added bypass login

ka-note/.env.example

@@ -7,3 +7,4 @@ AZURE_TENANT_ID=<azure-ad-tenant-id>
 # Client needs VITE_ prefix — create client/.env with:
 # VITE_AZURE_CLIENT_ID=<same as above>
 # VITE_AZURE_TENANT_ID=<same as above>
+# VITE_DEV_AUTH_BYPASS=true   ← DEV ONLY: skips MS login in browser (never set in production)

ka-note/client/src/lib/auth/authStore.ts

@@ -2,10 +2,30 @@ import { writable, derived } from 'svelte/store';
 import { msalInstance, loginRequest } from './msalConfig.js';
 import type { AccountInfo } from '@azure/msal-browser';
 
+// DEV ONLY: bypass MS login when VITE_DEV_AUTH_BYPASS=true
+// This variable is replaced at build time — never set in production builds
+const DEV_AUTH_BYPASS = import.meta.env.VITE_DEV_AUTH_BYPASS === 'true';
+
+const DEV_ACCOUNT = {
+  homeAccountId: 'dev-user',
+  environment: 'localhost',
+  tenantId: 'dev',
+  username: 'dev@localhost',
+  localAccountId: 'dev-user',
+  name: 'Dev User',
+  idTokenClaims: {},
+} satisfies AccountInfo;
+
 export const account = writable<AccountInfo | null>(null);
 export const isAuthenticated = derived(account, ($account) => $account !== null);
 
 export async function handleRedirect(): Promise<void> {
+  if (DEV_AUTH_BYPASS) {
+    console.warn('[auth] VITE_DEV_AUTH_BYPASS active — skipping MS login');
+    account.set(DEV_ACCOUNT);
+    return;
+  }
+
   await msalInstance.initialize();
 
   try {
@@ -27,14 +47,21 @@ export async function handleRedirect(): Promise<void> {
 }
 
 export async function login(): Promise<void> {
+  if (DEV_AUTH_BYPASS) return;
   await msalInstance.loginRedirect(loginRequest);
 }
 
 export async function logout(): Promise<void> {
+  if (DEV_AUTH_BYPASS) {
+    account.set(null);
+    return;
+  }
   await msalInstance.logoutRedirect();
 }
 
 export async function getAccessToken(): Promise<string> {
+  if (DEV_AUTH_BYPASS) return 'dev-bypass-token';
+
   const active = msalInstance.getActiveAccount();
   if (!active) throw new Error('No active account');