AICA GitHub Repo: Critical Auth Bypass Hotfix Missing from 'feat/flux-launch-bundle' Branch
A critical security regression has been identified in the AICA GitHub repository, where a feature branch slated for a major launch was cut before a vital authentication hotfix was merged, effectively reintroducing a CVE-grade vulnerability. The `feat/flux-launch-bundle` branch, created for a Google Tag Manager launch, does not contain the fix from PR #1506, which patched an auth-bypass flaw (issue #1419). This means the branch currently accepts any Bearer token over 100 characters and assigns a user ID from an unverified JWT payload, a flaw that was corrected on the `main` branch to require strict validation against the `SUPABASE_SERVICE_ROLE_KEY`.
The regression spans at least six core files, reintroducing the vulnerability across key authentication and function logic. Affected files include `supabase/functions/_shared/auth.ts`, where the flawed token validation logic has reappeared, and `supabase/functions/_shared/gemini-helpers.ts`, which still contains and uses an unverified payload decoder. Furthermore, the branch has deleted the specific regression test (`auth-bypass-regression.spec.ts`) that was added to `main` to prevent this exact scenario, eliminating a crucial automated safeguard.
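To make the flaw concrete, here is an added example (not code from the AICA repository; the function names, the service key and the forged token are all constructed) placing the unverified-payload check the advisory describes beside a strict service-key check of the kind a regression test like the deleted `auth-bypass-regression.spec.ts` would exercise. The exact shape of the PR #1506 fix is assumed, not taken from the repository.

```typescript
// Added illustration (hypothetical names, not the AICA repository's code): the flawed
// check the advisory describes beside a strict one.
interface AuthResult { ok: boolean; userId?: string; reason?: string }

function bearerToken(header: string | null): string {
  return header !== null && header.startsWith("Bearer ") ? header.slice(7) : "";
}

// Decodes a JWT payload WITHOUT checking its signature; the result is attacker-controlled.
function decodeUnverifiedPayload(token: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  try { return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4))); } catch { return null; }
}

// VULNERABLE pattern from the advisory: any bearer token longer than 100 characters
// passes, and the caller's identity is copied from the unverified payload.
function vulnerableAuth(header: string | null): AuthResult {
  const token = bearerToken(header);
  if (token.length <= 100) return { ok: false, reason: "token too short" };
  const sub = decodeUnverifiedPayload(token)?.sub;
  return typeof sub === "string" ? { ok: true, userId: sub } : { ok: false, reason: "no sub claim" };
}

// Compares without exiting at the first differing character (equal lengths only).
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// STRICT form (the fix's exact shape is assumed): the presented token must equal the
// configured service role key; identity is never taken from a caller-supplied payload.
function strictAuth(header: string | null, serviceRoleKey: string): AuthResult {
  const token = bearerToken(header);
  if (serviceRoleKey === "" || !constantTimeEqual(token, serviceRoleKey)) {
    return { ok: false, reason: "invalid service token" };
  }
  return { ok: true };
}

// Constructed forged token: plausible header and payload, garbage signature padded past 100 chars.
function forgedToken(sub: string): string {
  const enc = (o: object) =>
    btoa(JSON.stringify(o)).replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub })}.${"x".repeat(120)}`;
}
```

The forged token carries no valid signature at all, yet `vulnerableAuth` accepts it and trusts its `sub` claim, while `strictAuth` rejects it and only ever admits the configured key.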
This oversight creates a direct pipeline for a severe security flaw to be deployed into production if the `feat/flux-launch-bundle` branch is merged without rebasing. The situation highlights a breakdown in the repository's branch synchronization and code review protocols, where a high-priority security patch was not propagated to an active development branch for a significant feature. It places immediate pressure on the project maintainers to rebase the branch onto the updated `main` before any integration, to audit all other active branches for similar oversights, and to reinforce gating procedures that prevent feature work from proceeding without the latest security fixes.