ether · JohnMcLear · May 16, 2026 · May 16, 2026
diff --git a/src/node/db/SecurityManager.ts b/src/node/db/SecurityManager.ts
@@ -75,10 +75,13 @@ exports.checkAccess = async (padID:string, sessionCookie:string, token:string, u
   }
 
   // Authentication and authorization checks.
-  if (settings.loadTest) {
-    console.warn(
-        'bypassing socket.io authentication and authorization checks due to settings.loadTest');
-  } else if (settings.requireAuthentication) {
+  // settings.loadTest just short-circuits authn/authz; the user-facing
+  // warning about this configuration choice is logged from Settings.ts
+  // during settings load/reload, not on every request. Re-logging it
+  // here was costing ~4% of process CPU in the 100-400 author dive
+  // sweep (#7756): the routed-console-warn went through log4js's
+  // clustering dispatch on every message.
+  if (!settings.loadTest && settings.requireAuthentication) {
     if (userSettings == null) {
       authLogger.debug('access denied: authentication is required');
       return DENY;

diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
@@ -1193,6 +1193,13 @@ export const reloadSettings = () => {
     logger.warn("logLayoutType: " + settings.logLayoutType);
     initLogging(settings.logconfig);
 
+    if (settings.loadTest) {
+      logger.warn(
+        'settings.loadTest is true: SecurityManager.checkAccess() will bypass ' +
+        'authentication and authorization for both HTTP and socket.io requests. ' +
+        'Do NOT enable this in production.');
+    }
+
     if (!settings.skinName) {
         logger.warn('No "skinName" parameter found. Please check out settings.json.template and ' +
             'update your settings.json. Falling back to the default "colibris".');