foolish-bandit adds a demo-mode door into Gary

A build-time flag lets you walk through the UI without a real login - handy for showing off, useless for kicking the tires.

chat-uiinfrastructure

foolish-bandit wired in an opt-in bypass that skips the login screen and seeds a fake demo user, so anyone can poke around the interface without standing up a real auth backend. A thin amber strip across the top makes it obvious you're in pretend mode, and the bypass only activates when a specific build-time flag is set - leave it off and the app behaves exactly as before.

The limits are honest and called out up front: anything that actually talks to the backend will fail, because there's no real session to authorise the call. This is a tour-guide mode, not a sandbox. It's intended for a separate preview deployment, not production, since the flag is baked in when the app is built rather than flipped at runtime.

So what Useful if you're evaluating Gary as a starting point for your own legal-AI product and want to see the UI before committing to infrastructure.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from foolish-bandit/gary, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date

0b9ad4db Add NEXT_PUBLIC_GARY_SKIP_AUTH dev/demo bypass Claude 2026-05-07 ↗ GitHub

SHA	Subject	Author	Date
`0b9ad4db`	Add NEXT_PUBLIC_GARY_SKIP_AUTH dev/demo bypass	Claude	2026-05-07	↗ GitHub
commit body Lets us inspect the app without going through Supabase login during development and on demo deploys. Frontend-only. When NEXT_PUBLIC_GARY_SKIP_AUTH=true: - AuthContext initializes with a fake demo user ({ id: "00000000-...-000", email: "demo@gary.local" }) via lazy useState, so isAuthenticated is true immediately. - The Supabase session check + auth-state-change subscription are skipped (the useEffect bails out after a one-time console.warn). - signOut becomes a no-op so the demo session stays stable. - A slim amber "Dev auth bypass enabled" banner renders at the top of the (pages) layout via the new DevAuthBanner component. - The flag is exposed as `isAuthBypassed` on the auth context so any consumer can branch on it later. When the flag is unset or "false": - useState initializers return null/true, identical to today. - The effect's bypass branch is dead and the original Supabase logic runs unchanged. Login/signup, signOut, and the redirect gate in (pages)/layout.tsx are untouched. Documents the variable in frontend/.env.local.example as commented-out so normal setups stay on real auth. No backend changes, no schema changes, no auth contract changes. Backend calls made while the bypass is on will 401 because no real Supabase session exists - that's intentional and noted in the console warning. https://claude.ai/code/session_019pRkhcGDRKQWHjzAnV5yCL

commit body

Lets us inspect the app without going through Supabase login during
development and on demo deploys. Frontend-only.

When NEXT_PUBLIC_GARY_SKIP_AUTH=true:
- AuthContext initializes with a fake demo user
  ({ id: "00000000-...-000", email: "demo@gary.local" }) via lazy
  useState, so isAuthenticated is true immediately.
- The Supabase session check + auth-state-change subscription are
  skipped (the useEffect bails out after a one-time console.warn).
- signOut becomes a no-op so the demo session stays stable.
- A slim amber "Dev auth bypass enabled" banner renders at the top
  of the (pages) layout via the new DevAuthBanner component.
- The flag is exposed as `isAuthBypassed` on the auth context so
  any consumer can branch on it later.

When the flag is unset or "false":
- useState initializers return null/true, identical to today.
- The effect's bypass branch is dead and the original Supabase
  logic runs unchanged. Login/signup, signOut, and the redirect
  gate in (pages)/layout.tsx are untouched.

Documents the variable in frontend/.env.local.example as
commented-out so normal setups stay on real auth.

No backend changes, no schema changes, no auth contract changes.
Backend calls made while the bypass is on will 401 because no
real Supabase session exists - that's intentional and noted in
the console warning.

https://claude.ai/code/session_019pRkhcGDRKQWHjzAnV5yCL

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-269.md from inside the repo you want the changes in.

⬇ Download capture-thread-269.md