chore: add dev-only auth bypass for frontend testing #885
Walkthrough

Introduces a dev-only auth bypass gated by the environment flag `VITE_DEV_AUTH_BYPASS` combined with the Vite dev-mode check `import.meta.env.DEV`. When enabled, the app initializes with a fixed bypass token, a hardcoded user, and marks setup as complete (skipping normal localStorage token checks and initial setup fetch). Adds exported `IS_DEV_AUTH_BYPASS` and adjusts 401 response handling to avoid automatic logout/redirect when the bypass is active.

Pre-merge checks: 2 passed, 1 failed (warning).
Code Review
This pull request introduces a development-only authentication and setup bypass mechanism, enabling local development without a backend by setting the VITE_DEV_AUTH_BYPASS environment variable. The implementation updates the auth and setup stores to inject a fake user and token when the bypass is active. Review feedback highlights that the logic for detecting the bypass state is duplicated across multiple files and should be extracted into a shared utility module to improve maintainability.
web/src/stores/auth.ts (outdated)

```ts
// Dev-only fake user for bypassing auth when no backend is running.
// Active only when VITE_DEV_AUTH_BYPASS=true AND import.meta.env.DEV.
const DEV_AUTH_BYPASS = import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true'
```
The logic for determining if the dev auth bypass is active is duplicated in web/src/stores/setup.ts. To improve maintainability and ensure consistency, consider extracting this logic into a shared utility file.
For example, you could create a file src/utils/dev.ts:

```ts
// src/utils/dev.ts
export const IS_DEV_AUTH_BYPASS = import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true';
```

Then, you can import and use this constant in both auth.ts and setup.ts.
web/src/stores/setup.ts (outdated)

```ts
}

// Dev-only: skip setup check when auth bypass is active
const DEV_SETUP_BYPASS = import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true'
```
This logic for determining if the dev auth bypass is active is also present in web/src/stores/auth.ts. To avoid duplication and improve maintainability, this logic should be extracted into a shared utility module.
For example, you could create a file src/utils/dev.ts:

```ts
// src/utils/dev.ts
export const IS_DEV_AUTH_BYPASS = import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true';
```

Then, you can import and use this constant here and in auth.ts.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Snapshot warnings: ensure that dependencies are being submitted on PR branches; re-running this action after a short time may resolve the issue. Scanned files: none.
Actionable comments posted: 2
📒 Files selected for processing (3): web/.env.example, web/src/stores/auth.ts, web/src/stores/setup.ts
🔇 Additional comments (2)

web/.env.example (1)

3-6: Clear and safe dev-bypass documentation. This is explicit about scope (`npm run dev` + `import.meta.env.DEV`) and helps prevent accidental misuse.

web/src/stores/auth.ts (1)

55-55: Bypass bootstrap path is internally consistent. Line 55 and Line 113 correctly initialize token and user together, which avoids auth-guard validation churn in dev bypass mode.
Also applies to: 113-113
web/src/stores/auth.ts (outdated)

```ts
const DEV_USER: UserInfoResponse | null = DEV_AUTH_BYPASS
  ? { id: 'dev-user', username: 'developer', role: 'ceo', must_change_password: false }
  : null
```
Avoid hardcoding the dev bypass user to highest privilege (ceo).
Line 51 forces canWrite=true paths for all bypass sessions, which can hide role-gating regressions (see web/src/hooks/useAuth.ts and web/src/utils/constants.ts). Prefer a least-privilege default (observer) with optional env override.
Proposed fix
const DEV_AUTH_BYPASS = import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true'
+const DEV_BYPASS_ROLE: HumanRole =
+ (import.meta.env.VITE_DEV_AUTH_BYPASS_ROLE as HumanRole | undefined) ?? 'observer'
const DEV_USER: UserInfoResponse | null = DEV_AUTH_BYPASS
- ? { id: 'dev-user', username: 'developer', role: 'ceo', must_change_password: false }
+ ? { id: 'dev-user', username: 'developer', role: DEV_BYPASS_ROLE, must_change_password: false }
: null📝 Committable suggestion
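Review bot: the `+const DEV_BYPASS_ROLE: HumanRole =` line casts the raw env string with `as HumanRole | undefined`, so any value of `VITE_DEV_AUTH_BYPASS_ROLE` is accepted as a role without validation, and `??` only falls back to `'observer'` for undefined, not for an empty string left behind in a .env file. Suggest reading the variable into a plain string, checking membership in the known role list, and falling back to `'observer'` otherwise, so a typo cannot produce an unknown role at runtime.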
web/src/stores/setup.ts (outdated)

```diff
+// Dev-only: skip setup check when auth bypass is active
+const DEV_SETUP_BYPASS = import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true'

 export const useSetupStore = create<SetupState>()((set, get) => ({
-  setupComplete: null,
+  setupComplete: DEV_SETUP_BYPASS ? true : null,
```
🧹 Nitpick | 🔵 Trivial
Centralize the dev-bypass flag to avoid drift between stores.
import.meta.env.DEV && import.meta.env.VITE_DEV_AUTH_BYPASS === 'true' is now duplicated in both web/src/stores/setup.ts and web/src/stores/auth.ts. A shared helper (e.g., web/src/config/devFlags.ts) will prevent future divergence where one store bypasses and the other does not.
Caution: some comments are outside the diff and can't be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

web/src/stores/auth.ts (1)

53-64: 🧹 Nitpick | 🔵 Trivial
Document the expected dev workflow to avoid confusion with API calls.
When bypass is active, `getInitialToken()` returns `'dev-bypass-token'`. If any component triggers an API call (e.g., an explicit `fetchUser()` call, or a data-fetching hook), the backend will return 401 and the response interceptor in `api/client.ts` will call `logout()`, clearing auth state and redirecting to `/login`. Consider adding a comment or console warning in dev mode to clarify that the bypass is for UI-only testing without backend calls.
Optional: Add dev-mode warning
function getInitialToken(): string | null { - if (IS_DEV_AUTH_BYPASS) return 'dev-bypass-token' + if (IS_DEV_AUTH_BYPASS) { + // Note: This fake token will cause 401 if any API call hits the backend. + // The bypass is intended for UI-only testing without a running backend. + return 'dev-bypass-token' + } const storedToken = localStorage.getItem('auth_token')🤖 Prompt for AI Agents
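Review bot: the hunk only adds a comment inside `+ if (IS_DEV_AUTH_BYPASS) {`, while the heading promises a dev-mode warning; a `console.warn(...)` gated by the same condition, placed before `+ return 'dev-bypass-token'`, would make the UI-only scope visible at runtime rather than only in source, which is what the comment text itself says the reader needs to know.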
📒 Files selected for processing (3): web/src/stores/auth.ts, web/src/stores/setup.ts, web/src/utils/dev.ts
🔇 Additional comments (6)

web/src/stores/auth.ts (3)

48-51: Avoid hardcoding the dev bypass user to highest privilege (ceo). The hardcoded `role: 'ceo'` grants `canWrite=true` for all bypass sessions (per `useAuth.ts` and `WRITE_ROLES` in `constants.ts`), which can mask role-gating regressions during development. Prefer a least-privilege default (e.g., `'observer'`) with an optional env override.
Proposed fix from prior review
+const DEV_BYPASS_ROLE: HumanRole = + (import.meta.env.VITE_DEV_AUTH_BYPASS_ROLE as HumanRole | undefined) ?? 'observer' + const DEV_USER: UserInfoResponse | null = IS_DEV_AUTH_BYPASS - ? { id: 'dev-user', username: 'developer', role: 'ceo', must_change_password: false } + ? { id: 'dev-user', username: 'developer', role: DEV_BYPASS_ROLE, must_change_password: false } : null
11-11: LGTM! Good use of the centralized `IS_DEV_AUTH_BYPASS` constant from `utils/dev.ts`.

110-114: LGTM! Initial state correctly uses `DEV_USER` when bypass is enabled, allowing immediate access to protected routes without waiting for `fetchUser()`.

web/src/utils/dev.ts (1)

1-10: LGTM! Clean centralization of the dev-bypass flag. The double-gating (`import.meta.env.DEV` + env var check) and strict equality against `'true'` correctly prevent accidental production activation. This addresses the previous review feedback about flag duplication.

web/src/stores/setup.ts (2)

3-3: LGTM! Good use of the centralized `IS_DEV_AUTH_BYPASS` constant, addressing the prior feedback about duplication.

14-15: LGTM! Setting `setupComplete: true` when bypass is active correctly prevents `SetupGuard` from triggering `fetchSetupStatus()` and allows immediate access to protected routes. This aligns well with the auth store bypass behavior.
Add VITE_DEV_AUTH_BYPASS env var that injects a fake token and user when running the dev server without a backend. Bypasses both AuthGuard and SetupGuard so all pages are accessible. Only active when import.meta.env.DEV is true -- never affects production builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address Gemini review finding: duplicated IS_DEV_AUTH_BYPASS logic in auth.ts and setup.ts extracted to a single shared constant. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
6ccc850 to a6373e3
Actionable comments posted: 1
♻️ Duplicate comments (1)

web/src/stores/auth.ts (1)

49-51: ⚠️ Potential issue | 🟠 Major
Use least-privilege role for dev bypass user (not ceo).
Line 50 still hardcodes the highest-privilege role, which can mask role-gating bugs during frontend testing. Default to a low-privilege role and allow explicit env override when needed.
Proposed fix
const DEV_USER: UserInfoResponse | null = IS_DEV_AUTH_BYPASS - ? { id: 'dev-user', username: 'developer', role: 'ceo', must_change_password: false } + ? { + id: 'dev-user', + username: 'developer', + role: (import.meta.env.VITE_DEV_AUTH_BYPASS_ROLE as HumanRole | undefined) ?? 'observer', + must_change_password: false, + } : null🤖 Prompt for AI Agents
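Review bot: the inlined `+ role: (import.meta.env.VITE_DEV_AUTH_BYPASS_ROLE as HumanRole | undefined) ?? 'observer',` still performs no validation of the env value and lets an empty string through `??` unchanged; suggest checking the value against the allowed roles before assigning it and falling back to `'observer'` for anything unrecognised.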
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@web/src/stores/auth.ts`:
- Around line 54-58: The current UI-only bypass returns a synthetic
'dev-bypass-token' (IS_DEV_AUTH_BYPASS) but isn't integrated with the persisted
token/interceptor flow, causing stale-token leakage and immediate teardown on
the first 401; fix by: when IS_DEV_AUTH_BYPASS is true, write the same bypass
token into the app's persisted auth state/storage used by the API layer (the
same setter or key used by your auth store/getToken logic) instead of only
returning a literal, and update the response/401 handler in
web/src/api/client.ts (the response interceptor that clears auth on 401) to skip
clearing or logging out if IS_DEV_AUTH_BYPASS is active so the dev bypass
remains stable. Ensure you reference and reuse the auth store methods (token
setter/getter) and guard the 401 cleanup with IS_DEV_AUTH_BYPASS.
📒 Files selected for processing (4): web/.env.example, web/src/stores/auth.ts, web/src/stores/setup.ts, web/src/utils/dev.ts
🔇 Additional comments (3)

web/.env.example (1)

3-6: Dev bypass env docs look clear and appropriately scoped. The comments correctly communicate dev-only behavior and expected usage.

web/src/utils/dev.ts (1)

9-10: Good centralization of the dev-auth bypass flag. Single-source gating here reduces divergence risk across auth/setup stores.

web/src/stores/setup.ts (1)

3-15: Nice follow-through on shared bypass flag usage in setup store. This resolves prior duplication risk and keeps auth/setup bypass behavior consistent.
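The double-gated bypass flag, the least-privilege role override raised in review, and the 401 interceptor decision, modelled as pure functions over an env record so each gate can be unit-tested. This is an added example, not code from the PR or the synthorg project; the `DevEnv` record, the function names, and the two-role `HUMAN_ROLES` list are assumptions standing in for `import.meta.env` and the project's `HumanRole` type.

```typescript
// Added example (not the project's code). The app would build a DevEnv from
// import.meta.env in utils/dev.ts; here it is a plain record so tests can vary it.

// Roles assumed for illustration; the page names only 'ceo' and 'observer'.
export const HUMAN_ROLES = ['ceo', 'observer'] as const
export type HumanRole = (typeof HUMAN_ROLES)[number]
export const LEAST_PRIVILEGE_ROLE: HumanRole = 'observer'

// Minimal shape of the Vite env the bypass depends on (assumed names).
export interface DevEnv {
  DEV: boolean
  VITE_DEV_AUTH_BYPASS?: string
  VITE_DEV_AUTH_BYPASS_ROLE?: string // optional override proposed in review
}

export interface UserInfoResponse {
  id: string
  username: string
  role: HumanRole
  must_change_password: boolean
}

export const DEV_BYPASS_TOKEN = 'dev-bypass-token'

// Double gate: Vite dev mode AND the literal string 'true'. Strict equality
// means 'TRUE', '1' or 'yes' do not enable the bypass, and a production build
// (DEV === false) never does, whatever the .env contains.
export function isDevAuthBypass(env: DevEnv): boolean {
  return env.DEV === true && env.VITE_DEV_AUTH_BYPASS === 'true'
}

// Least-privilege default with a validated override. Unknown values and the
// empty string (which a bare `??` would accept) both fall back to 'observer',
// so a typo in .env cannot silently grant canWrite.
export function resolveDevBypassRole(env: DevEnv): HumanRole {
  const raw = env.VITE_DEV_AUTH_BYPASS_ROLE
  return (HUMAN_ROLES as readonly string[]).includes(raw ?? '')
    ? (raw as HumanRole)
    : LEAST_PRIVILEGE_ROLE
}

// The token/user pair the auth store bootstraps with, or null when the bypass
// is off so the normal localStorage token path runs instead.
export function devBypassSession(
  env: DevEnv,
): { token: string; user: UserInfoResponse } | null {
  if (!isDevAuthBypass(env)) return null
  return {
    token: DEV_BYPASS_TOKEN,
    user: {
      id: 'dev-user',
      username: 'developer',
      role: resolveDevBypassRole(env),
      must_change_password: false,
    },
  }
}

// Decision the response interceptor makes. A 401 normally clears auth state and
// redirects to /login; with the bypass active there is no backend, so the first
// API call would tear the session down, and the cleanup is skipped instead.
export function shouldClearAuthOn401(status: number, env: DevEnv): boolean {
  return status === 401 && !isDevAuthBypass(env)
}
```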
Prevents the response interceptor from clearing the fake token and redirecting to login on every API call when no backend is running. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🤖 I have created a release *beep* *boop*

---

#MAJOR CHANGES; We got a somewhat working webui :)

## [0.5.0](v0.4.9...v0.5.0) (2026-03-30)

### Features

* add analytics trends and budget forecast API endpoints ([#798](#798)) ([16b61f5](16b61f5))
* add department policies to default templates ([#852](#852)) ([7a41548](7a41548))
* add remaining activity event types (task_started, tool_used, delegation, cost_incurred) ([#832](#832)) ([4252fac](4252fac))
* agent performance, activity, and history API endpoints ([#811](#811)) ([9b75c1d](9b75c1d))
* Agent Profiles and Detail pages (biography, career, performance) ([#874](#874)) ([62d7880](62d7880))
* app shell, Storybook, and CI/CD pipeline ([#819](#819)) ([d4dde90](d4dde90))
* Approvals page with risk grouping, urgency indicators, batch actions ([#889](#889)) ([4e9673d](4e9673d))
* Budget Panel page (P&L dashboard, breakdown charts, forecast) ([#890](#890)) ([b63b0f1](b63b0f1))
* build infrastructure layer (API client, auth, WebSocket) ([#815](#815)) ([9f01d3e](9f01d3e))
* CLI global options infrastructure, UI modes, exit codes, env vars ([#891](#891)) ([fef4fc5](fef4fc5))
* CodeMirror editor and theme preferences toggle ([#905](#905), [#807](#807)) ([#909](#909)) ([41fbedc](41fbedc))
* Company page (department/agent management) ([#888](#888)) ([cfb88b0](cfb88b0))
* comprehensive hint coverage across all CLI commands ([#900](#900)) ([937974e](937974e))
* config system extensions, per-command flags for init/start/stop/status/logs ([#895](#895)) ([32f83fe](32f83fe))
* configurable currency system replacing hardcoded USD ([#854](#854)) ([b372551](b372551))
* Dashboard page (metric cards, activity feed, budget burn) ([#861](#861)) ([7d519d5](7d519d5))
* department health, provider status, and activity feed endpoints ([#818](#818)) ([6d5f196](6d5f196))
* design tokens and core UI components ([#833](#833)) ([ed887f2](ed887f2))
* extend approval, meeting, and budget API responses ([#834](#834)) ([31472bf](31472bf))
* frontend polish -- real-time UX, accessibility, responsive, performance ([#790](#790), [#792](#792), [#791](#791), [#793](#793)) ([#917](#917)) ([f04a537](f04a537))
* implement human roles and access control levels ([#856](#856)) ([d6d8a06](d6d8a06))
* implement semantic conflict detection in workspace merge ([#860](#860)) ([d97283b](d97283b))
* interaction components and animation patterns ([#853](#853)) ([82d4b01](82d4b01))
* Login page + first-run bootstrap + Company page ([#789](#789), [#888](#888)) ([#896](#896)) ([8758e8d](8758e8d))
* Meetings page with timeline viz, token bars, contribution formatting ([#788](#788)) ([#904](#904)) ([b207f46](b207f46))
* Messages page with threading, channel badges, sender indicators ([#787](#787)) ([#903](#903)) ([28293ad](28293ad))
* Org Chart force-directed view and drag-drop reassignment ([#872](#872), [#873](#873)) ([#912](#912)) ([a68a938](a68a938))
* Org Chart page (living nodes, status, CRUD, department health) ([#870](#870)) ([0acbdae](0acbdae))
* per-command flags for remaining commands, auto-behavior wiring, help/discoverability ([#897](#897)) ([3f7afa2](3f7afa2))
* Providers page with backend rework -- health, CRUD, subscription auth ([#893](#893)) ([9f8dd98](9f8dd98))
* scaffold React + Vite + TypeScript + Tailwind project ([#799](#799)) ([bd151aa](bd151aa))
* Settings page with search, dependency indicators, grouped rendering ([#784](#784)) ([#902](#902)) ([a7b9870](a7b9870))
* Setup Wizard rebuild with template comparison, cost estimator, theme customization ([#879](#879)) ([ae8b50b](ae8b50b))
* setup wizard UX -- template filters, card metadata, provider form reuse ([#910](#910)) ([7f04676](7f04676))
* setup wizard UX overhaul -- mode choice, step reorder, provider fixes ([#907](#907)) ([ee964c4](ee964c4))
* structured ModelRequirement in template agent configs ([#795](#795)) ([7433548](7433548))
* Task Board page (rich Kanban, filtering, dependency viz) ([#871](#871)) ([04a19b0](04a19b0))

### Bug Fixes

* align frontend types with backend and debounce WS refetches ([#916](#916)) ([134c11b](134c11b))
* auto-cleanup targets newly pulled images instead of old ones ([#884](#884)) ([50e6591](50e6591))
* correct wipe backup-skip flow and harden error handling ([#808](#808)) ([c05860f](c05860f))
* improve provider setup in wizard, subscription auth, dashboard bugs ([#914](#914)) ([87bf8e6](87bf8e6))
* improve update channel detection and add config get command ([#814](#814)) ([6b137f0](6b137f0))
* resolve all ESLint warnings, add zero-warnings enforcement ([#899](#899)) ([079b46a](079b46a))
* subscription auth uses api_key, base URL optional for cloud providers ([#915](#915)) ([f0098dd](f0098dd))

### Refactoring

* semantic analyzer cleanup -- shared filtering, concurrency, extraction ([#908](#908)) ([81372bf](81372bf))

### Documentation

* brand identity and UX design system from [#765](#765) exploration ([#804](#804)) ([389a9f4](389a9f4))
* page structure and information architecture for v0.5.0 dashboard ([#809](#809)) ([f8d6d4a](f8d6d4a))
* write UX design guidelines with WCAG-verified color system ([#816](#816)) ([4a4594e](4a4594e))

### Tests

* add unit tests for agent hooks and page components ([#875](#875)) ([#901](#901)) ([1d81546](1d81546))

### CI/CD

* bump actions/deploy-pages from 4.0.5 to 5.0.0 in the major group ([#831](#831)) ([01c19de](01c19de))
* bump astral-sh/setup-uv from 7.6.0 to 8.0.0 in /.github/actions/setup-python-uv in the all group ([#920](#920)) ([5f6ba54](5f6ba54))
* bump codecov/codecov-action from 5.5.3 to 6.0.0 in the major group ([#868](#868)) ([f22a181](f22a181))
* bump github/codeql-action from 4.34.1 to 4.35.0 in the all group ([#883](#883)) ([87a4890](87a4890))
* bump sigstore/cosign-installer from 4.1.0 to 4.1.1 in the minor-and-patch group ([#830](#830)) ([7a69050](7a69050))
* bump the all group with 3 updates ([#923](#923)) ([ff27c8e](ff27c8e))
* bump wrangler from 4.76.0 to 4.77.0 in /.github in the minor-and-patch group ([#822](#822)) ([07d43eb](07d43eb))
* bump wrangler from 4.77.0 to 4.78.0 in /.github in the all group ([#882](#882)) ([f84118d](f84118d))

### Maintenance

* add design system enforcement hook and component inventory ([#846](#846)) ([15abc43](15abc43))
* add dev-only auth bypass for frontend testing ([#885](#885)) ([6cdcd8a](6cdcd8a))
* add pre-push rebase check hook ([#855](#855)) ([b637a04](b637a04))
* backend hardening -- eviction/size-caps and model validation ([#911](#911)) ([81253d9](81253d9))
* bump axios from 1.13.6 to 1.14.0 in /web in the all group across 1 directory ([#922](#922)) ([b1b0232](b1b0232))
* bump brace-expansion from 5.0.4 to 5.0.5 in /web ([#862](#862)) ([ba4a565](ba4a565))
* bump eslint-plugin-react-refresh from 0.4.26 to 0.5.2 in /web ([#801](#801)) ([7574bb5](7574bb5))
* bump faker from 40.11.0 to 40.11.1 in the minor-and-patch group ([#803](#803)) ([14d322e](14d322e))
* bump https://github.com/astral-sh/ruff-pre-commit from v0.15.7 to 0.15.8 ([#864](#864)) ([f52901e](f52901e))
* bump nginxinc/nginx-unprivileged from `6582a34` to `f99cc61` in /docker/web in the all group ([#919](#919)) ([df85e4f](df85e4f))
* bump nginxinc/nginx-unprivileged from `ccbac1a` to `6582a34` in /docker/web ([#800](#800)) ([f4e9450](f4e9450))
* bump node from `44bcbf4` to `71be405` in /docker/sandbox ([#827](#827)) ([91bec67](91bec67))
* bump node from `5209bca` to `cf38e1f` in /docker/web ([#863](#863)) ([66d6043](66d6043))
* bump picomatch in /site ([#842](#842)) ([5f20bcc](5f20bcc))
* bump recharts 2->3 and @types/node 22->25 in /web ([#802](#802)) ([a908800](a908800))
* Bump requests from 2.32.5 to 2.33.0 ([#843](#843)) ([41daf69](41daf69))
* bump smol-toml from 1.6.0 to 1.6.1 in /site ([#826](#826)) ([3e5dbe4](3e5dbe4))
* bump the all group with 3 updates ([#921](#921)) ([7bace0b](7bace0b))
* bump the minor-and-patch group across 1 directory with 2 updates ([#829](#829)) ([93e611f](93e611f))
* bump the minor-and-patch group across 1 directory with 3 updates ([#841](#841))
([7010c8e](7010c8e)) * bump the minor-and-patch group across 1 directory with 3 updates ([#869](#869)) ([548cee5](548cee5)) * bump the minor-and-patch group in /site with 2 updates ([#865](#865)) ([9558101](9558101)) * bump the minor-and-patch group with 2 updates ([#867](#867)) ([4830706](4830706)) * consolidate Dependabot groups to 1 PR per ecosystem ([06d2556](06d2556)) * consolidate Dependabot groups to 1 PR per ecosystem ([#881](#881)) ([06d2556](06d2556)) * improve worktree skill with full dep sync and status enhancements ([#906](#906)) ([772c625](772c625)) * remove Vue remnants and document framework decision ([#851](#851)) ([bf2adf6](bf2adf6)) * update web dependencies and fix brace-expansion CVE ([#880](#880)) ([a7a0ed6](a7a0ed6)) * upgrade to Storybook 10 and TypeScript 6 ([#845](#845)) ([52d95f2](52d95f2)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary

* `VITE_DEV_AUTH_BYPASS=true` env var that bypasses AuthGuard and SetupGuard in dev mode
* `import.meta.env.DEV` is true -- production builds are unaffected
* `.env` is gitignored; `.env.example` documents the option

How to use

Test plan

* `.env` is gitignored

🤖 Generated with Claude Code
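The gate the description refers to, as an added TypeScript example that is not the project's own code: the bypass decision is computed once from the two Vite values, the initial auth state is derived from it, and a 401 handler consults it so the dev session is not logged out. `ViteEnv`, `initialAuthState` and `onUnauthorized` are hypothetical names, and the fixed token and user are constructed stand-ins.

```typescript
// Added example (not the project's code). Shape of the two Vite env values
// the gate reads; `import.meta.env` is passed in so the logic is testable.
interface ViteEnv {
  DEV: boolean;                  // true only under `vite dev`, false in a build
  VITE_DEV_AUTH_BYPASS?: string; // raw string from .env; undefined when unset
}

interface AuthState {
  token: string | null;
  user: { id: string; name: string } | null;
  setupComplete: boolean;
}

// Single shared predicate (the review asked for this to live in one module).
// Both conditions must hold: the env flag alone never enables the bypass,
// so a stray VITE_DEV_AUTH_BYPASS=true in a production build is inert.
// The comparison is an exact string match, so 'TRUE' or '1' do not count.
function isDevAuthBypass(env: ViteEnv): boolean {
  return env.DEV === true && env.VITE_DEV_AUTH_BYPASS === 'true';
}

// Constructed placeholder credentials; they are never accepted by a real backend.
const DEV_TOKEN = 'dev-bypass-token';
const DEV_USER = { id: 'dev', name: 'Dev User' };

// Initial store state: with the bypass active, skip the localStorage token
// lookup and mark setup complete; otherwise fall back to the stored token.
function initialAuthState(env: ViteEnv, storedToken: string | null): AuthState {
  if (isDevAuthBypass(env)) {
    return { token: DEV_TOKEN, user: DEV_USER, setupComplete: true };
  }
  return { token: storedToken, user: null, setupComplete: false };
}

// 401 handling for the API client: normally a 401 clears the session and
// redirects to login; under the bypass the fake token would be rejected by
// any real backend, so the response is surfaced but does not log out.
function onUnauthorized(env: ViteEnv, logout: () => void): 'logout' | 'ignored' {
  if (isDevAuthBypass(env)) return 'ignored';
  logout();
  return 'logout';
}
```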