Nicholai b1f6780166
fix(auth): delete demo cookie in middleware (#93)
The demo cookie deletion in getCurrentUser() was a no-op from
Server Component context (cookies().delete() only works in
Server Actions and Route Handlers). The cookie persisted for
its full 24h lifetime, causing middleware to short-circuit auth
checks even when a real WorkOS session existed.

- Middleware: real session now takes priority over demo cookie,
  stale cookie actively deleted via Set-Cookie on response
- auth.ts: remove early demo-first check and dead deletion code,
  WorkOS session checked before demo fallback
- /demo route: clear compass-active-org so demo doesn't inherit
  a real user's workspace selection

Co-authored-by: Nicholai <nicholaivogelfilms@gmail.com>
2026-02-15 22:45:34 -07:00
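
The precedence change described in the commit message, as an added example (not code from this commit or the project). The demo cookie name, the `Path=/` attribute, the session object shape and all function names are assumptions; only `compass-active-org` and the 24h lifetime come from the page.

```javascript
// Added illustration of the cookie/session precedence in the commit message.
// DEMO_COOKIE, Path=/ and the function names are assumptions, not project code.
const DEMO_COOKIE = "demo-session"; // hypothetical name; the page does not give it
const ACTIVE_ORG_COOKIE = "compass-active-org"; // named in the commit message

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Set-Cookie value that makes the browser drop the cookie.
// Path must match the one used when the cookie was set, or it survives.
const expire = (name) => `${name}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`;

// Before: demo cookie checked first, so it masks a real session until it expires.
function resolveDemoFirst(cookieHeader, session) {
  if (parseCookies(cookieHeader).has(DEMO_COOKIE)) return { mode: "demo", setCookie: [] };
  return session ? { mode: "session", user: session.userId, setCookie: [] }
                 : { mode: "login", setCookie: [] };
}

// After: a real session wins, and the stale demo cookie is expired on the response.
function resolveSessionFirst(cookieHeader, session) {
  const hasDemo = parseCookies(cookieHeader).has(DEMO_COOKIE);
  if (session) {
    return { mode: "session", user: session.userId,
             setCookie: hasDemo ? [expire(DEMO_COOKIE)] : [] };
  }
  return { mode: hasDemo ? "demo" : "login", setCookie: [] };
}

// /demo entry: start the demo and clear any real user's workspace selection.
function enterDemo() {
  return [`${DEMO_COOKIE}=1; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax`,
          expire(ACTIVE_ORG_COOKIE)];
}

// Constructed request: stale demo cookie sent alongside a valid session.
const stale = `${DEMO_COOKIE}=1; ${ACTIVE_ORG_COOKIE}=org_123`;
console.log(resolveDemoFirst(stale, { userId: "u1" }).mode); // masked by demo cookie
console.log(resolveSessionFirst(stale, { userId: "u1" }));
```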