docs(local-dev): document setup-dev-user + the three founder accounts

Adds a "Local Login & Dev Users" section to docs/LOCAL_DEVELOPMENT.md
and a short pointer in services/mana-auth/CLAUDE.md so the next dev
finds the script without first hitting the "why can't I log in?" wall:

- Why it exists (no admin seed, requireEmailVerification + no SMTP)
- The 3 default accounts + password
- Single-account form + env overrides (TIER, AUTH_URL, …)
- Idempotency promise
- Prereqs (Postgres + mana-auth on :3001)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/LOCAL_DEVELOPMENT.md

@@ -172,6 +172,52 @@ pnpm setup:db:traces      # Setup traces database + schema
 pnpm setup:db             # Creates ALL databases and pushes ALL schemas
 ```
 
+## Local Login & Dev Users
+
+The local mana-auth has `requireEmailVerification: true` and no real
+SMTP wired up, so a freshly-registered user can't actually log in until
+the verification flag is flipped manually. There's also no built-in
+admin seed and no `DEV_BYPASS_AUTH` env var. Use the convenience script:
+
+```bash
+pnpm setup:dev-user
+```
+
+Creates three founder-tier accounts with `email_verified = true` so
+you can immediately exercise every tier-gated module:
+
+| Email | Password | Tier |
+|---|---|---|
+| `tills95@gmail.com` | `Aa-123456789` | founder |
+| `tilljkb@gmail.com` | `Aa-123456789` | founder |
+| `rajiehq@gmail.com` | `Aa-123456789` | founder |
+
+Login at http://localhost:5173/login with any of them.
+
+**Single account / custom credentials:**
+
+```bash
+./scripts/dev/setup-dev-user.sh you@example.com YourPassword
+```
+
+**Override defaults via env:**
+
+```bash
+TIER=alpha AUTH_URL=http://localhost:3001 pnpm setup:dev-user
+```
+
+The script is **idempotent** — re-running re-applies `email_verified`
++ `access_tier` to existing users without touching their password.
+
+**Prereqs**: Postgres up (`pnpm docker:up`), mana-auth running on
+:3001 (`pnpm dev:auth`), `psql` in `PATH`. Both gates fail loud if
+missing.
+
+**How it works internally**: `POST /api/v1/auth/register` so Better
+Auth's `signUpEmail` handles password hashing correctly, then
+`UPDATE auth.users SET email_verified = true, access_tier = 'founder'`
+to bypass the missing local SMTP and lift the tier in one step.
+
 This is useful when setting up a fresh environment or after pulling new schema changes.
 
 ## How It Works

services/mana-auth/CLAUDE.md

@@ -79,6 +79,23 @@ For the full architectural deep-dive, threat model, and rollout history (Phases
 |--------|------|-------------|
 | GET | `/org/:orgId/member/:userId` | Check membership (for mana-credits) |
 
+## Local Dev Login
+
+There is **no built-in admin seed** and **no auth-bypass env var**, and
+the local stack runs with `requireEmailVerification: true` against no
+real SMTP. Use the convenience script instead of hand-crafting SQL:
+
+```bash
+pnpm setup:dev-user                              # 3 founder accounts
+./scripts/dev/setup-dev-user.sh foo@x.de pass    # single account
+```
+
+Defaults to `tills95@gmail.com` / `tilljkb@gmail.com` / `rajiehq@gmail.com`,
+all with password `Aa-123456789` and `access_tier = founder`. The script
+calls `POST /api/v1/auth/register` (so Better Auth handles hashing),
+then runs an idempotent SQL `UPDATE auth.users SET email_verified = true,
+access_tier = 'founder'`. Full docs in `docs/LOCAL_DEVELOPMENT.md`.
+
 ## Cross-Domain SSO
 
 Session cookies shared across `*.mana.how` via `COOKIE_DOMAIN=.mana.how`.