feat: add DEV_MODE_BYPASS_AUTH to skip OAuth for local development #36

Draft
thejacket wants to merge 1 commit into ocrbase-hq:main from thejacket:feat/webui-devmode-flag

Conversation

@thejacket

Summary

  • Skip GitHub OAuth setup for local dev by adding a DEV_MODE_BYPASS_AUTH=true server env var
  • Auto-provisions a deterministic dev user (dev@ocrbase.local) and signs them in via GET /v1/auth/dev-session
  • Login page probes the server on mount and only shows the "Bypass login" button when dev mode is active
  • Full auth system (sessions, org membership, API keys) stays intact — the bypass creates a real user, not a shortcut
  • No changes to any non-auth code paths — extraction, parsing, jobs, API keys, org logic, and all other features are untouched

Why

Setting up GitHub OAuth (creating an app, configuring callback URLs, managing secrets) is unnecessary friction for:

  • Local development — developers just want to work on the UI, not configure OAuth
  • Self-hosting evaluation — first-time users shouldn't need a GitHub OAuth app to try the product
  • CI/E2E testing — automated tests need predictable auth without external dependencies
  • Demo/recording — screen recordings shouldn't require live OAuth flows

Tools like Grafana, Metabase, and Portainer solve this with similar bypass mechanisms.

Safety guards

  1. Production block — the flag is ignored when NODE_ENV=production; the endpoint is never registered
  2. Explicit opt-in — defaults to false, must be explicitly set to "true"
  3. Endpoint doesn't exist unless enabled — returns 404 when the flag is off, so there is no attack surface in production
  4. Console warning — a prominent WARN line is logged on every server startup when active:
    ⚠️  DEV_MODE_BYPASS_AUTH is enabled — authentication is bypassed with a dev user. Do NOT use this in production.
  5. UI banner — a yellow bar at the top of every authenticated page makes it obvious auth is bypassed
  6. Login button hidden in production — the web client probes the server on mount and only renders the bypass button if the server returned 200, so production users never see it and the endpoint path is not leaked in network traffic

Configuration

# In apps/server/.env
DEV_MODE_BYPASS_AUTH=true

Files changed

File                                      Change
packages/env/src/server.ts                Add DEV_MODE_BYPASS_AUTH to server env schema
packages/auth/src/index.ts                Dev user upsert + org provisioning on startup
apps/server/src/index.ts                  Startup warning log
apps/server/src/modules/auth/index.ts     GET /v1/auth/dev-session endpoint
apps/web/src/routes/login.tsx             Probe server on mount, conditionally show bypass button
apps/web/src/routes/_authenticated.tsx    Dev mode banner for dev user, clean auth redirect
apps/server/.env.example                  Document the variable
docker-compose.yml                        Pass DEV_MODE_BYPASS_AUTH to prod service

What this does NOT change

This PR only touches auth bootstrapping. No changes to:

  • Extraction, parsing, or job processing logic
  • API key authentication or REST API middleware
  • Organization, membership, or permissions logic
  • Database schema or migrations
  • Any existing tests

Test plan

  • bun check-types passes
  • DEV_MODE_BYPASS_AUTH=true — login page shows bypass button, clicking it signs in and redirects to /app
  • DEV_MODE_BYPASS_AUTH unset — login page shows only GitHub button, no /v1/auth/dev-session requests in Network tab (except the initial probe returning 404)
  • Yellow "Dev mode" banner visible when signed in as dev user
  • NODE_ENV=production with flag set — flag is ignored, endpoint returns 404
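As an added illustration (not code from the PR or the ocrbase project), the guard behaviour described above modelled in TypeScript: the flag counts only when set exactly to "true", it is ignored under NODE_ENV=production, and the dev-session route is simply not registered otherwise, so the login page's probe sees a 404. The route table, dispatcher, OAuth redirect target and session value are constructed stand-ins for the real server.

```typescript
// Added example, not the PR's code: models the server-side guards from the
// description. Env values are plain strings as process.env would supply them.
type Env = Record<string, string | undefined>;
interface Reply { status: number; body: Record<string, string> }
type Handler = () => Reply;
const DEV_USER_EMAIL = "dev@ocrbase.local"; // deterministic dev user from the PR

/** Guards 1 and 2: honoured only when exactly "true" and NODE_ENV is not production. */
function devBypassEnabled(env: Env): boolean {
  if (env.NODE_ENV === "production") return false;
  return env.DEV_MODE_BYPASS_AUTH === "true";
}

/** Guard 4: the WARN line a startup hook would log, or null when the bypass is off. */
function startupWarning(env: Env): string | null {
  if (!devBypassEnabled(env)) return null;
  return "WARN DEV_MODE_BYPASS_AUTH is enabled: authentication is bypassed with a dev user. Do NOT use this in production.";
}

/** Guard 3: the dev-session route is only registered when the bypass is active. */
function buildAuthRoutes(env: Env): Map<string, Handler> {
  const routes = new Map<string, Handler>();
  // Stand-in for the real GitHub OAuth entry point; the redirect target is illustrative.
  routes.set("GET /v1/auth/github", () => ({ status: 302, body: { location: "/oauth/github/authorize" } }));
  if (devBypassEnabled(env)) {
    routes.set("GET /v1/auth/dev-session", () => ({
      status: 200,
      body: { email: DEV_USER_EMAIL, session: "sess_dev_constructed" }, // constructed session id
    }));
  }
  return routes;
}

/** Unregistered paths answer 404, which is the signal the login page's probe relies on. */
function dispatch(routes: Map<string, Handler>, method: string, path: string): Reply {
  const handler = routes.get(`${method} ${path}`);
  return handler ? handler() : { status: 404, body: { error: "not found" } };
}

/** Client side of guard 6: render the bypass button only when the probe returned 200. */
function showBypassButton(probe: Reply): boolean {
  return probe.status === 200;
}

// The three env combinations from the test plan, run stand-alone.
const cases: Env[] = [{ DEV_MODE_BYPASS_AUTH: "true" }, {}, { NODE_ENV: "production", DEV_MODE_BYPASS_AUTH: "true" }];
for (const env of cases) {
  const probe = dispatch(buildAuthRoutes(env), "GET", "/v1/auth/dev-session");
  console.log(JSON.stringify(env), "->", probe.status, "button shown:", showBypassButton(probe));
  console.log(startupWarning(env) ?? "no startup warning");
}
```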

Auto-provisions a deterministic dev user and signs them in via
GET /v1/auth/dev-session. Login page probes the server on mount
and only shows the bypass button when dev mode is active.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@greptile-apps greptile-apps bot left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

@thejacket thejacket marked this pull request as draft March 4, 2026 15:36