From b166a96e87fe41daa3e6971ac5e299bb5f1700f1 Mon Sep 17 00:00:00 2001
From: sneak
Date: Wed, 25 Feb 2026 16:06:03 +0700
Subject: [PATCH] Remove DEBUG lock-screen bypass, add DEBUG mode policy

DEBUG mode must behave identically to normal mode except for the red banner and hardcoded mnemonic. No other DEBUG branches without explicit owner approval. Policy documented in README.
---
 README.md | 9 +++++++++
 src/popup/index.js | 5 -----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 2b375c0..0aba8ee 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,15 @@ it is almost certainly a bug. All cryptographic operations must go through
 Exceptions require explicit authorization in a code comment referencing this policy.
+### DEBUG Mode Policy
+
+The `DEBUG` constant in the popup JS enables a red "DEBUG / INSECURE" banner and
+a hardcoded test mnemonic. **DEBUG mode must behave as close to normal mode as
+possible.** No `if (DEBUG)` branches that skip functionality, bypass security
+flows, or alter program behavior beyond the banner and the hardcoded mnemonic.
+Adding new DEBUG-conditional branches requires explicit approval from the
+project owner.
+
 ### Key Decisions
 - **No framework**: The popup UI is vanilla JS and HTML. The extension is small
diff --git a/src/popup/index.js b/src/popup/index.js
index 9a3b165..d1ac45f 100644
--- a/src/popup/index.js
+++ b/src/popup/index.js
@@ -287,11 +287,6 @@ async function init() {
 await loadState();
- // In DEBUG mode, skip the lock screen (no encryption yet)
- if (DEBUG && state.hasWallet) {
- state.locked = false;
- }
-
 if (!state.hasWallet) {
 showView("welcome");
 } else if (state.locked) {