked, service-role key removed from frontend env example

easterbrooka pulled upstream commit adc2cf2 from willchen96/mike to add a local testing guide and, more materially, remove the Supabase service-role key from the frontend environment example file.

securityinfrastructure

The testing guide documents a defensive posture for local development: disposable Supabase projects, spend-capped API keys, synthetic documents rather than real client matter, and checking git status before commits to catch accidentally staged secrets or sample files. Standard hygiene, but worth having written down.

The more concrete change is the deletion of SUPABASE_SECRET_KEY from the frontend .env.example. The service-role key bypasses Supabase row-level security entirely. Having it as a placeholder in a frontend-scoped example file is actively misleading - it suggests to contributors that the frontend needs it, when the key should only ever be present server-side. Removing it from the example treats the file as a security artifact rather than a convenience template.

No new code paths. No runtime behavior changes. The PR merged in about two minutes, consistent with a straightforward cherry-pick of an already-reviewed upstream change.

So what The service-role key deletion is the part worth checking in your own fork. If your `frontend/.env.example` still lists `SUPABASE_SECRET_KEY`, remove it. The testing guide is worth having if you're onboarding contributors, but there's no code to pull.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?