jchan7/mike: full rebrand to Bobby with a hardcoded dev-login bypass
Two commits rename everything from Mike to Bobby across 76 files and switch the package manager from bun to npm. Buried in the first commit is a client-side auth bypass: email `jason@rogo.ai` / password `jasonchan` skips Supabase entirely and stuffs a fake user into `localStorage`.
The rebrand in dbce928e is thorough: MikeMessage, MikeCitationAnnotation, MikeEditAnnotation, MikeFolder, MikeProject, MikeDocument, MikeChat all become Bobby*; mikeApi.ts and mike-icon.tsx are renamed; system prompts change from "You are Mike" to "You are Bobby"; the production URL becomes bobbyoss.com. The large diff count is mostly bun.lock deletion; fb270581 follows three seconds later to regenerate frontend/package-lock.json at 18,080 lines.
The security issue is in frontend/src/app/login/page.tsx. A new conditional checks for jason@rogo.ai / jasonchan and, on match, skips the Supabase auth flow, writes { id: "dev-jason", email: "jason@rogo.ai" } to localStorage["bobby_dev_user"], fires a bobby_dev_user_changed event, and navigates to /assistant. AuthContext.tsx is updated to pick up this key on mount and short-circuit onAuthStateChange for the duration of the session. signOut clears it.
The credentials are plaintext in the repo. Any deployed build of this fork ships with this bypass reachable from the login screen - it's not controlled by an environment variable. The intent reads as local development without a working Supabase configuration, but there is no mechanism to disable it in production.
The bun-to-npm switch has no behavioral effect but generates a large lockfile churn and drops the bun lockfile upstream maintains.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?