From 96e75f781d40fcf7384497613840d984c09b9502 Mon Sep 17 00:00:00 2001 From: Nora Date: Fri, 26 Jun 2026 17:08:36 -0600 Subject: [PATCH] docs(memory): note PERF_TEST_AUTH bypass flag + 2026-06-26 audit The PERF_TEST_AUTH=1 env var was introduced in commit 826f554 and enables the dev_session cookie bypass in production mode. Document it here so future contributors know it exists, why, and that it must never be set in real production. Also point future work at the audit-2026-06-26 report for the 10 remaining unsupported promises. --- MEMORY.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/MEMORY.md b/MEMORY.md index 71eee96..1987e36 100644 --- a/MEMORY.md +++ b/MEMORY.md @@ -2,7 +2,35 @@ This file captures key context, decisions, fixes, and state from recent work so it survives across conversations. -**Last updated:** 2026-06 (admin_users schema fix + migration reliability + Google sign-in work) +**Last updated:** 2026-06 (PERF_TEST_AUTH auth-bypass flag, infra pool/auth tuning, audit-2026-06-26) + +## 2026-06: `PERF_TEST_AUTH=1` enables dev_session bypass in production (USE WITH CARE) + +The flag is honored by **both** `src/lib/admin-permissions.ts` (`getAdminUser()`) +and `src/proxy.ts` (edge middleware). When set to `1`, the `dev_session` +cookie grants `platform_admin` / `brand_admin` / `store_employee` access +**without any Neon Auth session check**, even with `NODE_ENV=production`. + +Purpose: Playwright perf benchmarks against authenticated admin pages +without provisioning a real Neon Auth account. + +**NEVER set `PERF_TEST_AUTH=1` in real production.** Document in the +deploy / hosting env-var dashboard and any incident playbook. The flag +exists so CI/perf environments can short-circuit auth; it is not a +sustained state for production traffic. + +The `src/lib/auth.ts` fast-path wrapper around `getSession()` also +short-circuits when `NEON_AUTH_BASE_URL` is unset/placeholder, which is +the CI build-time value — that path returns `null` (treated as logged-out) +and is safe to leave in production builds. + +## 2026-06: QA promise-audit pass (docs/qa/audit-2026-06-26/) + +Full audit of customer-facing marketing claims vs code reality. See +`docs/qa/audit-2026-06-26/FINAL-REPORT.md` for TL;DR + verified checks +and `PROMISE-AUDIT.md` for the 32-promise inventory. **The high-risk +items were fixed in commit `bb349e4`**; the 10 remaining items need +separate decisions (recommendations in PROPOSE section). ## 2026-06: `admin_users` schema — extra columns for create-user flow (migration 0043)