# Navi Demo Access Date: 2026-05-05 ## Demo Environment Rule Demo access is allowed only for local development, staging, and demo environments. - Local: `pnpm seed:demo` is allowed. - Staging/demo: set `DEMO_MODE=true`, `NAVI_ENV=staging` or `NAVI_ENV=demo`, and `DEMO_USER_PASSWORD`. - Production: demo access is refused unless `DEMO_MODE=true` and the deployment environment is explicitly `demo` or `staging`. Never enable demo switching on a real production customer environment. ## Create Or Reset Demo Data Run the base seed first, then demo seed: ```bash pnpm --filter @navi/api prisma:seed DEMO_USER_PASSWORD='use-a-safe-demo-password' pnpm seed:demo ``` If `DEMO_USER_PASSWORD` is missing in local development, the script generates a temporary password and prints it to the local console only. It does not print passwords in production. ## Demo Users | Email | Role | Access | |---|---|---| | `superadmin@navi.demo` | Super Admin | Full platform, roles, permissions, settings, integrations, demo access | | `admin@navi.demo` | Admin | Operational dashboard, users, providers, listings, bookings, orders, content, reports | | `support@navi.demo` | Support Agent | Support/customer/booking/order lookup, support audit scope | | `tourist@navi.demo` | Tourist User | Mobile customer flows, saved items, bookings, orders, trip planner, translator | | `premium@navi.demo` | Premium User | Tourist flows plus premium role/badge/options | | `hotel.owner@navi.demo` | Partner Owner | Own hotel business, listings, bookings, reports | | `restaurant.owner@navi.demo` | Partner Owner | Own restaurant business and orders | | `pharmacy.owner@navi.demo` | Partner Owner | Own pharmacy business and orders | | `grocery.owner@navi.demo` | Partner Owner | Own grocery business and orders | | `taxi.owner@navi.demo` | Partner Owner | Own taxi business and bookings/jobs | | `sim.owner@navi.demo` | Partner Owner | Own SIM provider business and orders | | `provider.manager@navi.demo` | Provider Manager | Assigned provider operations | | `provider.staff@navi.demo` | Provider Staff | Limited assigned provider operations | | `driver@navi.demo` | Driver / Delivery Partner | Assigned driver/delivery role; assignment model is still pending | ## Dashboard Demo Login Set: ```bash NEXT_PUBLIC_DEMO_MODE=true NEXT_PUBLIC_DEMO_PASSWORD='same value used in DEMO_USER_PASSWORD' ``` The dashboard login page shows a clearly labeled demo-only role switcher. It calls the normal login API. It does not bypass authentication and does not inject fake tokens. ## Mobile Demo Login Set: ```bash EXPO_PUBLIC_DEMO_MODE=true EXPO_PUBLIC_DEMO_PASSWORD='same value used in DEMO_USER_PASSWORD' ``` The mobile login page shows demo role buttons for QA. Each button calls the same login flow as a real user. ## Mobile Test Flow 1. Open mobile app. 2. Sign in with Tourist or Premium demo account. 3. Search in Discover. 4. Tap a suggestion or listing. 5. Save a listing. 6. Generate a trip. 7. Confirm the engagement data appears in dashboard `/engagement`. ## Dashboard Test Flow 1. Seed demo users. 2. Enable dashboard demo mode. 3. Sign in as Super Admin. 4. Open Users, Roles, Permissions, Businesses, Listings, Bookings, Payments, Refunds, Reports, Audit Logs, and Engagement. 5. Sign out and sign in as Provider Owner. 6. Verify provider data is scoped to assigned business where APIs enforce assignment. ## Website Test Flow 1. Open `/en`, `/ar`, `/en/partners`, `/ar/partners`. 2. Confirm public content does not require auth. 3. Confirm partner application submission is still marked as missing until the PartnerApplication model/API is implemented. ## Disable Demo Mode Unset: ```bash DEMO_MODE NEXT_PUBLIC_DEMO_MODE EXPO_PUBLIC_DEMO_MODE NEXT_PUBLIC_DEMO_PASSWORD EXPO_PUBLIC_DEMO_PASSWORD DEMO_USER_PASSWORD ``` Rebuild the dashboard/mobile apps after changing public environment variables. ## Security Warning - Demo users are only for local/staging/demo testing. - Do not use production secrets for demo users. - Do not expose `NEXT_PUBLIC_DEMO_PASSWORD` or `EXPO_PUBLIC_DEMO_PASSWORD` in production. - The demo switchers are frontend conveniences only; backend RBAC remains authoritative.