PR #1: CarbonIQ rebrand, auth removal, and Cloudflare-to-Vercel swap bundled in a self-merge
clapointe-carbonleo landed four commits as a single self-merged PR: a UI reskin under the CarbonIQ brand, a complete auth strip-out, an unrelated SQL addition, and a frontend hosting switch from Cloudflare to Vercel. None of the four changes were individually reviewed before merge.
The auth removal (e6568f87) is the most consequential piece. requireAuth stops verifying tokens and sets every request's user to internal@carbonleo.com. The access helpers in backend/src/lib/access.ts - the owner and shared-with checks - return hardcoded success for every call. The commit message frames this as a temporary state ("for now"), but it was merged to main immediately and the backend access logic was never fully restored in later commits.
The UI refactor (a15cd5a1) touches 70 files and replaces Mike's design tokens with Carbonleo's brand palette. Structurally, components are unchanged. The Cloudflare swap (cbd47b90, 8796dfef) deletes open-next.config.ts and the CF-specific npm scripts, and adds a minimal vercel.json. All four changes landed in the same PR with an empty description and a same-minute merge - typical of a developer self-deploying to an internal instance rather than building something for shared use.
The overall picture is a fork being reshaped for a specific internal deployment, with auth temporarily disabled to unblock that work. Judging the individual pieces: the UI reskin is Carbonleo-specific and not portable as-is; the auth state is a problem if the fork is ever exposed to multiple users; the Vercel switch is a deployment detail.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?