docs(memory): note PERF_TEST_AUTH bypass flag + 2026-06-26 audit
The PERF_TEST_AUTH=1 env var was introduced in commit 826f554 and
enables the dev_session cookie bypass in production mode. Document it
here so future contributors know it exists, why, and that it must never
be set in real production. Also point future work at the audit-2026-06-26
report for the 10 remaining unsupported promises.
This commit is contained in:
@@ -2,7 +2,35 @@
|
|||||||
|
|
||||||
This file captures key context, decisions, fixes, and state from recent work so it survives across conversations.
|
This file captures key context, decisions, fixes, and state from recent work so it survives across conversations.
|
||||||
|
|
||||||
**Last updated:** 2026-06 (admin_users schema fix + migration reliability + Google sign-in work)
|
**Last updated:** 2026-06 (PERF_TEST_AUTH auth-bypass flag, infra pool/auth tuning, audit-2026-06-26)
|
||||||
|
|
||||||
|
## 2026-06: `PERF_TEST_AUTH=1` enables dev_session bypass in production (USE WITH CARE)
|
||||||
|
|
||||||
|
The flag is honored by **both** `src/lib/admin-permissions.ts` (`getAdminUser()`)
|
||||||
|
and `src/proxy.ts` (edge middleware). When set to `1`, the `dev_session`
|
||||||
|
cookie grants `platform_admin` / `brand_admin` / `store_employee` access
|
||||||
|
**without any Neon Auth session check**, even with `NODE_ENV=production`.
|
||||||
|
|
||||||
|
Purpose: Playwright perf benchmarks against authenticated admin pages
|
||||||
|
without provisioning a real Neon Auth account.
|
||||||
|
|
||||||
|
**NEVER set `PERF_TEST_AUTH=1` in real production.** Document in the
|
||||||
|
deploy / hosting env-var dashboard and any incident playbook. The flag
|
||||||
|
exists so CI/perf environments can short-circuit auth; it is not a
|
||||||
|
sustained state for production traffic.
|
||||||
|
|
||||||
|
The `src/lib/auth.ts` fast-path wrapper around `getSession()` also
|
||||||
|
short-circuits when `NEON_AUTH_BASE_URL` is unset/placeholder, which is
|
||||||
|
the CI build-time value — that path returns `null` (treated as logged-out)
|
||||||
|
and is safe to leave in production builds.
|
||||||
|
|
||||||
|
## 2026-06: QA promise-audit pass (docs/qa/audit-2026-06-26/)
|
||||||
|
|
||||||
|
Full audit of customer-facing marketing claims vs code reality. See
|
||||||
|
`docs/qa/audit-2026-06-26/FINAL-REPORT.md` for TL;DR + verified checks
|
||||||
|
and `PROMISE-AUDIT.md` for the 32-promise inventory. **The high-risk
|
||||||
|
items were fixed in commit `bb349e4`**; the 10 remaining items need
|
||||||
|
separate decisions (recommendations in PROPOSE section).
|
||||||
|
|
||||||
## 2026-06: `admin_users` schema — extra columns for create-user flow (migration 0043)
|
## 2026-06: `admin_users` schema — extra columns for create-user flow (migration 0043)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user