DO NOT MERGE

[evanpelle]

disable turnstile for testing

[coderabbitai]

Walkthrough

The PR removes the GameEnv import and replaces the environment-based Turnstile verification conditional with a hardcoded false gate in the WebSocket join handler. The verification block no longer executes during client connection.

Changes

Turnstile Verification Gate Bypass

Layer / File(s)	Summary
Turnstile verification gate and import removal src/server/Worker.ts	The GameEnv import is removed, and the Turnstile verification conditional at join time is changed from if (ServerEnv.env() !== GameEnv.Dev) { ... } to const f = false; if (f) { ... }, effectively disabling token verification logic during client WebSocket join.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🔐 A gate once guarded now lies open wide,
Turnstile tokens turned away with pride,
False becomes the gatekeeper's call,
Access flows where walls now fall.
Is this a test, or change for good? 🤔

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'DO NOT MERGE' is a directive flag rather than a description of the actual change; it does not meaningfully describe what the pull request does.	Revise the title to describe the actual change, such as 'Disable Turnstile verification for testing' or 'Gate Turnstile token verification with conditional flag'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description 'disable turnstile for testing' is directly related to the changeset, which disables Turnstile token verification by replacing the environment check with a false gate.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/server/Worker.ts`:
- Around line 430-431: Replace the hardcoded bypass "const f = false" / "if (f)
{ … }" with a real, explicit config or environment check that defaults to secure
behavior: remove/replace the "f" constant and gate the Turnstile verification by
a named flag such as process.env.TURNSTILE_BYPASS or a server config property
(e.g., config.turnstileBypass) used where the current if-block lives in
Worker.ts; ensure the default is false and update any comments so the bypass is
only enabled intentionally for tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5a2efc4f-f72b-430e-91c0-dc062775995e

📥 Commits

Reviewing files that changed from the base of the PR and between 2d6342c and b3fb85d.

📒 Files selected for processing (1)

• src/server/Worker.ts

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Restore a real Turnstile gate here.

This hardcoded false disables Turnstile verification for every WebSocket join on this worker, so the testing bypass can ship as a full production bypass. Keep this behind an explicit env/config flag, or restore the previous environment check instead of using a constant.

Suggested direction

-        const f = false;
-        if (f) {
+        const shouldVerifyTurnstile = ServerEnv.env() !== GameEnv.Dev;
+        if (shouldVerifyTurnstile) {
           const turnstileResult = await verifyTurnstileToken(
             ip,
             clientMsg.turnstileToken,
           );

If you need a temporary test bypass, prefer a clearly named server config flag that defaults to secure behavior.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const f = false;
	if (f) {
	const shouldVerifyTurnstile = ServerEnv.env() !== GameEnv.Dev;
	if (shouldVerifyTurnstile) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/server/Worker.ts` around lines 430 - 431, Replace the hardcoded bypass
"const f = false" / "if (f) { … }" with a real, explicit config or environment
check that defaults to secure behavior: remove/replace the "f" constant and gate
the Turnstile verification by a named flag such as process.env.TURNSTILE_BYPASS
or a server config property (e.g., config.turnstileBypass) used where the
current if-block lives in Worker.ts; ensure the default is false and update any
comments so the bypass is only enabled intentionally for tests.