
fix: correct merged PR count in weekly summary and remove Playwright auth bypass#473

Merged
Priyanshu-byte-coder merged 3 commits into
Priyanshu-byte-coder:mainfrom
advikdivekar:fix/issue-451-weekly-summary-merged-pr-count
May 21, 2026

Conversation

@advikdivekar
Contributor

Summary

Closes #451, Closes #450

Two independent bugs fixed together — both are data-correctness or security issues with no new features.


Fix 1 — Weekly summary counts all closed PRs as merged (#451)

File: src/app/api/metrics/weekly-summary/route.ts

The PR counting loop used item.state === "closed" to decide whether a PR was merged. A PR can be state: "closed" for two reasons: merged, or
rejected/abandoned without merging. The GitHub search/issues response includes pull_request.merged_at which is null for closed-but-not-merged
PRs. Updated the type and condition to use item.pull_request?.merged_at != null so prsMergedThisWeek no longer inflates for
closed-but-unmerged PRs.


Fix 2 — Playwright auth bypass reachable in production (#450)

Files: src/app/dashboard/page.tsx, e2e/dashboard-widgets.spec.js, playwright.config.mjs

alternative to real NextAuth authentication. If that env var was accidentally deployed to production (a realistic Vercel misconfiguration), any
visitor could access the full dashboard by running document.cookie = "playwright-dashboard-auth=1" in their browser.

The e2e tests already inject a properly signed next-auth.session-token JWT (via next-auth/jwt encode() with the same NEXTAUTH_SECRET as the
dev server), so the cookie bypass was always redundant. Removed the bypass entirely: dashboard/page.tsx now calls getServerSession
unconditionally, the redundant playwright-dashboard-auth cookie is dropped from the test beforeEach, and PLAYWRIGHT_AUTH_BYPASS is removed
from playwright.config.mjs. Tests continue to pass through the JWT-based auth path.

Test plan

#451 — Merged PR count

  • PR with merged_at non-null, state: "closed" → counted in prsMergedThisWeek
  • PR with merged_at: null, state: "closed" (rejected) → not counted in prsMergedThisWeek
  • Open PR → not counted in prsMergedThisWeek
  • PR created before current week → excluded regardless of state
  • prsOpenedThisWeek count is unaffected

#450 — Auth bypass

  • grep confirms zero remaining references to playwright-dashboard-auth, PLAYWRIGHT_AUTH_BYPASS, allowPlaywrightBypass, or cookies()
    across all three files
  • dashboard/page.tsx calls getServerSession unconditionally with no conditional bypass
  • Playwright tests still set next-auth.session-token signed JWT — auth works without the bypass
  • npm run lint and npm run type-check pass with zero errors

The PR counting loop checked item.state === "closed" to determine a
merge, but a PR can be closed without merging (rejected/abandoned). The
GitHub search/issues response includes pull_request.merged_at which is
non-null only for genuine merges. Updated the type and condition to use
item.pull_request?.merged_at != null, so prsMergedThisWeek no longer
inflates for closed-but-unmerged PRs. Fixes Priyanshu-byte-coder#451

dashboard/page.tsx used a client-settable cookie (playwright-dashboard-auth)
combined with an env var (PLAYWRIGHT_AUTH_BYPASS=1) to let Playwright tests
skip NextAuth. If the env var was accidentally set in production — a realistic
Vercel misconfiguration — any user could access the dashboard by setting
document.cookie = "playwright-dashboard-auth=1" in their browser.

The e2e tests already inject a properly signed next-auth.session-token JWT
(via next-auth/jwt encode()) using the same NEXTAUTH_SECRET as the dev server,
so the cookie bypass was always redundant. Removed the bypass entirely:
dashboard/page.tsx now calls getServerSession unconditionally, the redundant
playwright-dashboard-auth cookie is dropped from the test setup, and
PLAYWRIGHT_AUTH_BYPASS is removed from playwright.config.mjs. Tests continue
to pass through the JWT-based auth path. Fixes Priyanshu-byte-coder#450
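The corrected prsMergedThisWeek logic from fix 1, written as an added example over constructed GitHub search/issues items (not the project's route.ts). The item shape, the weekStart cutoff and the helper names are assumptions; the pre-fix condition is kept beside it so the inflation described in #451 is visible.

```typescript
// Added example, not the project's code. Shapes and weekStart handling are assumptions.
interface SearchIssueItem {
  state: "open" | "closed";
  created_at: string;                                   // ISO timestamp
  pull_request?: { merged_at: string | null } | null;   // absent for plain issues
}

interface WeeklyPrCounts { prsOpenedThisWeek: number; prsMergedThisWeek: number }

// weekStart: start of the current reporting week (inclusive); PRs created
// earlier are excluded regardless of state, matching the test plan.
function countWeeklyPrs(items: SearchIssueItem[], weekStart: Date): WeeklyPrCounts {
  let prsOpenedThisWeek = 0;
  let prsMergedThisWeek = 0;
  for (const item of items) {
    if (!item.pull_request) continue;                   // search/issues also returns issues
    if (new Date(item.created_at) < weekStart) continue;
    prsOpenedThisWeek++;
    // Post-fix condition: merged_at is non-null only for PRs that were really merged.
    if (item.pull_request.merged_at != null) prsMergedThisWeek++;
  }
  return { prsOpenedThisWeek, prsMergedThisWeek };
}

// Pre-fix condition from #451, kept for comparison: "closed" also matches rejected PRs.
function countMergedBuggy(items: SearchIssueItem[], weekStart: Date): number {
  return items.filter(
    (item) => item.pull_request && new Date(item.created_at) >= weekStart && item.state === "closed",
  ).length;
}

// Constructed sample covering every row of the #451 test plan (week starting Mon 2026-05-18 UTC).
const WEEK_START = new Date("2026-05-18T00:00:00Z");
const SAMPLE_ITEMS: SearchIssueItem[] = [
  { state: "closed", created_at: "2026-05-19T10:00:00Z", pull_request: { merged_at: "2026-05-20T09:00:00Z" } }, // merged
  { state: "closed", created_at: "2026-05-19T11:00:00Z", pull_request: { merged_at: null } },                   // rejected
  { state: "open",   created_at: "2026-05-20T08:00:00Z", pull_request: { merged_at: null } },                   // still open
  { state: "closed", created_at: "2026-05-10T08:00:00Z", pull_request: { merged_at: "2026-05-11T08:00:00Z" } }, // last week
  { state: "closed", created_at: "2026-05-19T12:00:00Z" },                                                      // plain issue
];
```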
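The dashboard access decision from fix 2, modelled as an added example in pure functions so the #450 regression and the test-plan grep can be checked without Next.js (not the project's page.tsx). The session and cookie shapes, the env handling and every name are assumptions.

```typescript
// Added example, not the project's code. Shapes and the env handling are assumptions.
type Session = { user: { email: string } } | null;

interface RequestContext {
  session: Session;                          // what getServerSession would return (null = anonymous)
  cookies: Record<string, string>;           // request cookies: entirely client-controlled
  env: Record<string, string | undefined>;   // process.env of the deployment
}

type Decision = "render-dashboard" | "redirect-to-login";

// Pre-fix logic: an env flag plus a cookie any visitor can set short-circuits auth.
function dashboardDecisionBefore(ctx: RequestContext): Decision {
  const allowPlaywrightBypass =
    ctx.env.PLAYWRIGHT_AUTH_BYPASS === "1" &&
    ctx.cookies["playwright-dashboard-auth"] === "1";
  if (allowPlaywrightBypass) return "render-dashboard";   // getServerSession never consulted
  return ctx.session ? "render-dashboard" : "redirect-to-login";
}

// Post-fix logic: the session is the only input; env vars and cookies cannot override it.
function dashboardDecisionAfter(ctx: RequestContext): Decision {
  return ctx.session ? "render-dashboard" : "redirect-to-login";
}

// Mirrors the test-plan grep: identifiers that must not survive in the touched files.
const BYPASS_IDENTIFIERS = [
  "playwright-dashboard-auth", "PLAYWRIGHT_AUTH_BYPASS", "allowPlaywrightBypass", "cookies()",
];
function bypassResidue(source: string): string[] {
  return BYPASS_IDENTIFIERS.filter((id) => source.includes(id));
}

// Constructed scenario: env var leaked into production, anonymous visitor, no session.
const LEAKED_FLAG_ANONYMOUS: RequestContext = {
  session: null,
  cookies: { "playwright-dashboard-auth": "1" },
  env: { NODE_ENV: "production", PLAYWRIGHT_AUTH_BYPASS: "1" },
};

// Constructed scenario: e2e run whose signed next-auth.session-token resolved to a session.
const E2E_SIGNED_SESSION: RequestContext = {
  session: { user: { email: "e2e@example.test" } },
  cookies: { "next-auth.session-token": "<signed-jwt-placeholder>" },
  env: { NODE_ENV: "development" },
};
```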
@vercel

vercel Bot commented May 20, 2026

@advikdivekar is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:security GSSoC type bonus: security (+20 pts) type:testing GSSoC type bonus: tests (+10 pts) labels May 20, 2026
@github-actions

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@Priyanshu-byte-coder Priyanshu-byte-coder merged commit 42b1789 into Priyanshu-byte-coder:main May 21, 2026
3 checks passed
@Priyanshu-byte-coder Priyanshu-byte-coder added level:beginner GSSoC: Beginner difficulty (20 pts) gssoc:approved GSSoC: PR approved for scoring labels May 21, 2026

Development

Successfully merging this pull request may close these issues.

CRITICAL BUG: Weekly Summary Counts All Closed PRs as Merged bug : Playwright Auth Bypass Reachable in Production