diff --git a/ka-note/.env.example b/ka-note/.env.example
index f896b3a..135da89 100644
--- a/ka-note/.env.example
+++ b/ka-note/.env.example
@@ -7,3 +7,4 @@ AZURE_TENANT_ID=<azure-ad-tenant-id>
 # Client needs VITE_ prefix — create client/.env with:
 # VITE_AZURE_CLIENT_ID=<same as above>
 # VITE_AZURE_TENANT_ID=<same as above>
+# VITE_DEV_AUTH_BYPASS=true   ← DEV ONLY: skips MS login in browser (never set in production)
diff --git a/ka-note/client/src/lib/auth/authStore.ts b/ka-note/client/src/lib/auth/authStore.ts
index 71ea093..f019cab 100644
--- a/ka-note/client/src/lib/auth/authStore.ts
+++ b/ka-note/client/src/lib/auth/authStore.ts
@@ -2,10 +2,30 @@ import { writable, derived } from 'svelte/store';
 import { msalInstance, loginRequest } from './msalConfig.js';
 import type { AccountInfo } from '@azure/msal-browser';
 
+// DEV ONLY: bypass MS login when VITE_DEV_AUTH_BYPASS=true
+// This variable is replaced at build time — never set in production builds
+const DEV_AUTH_BYPASS = import.meta.env.VITE_DEV_AUTH_BYPASS === 'true';
+
+const DEV_ACCOUNT = {
+  homeAccountId: 'dev-user',
+  environment: 'localhost',
+  tenantId: 'dev',
+  username: 'dev@localhost',
+  localAccountId: 'dev-user',
+  name: 'Dev User',
+  idTokenClaims: {},
+} satisfies AccountInfo;
+
 export const account = writable<AccountInfo | null>(null);
 export const isAuthenticated = derived(account, ($account) => $account !== null);
 
 export async function handleRedirect(): Promise<void> {
+  if (DEV_AUTH_BYPASS) {
+    console.warn('[auth] VITE_DEV_AUTH_BYPASS active — skipping MS login');
+    account.set(DEV_ACCOUNT);
+    return;
+  }
+
   await msalInstance.initialize();
 
   try {
@@ -27,14 +47,21 @@ export async function handleRedirect(): Promise<void> {
 }
 
 export async function login(): Promise<void> {
+  if (DEV_AUTH_BYPASS) return;
   await msalInstance.loginRedirect(loginRequest);
 }
 
 export async function logout(): Promise<void> {
+  if (DEV_AUTH_BYPASS) {
+    account.set(null);
+    return;
+  }
   await msalInstance.logoutRedirect();
 }
 
 export async function getAccessToken(): Promise<string> {
+  if (DEV_AUTH_BYPASS) return 'dev-bypass-token';
+
   const active = msalInstance.getActiveAccount();
   if (!active) throw new Error('No active account');
 
diff --git a/ka-note/server/ka-note.db-shm b/ka-note/server/ka-note.db-shm
index 52d4c43..d830deb 100644
Binary files a/ka-note/server/ka-note.db-shm and b/ka-note/server/ka-note.db-shm differ
diff --git a/ka-note/server/ka-note.db-wal b/ka-note/server/ka-note.db-wal
index fbff5e8..947825e 100644
Binary files a/ka-note/server/ka-note.db-wal and b/ka-note/server/ka-note.db-wal differ