From 5c6d8bff56f5f79ac2d943c2bdb5a919c7ca25f6 Mon Sep 17 00:00:00 2001
From: DJP <DJP>
Date: Thu, 7 May 2026 11:15:29 -0400
Subject: [PATCH] deploy: don't require AZURE_* when DEV_AUTH_BYPASS=true
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The SPA skips msalInstance.initialize() entirely in bypass mode, so the
Azure values aren't read by the build. Failing the deploy on missing
Azure config when bypass is on is a false positive — block on it only
when MSAL is actually going to run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 deploy/deploy.sh | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index ef8800f..22be8e3 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -175,18 +175,23 @@ docker compose -p "$COMPOSE_PROJECT" up -d
 # ---------- 6. Frontend build + sync ----------
 
 if (( DO_FRONTEND )); then
-    AZ_TENANT=$(get_env_var VITE_AZURE_TENANT_ID); AZ_TENANT=${AZ_TENANT:-$(get_env_var AZURE_TENANT_ID)}
-    AZ_CLIENT=$(get_env_var VITE_AZURE_CLIENT_ID); AZ_CLIENT=${AZ_CLIENT:-$(get_env_var AZURE_CLIENT_ID)}
-    if [[ -z "$AZ_TENANT" || -z "$AZ_CLIENT" ]]; then
-        err "AZURE_TENANT_ID and AZURE_CLIENT_ID must be set in .env to build the SPA."
-        exit 1
-    fi
     # Mirror DEV_AUTH_BYPASS into VITE_DEV_AUTH_BYPASS so a single env var
     # decides both backend token validation and frontend MSAL gating.
     VITE_BYPASS=$(get_env_var VITE_DEV_AUTH_BYPASS)
     [[ -z "$VITE_BYPASS" ]] && VITE_BYPASS=$(get_env_var DEV_AUTH_BYPASS)
     [[ -z "$VITE_BYPASS" ]] && VITE_BYPASS="false"
 
+    AZ_TENANT=$(get_env_var VITE_AZURE_TENANT_ID); AZ_TENANT=${AZ_TENANT:-$(get_env_var AZURE_TENANT_ID)}
+    AZ_CLIENT=$(get_env_var VITE_AZURE_CLIENT_ID); AZ_CLIENT=${AZ_CLIENT:-$(get_env_var AZURE_CLIENT_ID)}
+    # Azure values are only needed when the SPA actually performs MSAL sign-in.
+    # In bypass mode the SPA skips msalInstance.initialize() entirely, so empty
+    # strings are fine.
+    if [[ "$VITE_BYPASS" != "true" ]] && [[ -z "$AZ_TENANT" || -z "$AZ_CLIENT" ]]; then
+        err "AZURE_TENANT_ID and AZURE_CLIENT_ID must be set in .env to build the SPA."
+        err "  (Or set DEV_AUTH_BYPASS=true to skip MSAL entirely for now.)"
+        exit 1
+    fi
+
     log "Building Vite SPA (VITE_DEV_AUTH_BYPASS=${VITE_BYPASS}) in a one-shot node:20 container…"
     docker run --rm \
         -v "$REPO_ROOT/frontend:/app" \