Issue

The project has at least 3 separate Supabase client configurations with inconsistent usage:

1. src/lib/supabase.ts - createBrowserClient (shared, with debug code)
2. src/lib/supabase-admin.ts - createClient with service role key
3. src/utils/supabase/server.ts - createServerClient
4. src/utils/supabase/client.ts - Another browser client
5. src/utils/supabase/authActions.ts - Auth-specific client

Why this matters

1. Debug code left in production - supabase.ts:16-19:

   supabase.auth.getSession().then(res => {
    console.log("📦 [supabase.ts] Initial session:", res);
   }).catch(err => {
    console.error("❌ [supabase.ts] Session fetch error:", err);
   });

   This runs every time the module is imported - on every page load, logging session data to the console.

2. Potential for service role key leaks - If supabase-admin.ts is ever imported on the client side (even accidentally), the SUPABASE_SERVICE_ROLE_KEY would be exposed to the browser, giving full database admin access.

3. Inconsistent session handling - Different parts of the app use different client instances, which may have different cookie/session states.

Fix

1. Remove the debug getSession() code from supabase.ts
2. Ensure supabase-admin.ts is only imported in server-side code (use if (typeof window === 'undefined') guard or move to a server-only directory)
3. Consolidate to a single client factory pattern