Crossmall

Admin access blocked

Management backend is private

Admin pages are private by default. Configure ADMIN_PAGE_ACCESS_CONTROL behind OIDC/IAM, a trusted gateway, VPN, IP allowlist, or private network before exposing /admin.

Declared control
not configured
Missing
ADMIN_PAGE_ACCESS_CONTROL

`ADMIN_API_TOKEN` is still only a local/staging API smoke fallback. Do not use it as public production admin page authentication.