NEXT_PUBLIC_GARY_SKIP_AUTH flag bypasses Supabase login for dev/demo
foolish-bandit added a build-time flag that lets the frontend run as a fake demo user without a real Supabase session. Set `NEXT_PUBLIC_GARY_SKIP_AUTH=true` at build time and `AuthContext` skips the auth flow entirely, seeding a fixed demo identity. An amber banner at the top of the protected layout makes the mode visible.
The implementation is clean for what it is. AuthContext uses lazy useState initializers so the bypass doesn't require a setState inside the effect - the demo user (id: "00000000-0000-0000-0000-000000000000", email demo@gary.local) and authLoading: false are the initial values when SKIP_AUTH is true. The Supabase auth-state-change subscription short-circuits after a one-time console.warn. signOut becomes a no-op. The context exposes isAuthBypassed: boolean so downstream components can react.
The banner - an amber strip reading "Dev auth bypass enabled" rendered by DevAuthBanner - is on by default whenever the flag is active. It uses role="status" and aria-live="polite".
Backend calls still 401 while the bypass is on. There's no Supabase JWT, so any request that requires one will fail. foolish-bandit documents this explicitly in the console warning and in .env.local.example. The intended use is UI inspection, not end-to-end testing.
One thing to watch: NEXT_PUBLIC_* is baked into the client bundle at OpenNext build time. The flag cannot be flipped at runtime on a deployed Worker. foolish-bandit calls this out directly - this should live in a separate preview Worker, not the production deployment. But the gating is a single env-var string comparison, with no NODE_ENV !== "production" guard. Anyone deploying this to production with a misconfigured build pipeline would get an open frontend with no auth challenge.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?