foolish-bandit adds a demo-mode skeleton key

A new env var lets you browse the Gary fork's UI without logging in - handy for demos, dangerous if it ever ships.

securityworkflow

foolish-bandit has wired in a frontend bypass that fakes a logged-in user the moment a single environment variable is flipped on. The login screen disappears, a demo identity loads instantly, and an amber banner across the top of every page reminds you the bypass is live. Sign-out is disabled so the demo session can't be accidentally ended mid-pitch.

The team is upfront that this is cosmetic only: any actual backend call will fail because no real session token exists. It's a "walk a prospect through the screens" tool, not a way to use the product. The bypass is off by default and the variable ships commented out, so a fresh install still hits the real login flow.

The risk worth flagging for anyone borrowing the idea: a public-facing switch that turns auth off is exactly the kind of toggle that gets left on by mistake in a real deployment. Here it is worse than a runtime setting, because NEXT_PUBLIC_ variables are inlined into the browser bundle when Next.js builds, so the bypass is baked into whatever artifact gets promoted, and the unchanged redirect gate in the layout trusts the faked isAuthenticated. The backend still rejects every call, so no stored data leaks through this path, but every screen behind the login becomes browsable by anyone who loads the site.

So what: Useful pattern for anyone running legal-AI demos to non-technical buyers, but a cautionary tale for engineering leads about how easily a demo shortcut can become a production incident.

Commits in this thread

2 commits from foolish-bandit/gary, newest first (the merge commit necessarily postdates the commit it merges). Source extracted verbatim from the harvested git log.

SHA       Subject                                                            Author        Date
ad478709  Merge pull request #11 from foolish-bandit/claude/dev-auth-bypass  Zack Brenner  2026-05-07
          Add NEXT_PUBLIC_GARY_SKIP_AUTH dev/demo bypass
0b9ad4db  Add NEXT_PUBLIC_GARY_SKIP_AUTH dev/demo bypass                     Claude        2026-05-07
commit body
Lets us inspect the app without going through Supabase login during
development and on demo deploys. Frontend-only.

When NEXT_PUBLIC_GARY_SKIP_AUTH=true:
- AuthContext initializes with a fake demo user
  ({ id: "00000000-...-000", email: "demo@gary.local" }) via lazy
  useState, so isAuthenticated is true immediately.
- The Supabase session check + auth-state-change subscription are
  skipped (the useEffect bails out after a one-time console.warn).
- signOut becomes a no-op so the demo session stays stable.
- A slim amber "Dev auth bypass enabled" banner renders at the top
  of the (pages) layout via the new DevAuthBanner component.
- The flag is exposed as `isAuthBypassed` on the auth context so
  any consumer can branch on it later.

When the flag is unset or "false":
- useState initializers return null/true, identical to today.
- The effect's bypass branch is dead and the original Supabase
  logic runs unchanged. Login/signup, signOut, and the redirect
  gate in (pages)/layout.tsx are untouched.

Documents the variable in frontend/.env.local.example as
commented-out so normal setups stay on real auth.

No backend changes, no schema changes, no auth contract changes.
Backend calls made while the bypass is on will 401 because no
real Supabase session exists - that's intentional and noted in
the console warning.

https://claude.ai/code/session_019pRkhcGDRKQWHjzAnV5yCL
