No dev-only feature flags hardcoded to true
Why it matters
A module-scope const DEBUG = true survives into every environment because it is never read from process.env. Debug logs spew into production, verbose error messages leak internal structure, SKIP_AUTH bypasses middleware, and MOCK_PAYMENTS routes real checkouts to fakes. These constants ship because AI coding assistants set them to true during scaffolding and never parameterize them, and linters do not flag boolean literals.
Severity rationale
Low because the flags rarely expose data directly, but they can enable debug paths, skipped checks, or mock flows in production. Escalate when the hardcoded flag gates authentication or payments (SKIP_AUTH, MOCK_PAYMENTS): in production those are an authentication bypass or a business-logic flaw, not a logging problem.
Remediation
Drive every dev-pattern flag from process.env with an explicit fallback, and centralize flag resolution in one module so the check is obvious in review. Compare against one agreed value ('1') with strict equality rather than testing the string for truthiness, since any non-empty string, including 'false', is truthy. Treat an unset NODE_ENV as production so the fallback fails closed. Fix at src/lib/logger.ts:
const DEBUG = process.env.DEBUG === '1' || process.env.NODE_ENV === 'development'
const SKIP_AUTH = process.env.SKIP_AUTH === '1' && process.env.NODE_ENV !== 'production'
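The centralized flag module the remediation calls for, as an added example that is not the page's or any project's own code. It assumes three flag names (DEBUG, SKIP_AUTH, MOCK_PAYMENTS) and the '1' convention, treats an unset NODE_ENV as production, and refuses to start at all when a dangerous flag is requested in production instead of silently ignoring it.

```typescript
// Added example, not code from the page or from any project. Flag names,
// the '1' convention and the production guard are assumptions for illustration.

export type Env = Record<string, string | undefined>;

export type Flags = {
  DEBUG: boolean;
  SKIP_AUTH: boolean;
  MOCK_PAYMENTS: boolean;
};

// Flags that must never be true in production, whatever the environment says.
const DANGEROUS_IN_PROD: ReadonlyArray<keyof Flags> = ['SKIP_AUTH', 'MOCK_PAYMENTS'];

// Strict comparison against '1': 'true', 'yes', 'false' and '' all read as off,
// so a stray string value can never switch a flag on by accident.
function envBool(env: Env, name: string): boolean {
  return env[name] === '1';
}

// Resolve every dev-pattern flag in one place. Pass process.env at startup.
export function resolveFlags(env: Env): Flags {
  // Unset NODE_ENV is treated as production so a missing variable fails closed.
  const nodeEnv = env.NODE_ENV ?? 'production';
  const isDev = nodeEnv === 'development';
  const isProd = nodeEnv === 'production';

  // Fail loudly: a production deploy asking for an auth bypass or fake payments
  // is a misconfiguration, and silently masking it would hide the mistake.
  if (isProd) {
    for (const name of DANGEROUS_IN_PROD) {
      if (envBool(env, name)) {
        throw new Error(`refusing to start: ${name}=1 is set with NODE_ENV=production`);
      }
    }
  }

  return {
    // Debug output is allowed whenever explicitly requested, and always in development.
    DEBUG: envBool(env, 'DEBUG') || isDev,
    // The `!isProd` term is a second guard in case the check above is ever removed.
    SKIP_AUTH: envBool(env, 'SKIP_AUTH') && !isProd,
    MOCK_PAYMENTS: envBool(env, 'MOCK_PAYMENTS') && !isProd,
  };
}
```

Call resolveFlags(process.env) once at startup and import the resulting object everywhere else; a reviewer then has a single file to audit, and a grep for `= true` in the rest of the tree finds nothing flag-shaped.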
Detection
- ID: dev-only-env-flags-enabled
- Severity: low
- What to look for: Walk all source files for module-scope const declarations of feature flags hardcoded to true. Count all patterns like: const ENABLE_X = true, const DEBUG = true, const SHOW_DEBUG = true, const SKIP_Y = true, const BYPASS_Z = true, const DEV_MODE = true, const TEST_MODE = true, const MOCK_Y = true where the variable name suggests a debug/dev feature flag (contains: DEBUG, DEV, TEST, MOCK, SKIP, BYPASS, DISABLE, FAKE). EXCLUDE variables read from process.env (const DEBUG = process.env.DEBUG === 'true').
- Pass criteria: 0 dev-pattern feature flags are hardcoded to true. Report: "Scanned X source files, 0 hardcoded dev feature flags."
- Fail criteria: At least 1 source file has a module-scope const with a dev-pattern name hardcoded to true.
- Skip (N/A) when: Project has 0 source files.
- Detail on fail: "1 hardcoded dev flag: 'const DEBUG = true' at module scope in src/lib/logger.ts line 3. Will emit debug logs in production."
- Remediation: Hardcoded debug flags leak to production. Read them from env instead:
  // Bad: always debug
  const DEBUG = true
  // Good: env-based
  const DEBUG = process.env.DEBUG === '1' || process.env.NODE_ENV === 'development'
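The detection rule above as a scanner over source text, added here as an example; it is not the page's or any project's own tooling. File paths and file contents are constructed for illustration. Module scope is approximated as a column-0 `const` (optionally `export`ed, optionally typed `: boolean`), the name test is the token list from the rule, and any line mentioning process.env is excluded as parameterized.

```typescript
// Added example, not code from the page or from any project.
// Sample inputs below are constructed; the paths are not real files.

export type Finding = { file: string; line: number; name: string; text: string };

export type ScanResult = {
  status: 'pass' | 'fail' | 'skip';
  report: string;
  findings: Finding[];
};

// Name tokens from the rule: any identifier containing one of these is a dev-pattern name.
const DEV_TOKENS = ['DEBUG', 'DEV', 'TEST', 'MOCK', 'SKIP', 'BYPASS', 'DISABLE', 'FAKE'];

// Anchored at column 0 so consts nested in functions or blocks are not treated as module scope.
// Accepts an optional `export`, an optional `: boolean` annotation, `= true`, an optional `;`
// and a trailing line comment.
const HARDCODED_TRUE =
  /^(?:export\s+)?const\s+([A-Za-z_$][\w$]*)\s*(?::\s*boolean\s*)?=\s*true\s*;?\s*(?:\/\/.*)?$/;

function isDevPatternName(name: string): boolean {
  const upper = name.toUpperCase();
  return DEV_TOKENS.some((token) => upper.indexOf(token) !== -1);
}

// Scan one file's text and return every module-scope dev flag hardcoded to true.
export function findHardcodedDevFlags(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i];
    // Exclusion from the rule: a value derived from process.env is parameterized, not hardcoded.
    if (text.indexOf('process.env') !== -1) continue;
    const m = HARDCODED_TRUE.exec(text);
    if (m && isDevPatternName(m[1])) {
      findings.push({ file, line: i + 1, name: m[1], text: text.trim() });
    }
  }
  return findings;
}

// Apply the pass / fail / skip criteria over a set of files (path -> contents).
export function scan(files: Record<string, string>): ScanResult {
  const paths = Object.keys(files);
  if (paths.length === 0) {
    return { status: 'skip', report: 'No source files; check not applicable.', findings: [] };
  }
  const findings: Finding[] = [];
  for (const p of paths) {
    findings.push(...findHardcodedDevFlags(p, files[p]));
  }
  if (findings.length === 0) {
    return {
      status: 'pass',
      report: `Scanned ${paths.length} source files, 0 hardcoded dev feature flags.`,
      findings,
    };
  }
  const detail = findings
    .map((f) => `'${f.text}' at module scope in ${f.file} line ${f.line}`)
    .join('; ');
  return { status: 'fail', report: `${findings.length} hardcoded dev flag(s): ${detail}`, findings };
}

// Constructed sample inputs (not from any real project).
export const SAMPLE_FILES: Record<string, string> = {
  'src/lib/logger.ts': [
    "import pino from 'pino'",
    '',
    'const DEBUG = true',
    "const LEVEL = DEBUG ? 'debug' : 'info'",
  ].join('\n'),
  'src/middleware/auth.ts': [
    'export const SKIP_AUTH: boolean = true; // TODO remove before launch',
    'function handler() {',
    '  const TEST_MODE = true // nested, not module scope, not counted',
    '}',
  ].join('\n'),
  'src/lib/payments.ts': [
    "const MOCK_PAYMENTS = process.env.MOCK_PAYMENTS === '1' && process.env.NODE_ENV !== 'production'",
    'const ENABLE_RETRIES = true // no dev-pattern token in the name',
  ].join('\n'),
};
```

Against the sample set this reports two findings (DEBUG in src/lib/logger.ts line 3 and SKIP_AUTH in src/middleware/auth.ts line 1) and ignores the nested TEST_MODE, the process.env-derived MOCK_PAYMENTS and the non-dev ENABLE_RETRIES. The token list is deliberately broad (DEV also matches DEVICE_ID, TEST matches LATEST), so treat hits as candidates for review rather than auto-fixing them.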
Taxons
History
- 2026-04-18·v1.0.0·Initial import from ai-slop-half-finished·automated