docs(memory): note PERF_TEST_AUTH bypass flag + 2026-06-26 audit

The PERF_TEST_AUTH=1 env var was introduced in commit 826f554 and
enables the dev_session cookie bypass in production mode. Document it
here so future contributors know it exists, why, and that it must never
be set in real production. Also point future work at the audit-2026-06-26
report for the 10 remaining unsupported promises.
This commit is contained in:
Nora
2026-06-26 17:08:36 -06:00
parent 826f554ae1
commit 96e75f781d
+29 -1
View File
@@ -2,7 +2,35 @@
This file captures key context, decisions, fixes, and state from recent work so it survives across conversations.
**Last updated:** 2026-06 (admin_users schema fix + migration reliability + Google sign-in work)
**Last updated:** 2026-06 (PERF_TEST_AUTH auth-bypass flag, infra pool/auth tuning, audit-2026-06-26)
## 2026-06: `PERF_TEST_AUTH=1` enables dev_session bypass in production (USE WITH CARE)
The flag is honored by **both** `src/lib/admin-permissions.ts` (`getAdminUser()`)
and `src/proxy.ts` (edge middleware). When set to `1`, the `dev_session`
cookie grants `platform_admin` / `brand_admin` / `store_employee` access
**without any Neon Auth session check**, even with `NODE_ENV=production`.
Purpose: Playwright perf benchmarks against authenticated admin pages
without provisioning a real Neon Auth account.
**NEVER set `PERF_TEST_AUTH=1` in real production.** Document in the
deploy / hosting env-var dashboard and any incident playbook. The flag
exists so CI/perf environments can short-circuit auth; it is not a
sustained state for production traffic.
The `src/lib/auth.ts` fast-path wrapper around `getSession()` also
short-circuits when `NEON_AUTH_BASE_URL` is unset/placeholder, which is
the CI build-time value — that path returns `null` (treated as logged-out)
and is safe to leave in production builds.
## 2026-06: QA promise-audit pass (docs/qa/audit-2026-06-26/)
Full audit of customer-facing marketing claims vs code reality. See
`docs/qa/audit-2026-06-26/FINAL-REPORT.md` for TL;DR + verified checks
and `PROMISE-AUDIT.md` for the 32-promise inventory. **The high-risk
items were fixed in commit `bb349e4`**; the 10 remaining items need
separate decisions (recommendations in PROPOSE section).
## 2026-06: `admin_users` schema — extra columns for create-user flow (migration 0043)