security: fail-fast dev-bypass flag in production (#42)

Both auth.ts and trpc.ts now delegate the E2E_TEST_MODE-in-production
check to a single shared helper (packages/api/src/lib/runtime-security.ts).
trpc.ts used to only console.warn; it now throws at module load time,
matching the behaviour already enforced by assertSecureRuntimeEnv on the
auth side. A future refactor can no longer silently drop the guard on
either side.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 08:56:27 +02:00
parent c2d05b4b99
commit 93a7fbaa4c
5 changed files with 92 additions and 10 deletions
@@ -11,6 +11,7 @@
"./lib/audit": "./src/lib/audit.ts",
"./lib/reminder-scheduler": "./src/lib/reminder-scheduler.ts",
"./lib/logger": "./src/lib/logger.ts",
"./lib/runtime-security": "./src/lib/runtime-security.ts",
"./middleware/rate-limit": "./src/middleware/rate-limit.ts"
},
"scripts": {
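Review bot: The new "./lib/runtime-security" entry in the exports map makes the guard helper part of the package's public surface, but the commit message names only auth.ts and trpc.ts as callers, and both live inside packages/api, where a relative import would do. Please confirm that something outside the package needs this subpath (for example an app entry point that wants to run the check at startup); if nothing does, drop the export so the helper stays internal. If it is meant to be consumed externally, add a short comment or README line saying which function is the supported entry point and that it throws when E2E_TEST_MODE is set in production, so callers know importing or calling it can abort startup.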