chore(dev-env): localhost defaults + dev scripts

[ital0]

Note

Medium Risk
Moderate risk because it changes default PowerSync configuration based on NODE_ENV, which can affect startup/validation behavior in non-dev deployments if they relied on implicit localhost defaults.

Overview
Updates PowerSync config defaults to no longer assume localhost in non-development environments: the schema defaults powersyncUrl, powersyncJwtKid, and powersyncJwtSecret to empty strings, while parseSettings only injects the previous localhost defaults when NODE_ENV=development.

Adjusts tests to cover the new NODE_ENV-dependent behavior and adds validation cases ensuring an empty JWT secret is allowed only when POWERSYNC_URL is empty, and rejected in non-dev when POWERSYNC_URL is set.

^{Reviewed by Cursor Bugbot for commit 4b03fc4. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4b03fc4. Configure here.}

[cursor]

Test doesn't control NODE_ENV, fails in development

Low Severity

The new test "should allow empty JWT secret when powersyncUrl is empty" sets POWERSYNC_URL and POWERSYNC_JWT_SECRET to '' but doesn't set or delete NODE_ENV. Since empty strings are falsy and fall through the || in parseSettings, when NODE_ENV happens to be 'development', the dev defaults ('http://localhost:8080' and 'powersync-dev-secret-change-in-production') are used instead. The assertion expect(settings.powersyncJwtSecret).toBe('') then fails. Other tests in this block explicitly delete or set NODE_ENV; this one is missing that step.

 

^{Reviewed by Cursor Bugbot for commit 4b03fc4. Configure here.}