Migrate auth to shared middleware layer
+291 / −56 lines
8 files changed
Commit message: "fix auth stuff"
No agent brief available. This PR was written by a human with a single commit message: "fix auth stuff". The AI analyzed the diff shape and reconstructed 4 likely decisions. Verify each is accurate — correcting wrong inferences is faster than explaining decisions from scratch.
Verified: 0 / 4
Inferred · Architecture
Auth was consolidated from per-route to middleware layer
92% confidence
Detected: authMiddleware newly registered on app + simultaneous removal of requireAuth from 23 route definitions. This pattern indicates middleware consolidation.
If this is accurate: any route not in the public allowlist is now protected by default. New routes are secure unless explicitly excluded.
Inferred · Config
Public routes defined via explicit allowlist
88% confidence
Detected: new PUBLIC_ROUTES array exported from config/routes.ts, imported and checked inside the middleware. This is an allowlist pattern — routes not in this array require auth.
Question this raises: are /health, /docs, and /auth/register the complete list of public routes? Are there any that were missed?
Inferred · Cleanup
23 @requireAuth decorators removed across route files
99% confidence
Detected: identical deletion pattern across 6 route files — requireAuth removed from every handler. High-confidence mechanical cleanup. @adminOnly and @roleRequired decorators appear to be intentionally preserved.
Question this raises: were all 23 removals checked against the PUBLIC_ROUTES allowlist to verify nothing became accidentally public?
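An added example, not code from this PR: a default-deny decision with exact-match allowlist lookup, plus the audit the question above asks for. PUBLIC_ROUTES and its three paths come from the analysis above; every other name and the sample route list are hypothetical.

```typescript
// Added example. PUBLIC_ROUTES and its three paths are taken from the page;
// all other names and the sample data are hypothetical.
const PUBLIC_ROUTES: string[] = ["/health", "/docs", "/auth/register"];
const PUBLIC_SET = new Set<string>(PUBLIC_ROUTES);

type Route = { method: string; path: string };

// Drop the query string and fragment; compare only the path component.
function pathOnly(raw: string): string {
  const cut = raw.search(/[?#]/);
  return cut === -1 ? raw : raw.slice(0, cut);
}

// Exact match only. Prefix or substring matching would also treat
// neighbours such as "/docs-internal" as public; unlisted paths fail closed.
function isPublic(rawPath: string): boolean {
  return PUBLIC_SET.has(pathOnly(rawPath));
}

// The middleware decision: reject unless allowlisted or authenticated.
function decide(rawPath: string, hasSession: boolean): "allow" | "reject" {
  return (isPublic(rawPath) || hasSession) ? "allow" : "reject";
}

// Audit: handlers that lost requireAuth and also sit on the allowlist,
// i.e. routes that were protected before the change and are public after it.
function accidentallyPublic(removed: Route[]): Route[] {
  return removed.filter((r) => isPublic(r.path));
}

// Constructed sample: three handlers that had requireAuth removed.
const REMOVED_SAMPLE: Route[] = [
  { method: "GET", path: "/users/:id" },
  { method: "POST", path: "/orders" },
  { method: "GET", path: "/docs" },
];

// Each route printed here needs a human decision before merge.
console.log(accidentallyPublic(REMOVED_SAMPLE));
```

Run the audit over the full list of 23 removals; an empty result means none of them landed on the allowlist.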
Inferred · Infrastructure
Session storage changed from in-memory Map to Redis
64% confidence · Needs verification
Detected: Map<string, Session> replaced with Redis client in lib/session.ts. This may be an intentional infrastructure improvement or could be an unplanned change bundled into this PR. Lower confidence because the commit message ("fix auth stuff") provides no signal.
This needs explicit verification: was this change planned? Is Redis deployed in this environment? What happens if Redis is unavailable at startup?