feat: add local AUTH_MODE to bypass login

webapp/.env.example

@@ -31,7 +31,10 @@ BUILT_IN_FORGE_API_KEY=sk-your-api-key-here
 # ============================================================
 # Authentication (Optional - for multi-user mode)
 # ============================================================
-# If you don't need authentication, the app works without these.
+# AUTH_MODE controls how users are authenticated.
+# - oauth (default): use the original Manus OAuth + session flow
+# - local: local development only; auto-sign in a fixed local user
+AUTH_MODE=oauth
 # For Manus OAuth integration:
 JWT_SECRET=your-random-jwt-secret-at-least-32-chars
 VITE_APP_ID=your-oauth-app-id

webapp/server/_core/env.ts

@@ -7,4 +7,5 @@ export const ENV = {
   isProduction: process.env.NODE_ENV === "production",
   forgeApiUrl: process.env.BUILT_IN_FORGE_API_URL ?? "",
   forgeApiKey: process.env.BUILT_IN_FORGE_API_KEY ?? "",
+  authMode: process.env.AUTH_MODE ?? "oauth",
 };

webapp/server/_core/sdk.ts

@@ -256,7 +256,30 @@ class SDKServer {
     } as GetUserInfoWithJwtResponse;
   }
 
+  private async getLocalDevUser(): Promise<User> {
+    const signedInAt = new Date();
+    const localOpenId = "local-dev-user";
+
+    await db.upsertUser({
+      openId: localOpenId,
+      name: "Local User",
+      loginMethod: "local",
+      lastSignedIn: signedInAt,
+    });
+
+    const user = await db.getUserByOpenId(localOpenId);
+    if (!user) {
+      throw ForbiddenError("Local development user not found");
+    }
+
+    return user;
+  }
+
   async authenticateRequest(req: Request): Promise<User> {
+    if (ENV.authMode === "local" && !ENV.isProduction) {
+      return this.getLocalDevUser();
+    }
+
     // Regular authentication flow
     const cookies = this.parseCookies(req.headers.cookie);
     const sessionCookie = cookies.get(COOKIE_NAME);