NEXT_PUBLIC_GARY_SKIP_AUTH build-time flag bypasses Supabase login
A single commit adds a frontend-only Supabase auth bypass gated on `NEXT_PUBLIC_GARY_SKIP_AUTH=true`. When set, `AuthContext` skips the auth flow and seeds a fake demo user. An amber banner renders in the protected layout. Backend calls still 401 - the bypass is for UI inspection only.
The mechanism uses lazy useState initializers so no setState runs inside the auth effect. SKIP_AUTH is resolved once at module load time from process.env.NEXT_PUBLIC_GARY_SKIP_AUTH; when true, the initial user state is { id: "00000000-0000-0000-0000-000000000000", email: "demo@gary.local" } and authLoading starts as false. The Supabase subscription and ensure-profile POST are skipped. signOut is a no-op because the "session" is synthetic.
The context exposes isAuthBypassed: boolean. The protected layout ((pages)/layout.tsx) reads it and conditionally renders a DevAuthBanner component - a 21-line amber strip with role="status" - at the top of the page. The variable is commented out in .env.local.example so default installs see real auth.
The catch is worth spelling out clearly. NEXT_PUBLIC_* is baked into the client bundle at build time on Cloudflare Workers via OpenNext. This isn't a runtime toggle - enabling it requires a rebuild. That makes accidental production exposure less likely than a runtime env var, but the only guard is a string comparison against the env value. There's no NODE_ENV !== "production" check. A production build with NEXT_PUBLIC_GARY_SKIP_AUTH=true in the environment would ship a publicly accessible frontend with no login required.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?