Sign in with a pre-provisioned admin email. The session role is stamped by the custom access token hook, and every privileged action is still re-checked against admin membership rows.