fix: replace hardcoded admin credentials with environment variables

[memosr]

Problem

Admin credentials are hardcoded in lib/supabase/initialize-admin-user.ts:

const adminEmail = "admin@admin.com";
const adminPassword = "123456";

Since this is an open source repository, anyone can read these default credentials and attempt to access admin accounts on deployed instances that haven't changed them.

Fix

- const adminEmail = "admin@admin.com";
- const adminPassword = "123456";
+ const adminEmail = process.env.ADMIN_EMAIL ?? "admin@admin.com";
+ const adminPassword = process.env.INITIAL_ADMIN_PASSWORD;
+ if (!adminPassword) {
+   console.warn("INITIAL_ADMIN_PASSWORD not set, skipping admin user creation.");
+   return;
+ }

Impact

• Security: Admin password no longer exposed in source code
• Risk: Low — additive change, no breaking changes

[Cassxbt]

This changes the setup contract: without INITIAL_ADMIN_PASSWORD, first startup now skips admin user creation entirely.

That behavior is not reflected in the setup docs on this PR head. .env.example still only lists ADMIN_EMAIL, and the README still says the admin account is automatically created with password 123456.

Concrete fix: add INITIAL_ADMIN_PASSWORD to .env.example, include it in the README environment block/table, and update the User Accounts section to say the admin user is created only when INITIAL_ADMIN_PASSWORD is set. Otherwise a new developer can follow the README exactly and end up with no admin account.

[memosr]

yes bro, thanks

All three documentation gaps addressed in 3ef2671

Added INITIAL_ADMIN_PASSWORD to .env.example
Updated the "Getting Started" section to note admin user creation now requires INITIAL_ADMIN_PASSWORD to be set
Updated the "User Accounts" section to remove the hardcoded 123456 reference and document the new setup contract

Now a developer following the README will set both env vars and get an admin account, or see a clear console warning if INITIAL_ADMIN_PASSWORD is missing.